Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2
GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool
|
GREYVIBE | likely | 1 office.cip.ua.gov@gmail.com / offic... | 1 Google Drive-hosted malicious RAR a... | 3 bd3f35b91bf83427e953d4cf531a0ee4b5e... | 2 PhantomRelayV2 watchdog / RzUpdateM... | 6 nycpartnersenterprise.com | 13e / 13r | 2026-05-31 19:17:43 |
levelblue.2026.sapphire-sleet-macos-fake-zoom-update
Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure
|
BlueNoroff | confirmed | 1 Zoom SDK Update.scpt | — | 2 /Library/LaunchDaemons/com.google.w... | 4 com.apple.cli profiling component | 14 check02id.com | 21e / 21r | 2026-05-30 11:17:36 |
securelist.2026.pirated-content-silentcryptominer-rat
Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure
|
unknown | confirmed | 2 pirated movie/TV streaming and digi... | 4 {domain}.strangled.net | 3 urush1bar4.online | 9 malicious DLL side-loaded by HLS In... | 8 5d14vnfb.space | 26e / 33r | 2026-05-28 19:43:28 |
jumpsec.2026.blacktoad-autoit-remcos-network-blackout
BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain
|
BlackToad | confirmed | 1 Thai-language image-based financial... | — | 7 MediaFire-hosted malware download l... | 1 payload.bin / decoded Remcos Pro implant | 7 pmitm.ddns.net | 16e / 25r | 2026-05-28 16:12:38 |
wiz.2026.jinx-0164-audiofix-fake-driver-macos
JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain
|
JINX-0164 | confirmed | 2 LinkedIn recruiter / business-partn... | — | 3 https://apple.driver-update.io/trou... | 6 https://apple.driver-store.com/mac/... | 5 datahub.ink | 16e / 16r | 2026-05-28 13:44:27 |
wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain
JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain
|
JINX-0164 | confirmed | 2 https://www.npmjs.com/package/@velo... | — | 5 http://89.36.224.5/troubleshoot/mac... | 3 0a8ab3d16b12d3a453ee5a3208fe04744ad... | 5 datahub.ink | 15e / 17r | 2026-05-28 13:43:20 |
microsoft.2026.poisoned-search-screenconnect-gpu-miner
Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2
|
unknown | confirmed | 1 attacker-controlled lookalike utili... | — | 5 direct-download.gleeze.com | 7 autorun.dll variant set loaded by l... | 7 directdownload.icu | 20e / 23r | 2026-05-27 17:02:04 |
gamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
|
MB-0001 | confirmed | 2 6aa9741f8b8629d0398049fa91dc5e7c28f... | 5 hxxps://www.telegram[.]me/s/natural_blood | 3 %APPDATA%\Microsoft\Windows\Start M... | 1 Pteranodon Stage-2 loader | 2 194.67.71.75 | 13e / 13r | 2026-05-27 12:22:36 |
uat-10027-dohdoor-education-healthcare-2026-02-26
UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care
|
UAT-10027 | likely | 1 suspected phishing-delivered PowerS... | 1 cloudflare-dns.com DoH resolver ove... | 3 remote staging URL serving .bat or ... | 2 Dohdoor malicious DLL disguised as ... | 2 http://GppiwoGwNdiakkDU.pnuiSckMHwa... | 9e / 11r | 2026-05-27 12:09:14 |
powmix-czech-workforce-2026-04-16
PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce
|
unknown | likely | 1 malicious ZIP archive with complian... | — | 3 Windows shortcut file inside ZIP | 1 PowMix PowerShell botnet payload | 3 herokuapp.com based C2 endpoint | 8e / 8r | 2026-05-27 12:05:45 |
Technique pressure
top observed IIM techniquesActor surface
published chain attributionwithsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2
GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool
WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.
levelblue.2026.sapphire-sleet-macos-fake-zoom-update
Sapphire Sleet macOS fake Zoom SDK update to reflective beacon and C2/exfiltration infrastructure
IIM chain for LevelBlue SpiderLabs research published on 2026-05-28. The report describes a Sapphire Sleet / BlueNoroff / UNC1069 macOS campaign targeting financial, Web3, venture-capital and cryptocurrency environments. Initial access uses social engineering around a fake video meeting and a fake Zoom SDK update component. The user executes Zoom SDK Update.scpt, which opens in macOS Script Editor and drives an osascript/curl/shell chain using task-specific User-Agents mac-cur1 through mac-cur5. Follow-on components include com.apple.cli profiling tooling, a native-looking systemupdate.app Mac Password Popup credential harvester, TCC.db abuse through Finder, a LaunchDaemon plist for persistence, an icloudz backdoor component, and the in-memory com.google.chromes.updaters beacon agent. Exfiltration is staged into /tmp zip archives and uploaded over remote upload/exfil ports. LevelBlue publishes C2 domains, C2 IPs, operational ports, hashes, and strategic forensic paths; exact lure accounts, meeting URLs, and per-domain DNS mappings are not published and are therefore not invented in this chain.
securelist.2026.pirated-content-silentcryptominer-rat
Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure
IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.
jumpsec.2026.blacktoad-autoit-remcos-network-blackout
BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain
IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.
wiz.2026.jinx-0164-audiofix-fake-driver-macos
JINX-0164 fake meeting / fake driver AUDIOFIX macOS chain
IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 developer targeting against cryptocurrency organizations. The chain models LinkedIn / fake meeting social engineering, a fake technical error / driver-fix page, bash dropper delivery from driver-themed infrastructure, architecture-aware AUDIOFIX payload delivery, macOS LaunchAgent persistence, HTTPS C2 with fallback domains, and related resolved infrastructure. It intentionally does not invent the exact LinkedIn profile, victim-specific meeting URL, or unpublished per-victim lure domain beyond the indicators Wiz listed.
wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain
JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain
IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.
microsoft.2026.poisoned-search-screenconnect-gpu-miner
Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2
IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime
gamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.
uat-10027-dohdoor-education-healthcare-2026-02-26
UAT-10027 Dohdoor Cloudflare-fronted DoH C2 chain targeting education and health care
Cisco Talos reported an ongoing campaign active since at least December 2025 against U.S. education and health care victims. The modeled chain follows the PowerShell downloader, remote batch script, C2-hosted malicious DLL retrieval, Dohdoor loader execution, DNS-over-HTTPS resolution through Cloudflare, Cloudflare-fronted C2 communication, and reflective next-stage payload retrieval
powmix-czech-workforce-2026-04-16
PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce
Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.