Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor
Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control
|
unknown | confirmed | 1 compromised WordPress plugin/theme ... | 4 hxxps://steamcommunity[.]com/profil... | 3 commentthread_comment_text invisibl... | 3 hxxps://hello-mywordl[.]info/js/lod... | 2 <compromised WordPress site> POST /... | 13e / 17r | 2026-05-30 11:26:11 |
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2
Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2
|
unknown | confirmed | 3 spearphishing ZIP attachment contai... | — | 7 data\empty.vbs | 2 UnityPlayer.dll / RUSTCLOAK Rust loader | 2 note1ggbbhggdwa1.blob.core.windows.net | 14e / 20r | 2026-05-29 20:05:53 |
glassworm.2026.developer-supply-chain.multi-resolver-c2
Glassworm developer supply-chain infection to redundant multi-resolver C2
|
Glassworm | confirmed | 4 Trojanized VS Code / OpenVSX extens... | 3 solana://transaction-memo/c2-server... | 1 Glassworm downloader / installer stage | 1 GlasswormRAT Node.js remote access tool | 2 commercial VPS-hosted direct C2 inf... | 11e / 13r | 2026-05-27 13:04:07 |
gamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
|
MB-0001 | confirmed | 2 6aa9741f8b8629d0398049fa91dc5e7c28f... | 5 hxxps://www.telegram[.]me/s/natural_blood | 3 %APPDATA%\Microsoft\Windows\Start M... | 1 Pteranodon Stage-2 loader | 2 194.67.71.75 | 13e / 13r | 2026-05-27 12:22:36 |
iim.chain.apt.2026.05.006
UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2
|
UAT-8302 | confirmed | — | 2 github[.]com / public dead-drop resolver | — | 1 CloudSorcerer v3 side-loaded DLL triad | 3 www.drivelivelime[.]com | 6e / 7r | 2026-05-26 13:35:13 |
Technique pressure
top observed IIM techniquesActor surface
published chain attributiongodaddy.2026.wordpress-steam-community-deaddrop-js-backdoor
Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control
IIM chain for GoDaddy Security research published on 2026-05-28. The report describes WordPress malware found across roughly 1,980 infected sites since July 2025. The malware uses compromised WordPress plugin/theme PHP files to fetch Steam Community profile comments, extract the commentthread_comment_text content, decode an invisible-Unicode payload with optional AES-256-CTR/PBKDF2/HMAC protection, and inject the decoded URL as frontend JavaScript through wp_enqueue_script using the handle asahi-jquery-min-bundle. The observed decoded payload URL is hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js. In parallel, the same PHP malware exposes a cookie-authenticated server-side backdoor that responds to DEpjndDbNc ping cookies and accepts base64-encoded PHP replacement code through tEcaKKXEsb plus POST parameter new_code, allowing remote modification of plugin and theme files. The initial WordPress compromise vector is not confirmed by GoDaddy, so this chain starts at the confirmed infected PHP/plugin/theme layer and records initial access as a limitation rather than inventing a vulnerable plugin, stolen credential, or supply-chain path.
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2
Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2
IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.
glassworm.2026.developer-supply-chain.multi-resolver-c2
Glassworm developer supply-chain infection to redundant multi-resolver C2
IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.
gamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.
iim.chain.apt.2026.05.006
UAT-8302 CloudSorcerer v3 dead-drop resolver to drivelivelime / msiidentity C2
CloudSorcerer v3 lane where malware retrieves C2 information from public web services and then connects to decoded UAT-8302 C2 domains published by Talos.