Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

Explore published chains Tracked actors Open feed API

confirmed13

likely5

tentative0

needs review6

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view

chain	actor	conf	entry	redirector	staging	payload	c2	edges	published
`webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane` Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane	Webworm	confirmed	—	—	1 wamanharipethe.s3.ap-south-1.amazon...	2 GraphWorm payload	2 graph.microsoft.com / Microsoft Graph API	5e / 4r	2026-05-26 14:05:46
`iim.chain.apt.2026.05.009` Webworm GitHub staging to EchoCreep Discord C2	Webworm	confirmed	—	1 64[.]176[.]85[.]158	1 github[.]com/anjsdgasdf/WordPress	1 EchoCreep DLL	1 discord[.]com / Discord API	4e / 3r	2026-05-26 14:05:20
`iim.chain.apt.2026.05.005` UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2	UAT-8302	confirmed	1 benign executable used for DLL side-loading	—	—	1 NetDraft / FringePorch backdoor	2 graph.microsoft.com / Microsoft Graph API	4e / 3r	2026-05-26 13:33:29

Showing 1–3 of 3 matching chains

Page 1 of 1. Showing 1–3 of 3 matching chains, 18 total.

Technique pressure

top observed IIM techniques

IIM-T024

9 IIM-T011

8 IIM-T002

7 IIM-T006

7 IIM-T019

6 IIM-T010

5 IIM-T021

4 IIM-T013

3 IIM-T020

3 IIM-T001

3 IIM-T018

3 IIM-T008

Actor surface

published chain attribution

UAT-83024 UAC-00573 unknown2 Webworm2 Glassworm1 MB-00011 UAT-100271 UAT-103621 Silver Fox1 MB-00061 MB-00051

webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane

Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane

confirmed

ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.

payload → c2 → c2 → payload → staging

Webworm 5 entities 4 relations 2026-05-26 14:05:46

IIM-T002 IIM-T006 IIM-T018

Open chain analysis↗

iim.chain.apt.2026.05.009

Webworm GitHub staging to EchoCreep Discord C2

confirmed

ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.

staging → payload → c2 → redirector

Webworm 4 entities 3 relations 2026-05-26 14:05:20

IIM-T002 IIM-T006 IIM-T018 IIM-T026

Open chain analysis↗

iim.chain.apt.2026.05.005

UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2

confirmed

Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.

entry → payload → c2 → c2

UAT-8302 4 entities 3 relations 2026-05-26 13:33:29

IIM-T006 IIM-T018

Open chain analysis↗