Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor
Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control
|
unknown | confirmed | 1 compromised WordPress plugin/theme ... | 4 hxxps://steamcommunity[.]com/profil... | 3 commentthread_comment_text invisibl... | 3 hxxps://hello-mywordl[.]info/js/lod... | 2 <compromised WordPress site> POST /... | 13e / 17r | 2026-05-30 11:26:11 |
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2
Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2
|
unknown | confirmed | 3 spearphishing ZIP attachment contai... | — | 7 data\empty.vbs | 2 UnityPlayer.dll / RUSTCLOAK Rust loader | 2 note1ggbbhggdwa1.blob.core.windows.net | 14e / 20r | 2026-05-29 20:05:53 |
ox.2026.malware-slop-npm-github-exfil
Malware-Slop npm package to GitHub Contents API exfiltration chain
|
unknown | confirmed | 1 https://www.npmjs.com/package/mouse... | 1 github.com | 3 /mnt/user-data | 1 npm postinstall script disguised as... | 2 https://api.github.com/repos/<actor... | 8e / 7r | 2026-05-28 13:32:24 |
webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane
Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane
|
Webworm | confirmed | — | — | 1 wamanharipethe.s3.ap-south-1.amazon... | 2 GraphWorm payload | 2 graph.microsoft.com / Microsoft Graph API | 5e / 4r | 2026-05-26 14:05:46 |
iim.chain.apt.2026.05.009
Webworm GitHub staging to EchoCreep Discord C2
|
Webworm | confirmed | — | 1 64[.]176[.]85[.]158 | 1 github[.]com/anjsdgasdf/WordPress | 1 EchoCreep DLL | 1 discord[.]com / Discord API | 4e / 3r | 2026-05-26 14:05:20 |
iim.chain.apt.2026.05.005
UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2
|
UAT-8302 | confirmed | 1 benign executable used for DLL side-loading | — | — | 1 NetDraft / FringePorch backdoor | 2 graph.microsoft.com / Microsoft Graph API | 4e / 3r | 2026-05-26 13:33:29 |
Technique pressure
top observed IIM techniquesActor surface
published chain attributiongodaddy.2026.wordpress-steam-community-deaddrop-js-backdoor
Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control
IIM chain for GoDaddy Security research published on 2026-05-28. The report describes WordPress malware found across roughly 1,980 infected sites since July 2025. The malware uses compromised WordPress plugin/theme PHP files to fetch Steam Community profile comments, extract the commentthread_comment_text content, decode an invisible-Unicode payload with optional AES-256-CTR/PBKDF2/HMAC protection, and inject the decoded URL as frontend JavaScript through wp_enqueue_script using the handle asahi-jquery-min-bundle. The observed decoded payload URL is hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js. In parallel, the same PHP malware exposes a cookie-authenticated server-side backdoor that responds to DEpjndDbNc ping cookies and accepts base64-encoded PHP replacement code through tEcaKKXEsb plus POST parameter new_code, allowing remote modification of plugin and theme files. The initial WordPress compromise vector is not confirmed by GoDaddy, so this chain starts at the confirmed infected PHP/plugin/theme layer and records initial access as a limitation rather than inventing a vulnerable plugin, stolen credential, or supply-chain path.
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2
Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2
IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.
ox.2026.malware-slop-npm-github-exfil
Malware-Slop npm package to GitHub Contents API exfiltration chain
IIM chain for the OX Security report published on 2026-05-27 about the malicious npm package mouse5212-super-formatter. The package presents itself as an internal archive deployment sync utility, but during post-installation it authenticates to GitHub using either a victim environment token or a hardcoded fallback token, checks or creates an actor-controlled repository, recursively walks the local /mnt/user-data directory, and uploads collected files through the GitHub Contents API. OX observed around seven active exfiltration sessions in the actor repository before takedown and reported 676 downloads at time of publication. The exact actor account, repository name, hardcoded token value, and package tarball hashes were not published in the text; those are intentionally not invented here.
webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane
Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane
ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.
iim.chain.apt.2026.05.009
Webworm GitHub staging to EchoCreep Discord C2
ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.
iim.chain.apt.2026.05.005
UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2
Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.