Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

community intake

Submit sourced IIM chains for review

local storage, validator, anti-spam cap and contribution board

Analysts can paste a chain directly into the public surface, pass validation and store it as a dated local JSON file for manual Malwarebox review.

source link required 1000/day global cap duplicate filter captcha local
confirmed32
likely7
tentative0
needs review12

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view
chain actor conf entryredirectorstagingpayloadc2 edges published
godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control unknown confirmed 1 compromised WordPress plugin/theme ... 4 hxxps://steamcommunity[.]com/profil... 3 commentthread_comment_text invisibl... 3 hxxps://hello-mywordl[.]info/js/lod... 2 <compromised WordPress site> POST /... 13e / 17r 2026-05-30 11:26:11
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2 Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2 unknown confirmed 3 spearphishing ZIP attachment contai... 7 data\empty.vbs 2 UnityPlayer.dll / RUSTCLOAK Rust loader 2 note1ggbbhggdwa1.blob.core.windows.net 14e / 20r 2026-05-29 20:05:53
ox.2026.malware-slop-npm-github-exfil Malware-Slop npm package to GitHub Contents API exfiltration chain unknown confirmed 1 https://www.npmjs.com/package/mouse... 1 github.com 3 /mnt/user-data 1 npm postinstall script disguised as... 2 https://api.github.com/repos/<actor... 8e / 7r 2026-05-28 13:32:24
webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane Webworm confirmed 1 wamanharipethe.s3.ap-south-1.amazon... 2 GraphWorm payload 2 graph.microsoft.com / Microsoft Graph API 5e / 4r 2026-05-26 14:05:46
iim.chain.apt.2026.05.009 Webworm GitHub staging to EchoCreep Discord C2 Webworm confirmed 1 64[.]176[.]85[.]158 1 github[.]com/anjsdgasdf/WordPress 1 EchoCreep DLL 1 discord[.]com / Discord API 4e / 3r 2026-05-26 14:05:20
iim.chain.apt.2026.05.005 UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2 UAT-8302 confirmed 1 benign executable used for DLL side-loading 1 NetDraft / FringePorch backdoor 2 graph.microsoft.com / Microsoft Graph API 4e / 3r 2026-05-26 13:33:29
Showing 16 of 6 matching chains
Reset
Page 1 of 1. Showing 16 of 6 matching chains, 39 total.

godaddy.2026.wordpress-steam-community-deaddrop-js-backdoor

Compromised WordPress malware abusing Steam Community profile comments as dead-drop resolver for JavaScript injection and cookie-authenticated backdoor control

confirmed

IIM chain for GoDaddy Security research published on 2026-05-28. The report describes WordPress malware found across roughly 1,980 infected sites since July 2025. The malware uses compromised WordPress plugin/theme PHP files to fetch Steam Community profile comments, extract the commentthread_comment_text content, decode an invisible-Unicode payload with optional AES-256-CTR/PBKDF2/HMAC protection, and inject the decoded URL as frontend JavaScript through wp_enqueue_script using the handle asahi-jquery-min-bundle. The observed decoded payload URL is hxxps://hello-mywordl[.]info/js/lodash[.]core[.]min[.]js. In parallel, the same PHP malware exposes a cookie-authenticated server-side backdoor that responds to DEpjndDbNc ping cookies and accepts base64-encoded PHP replacement code through tEcaKKXEsb plus POST parameter new_code, allowing remote modification of plugin and theme files. The initial WordPress compromise vector is not confirmed by GoDaddy, so this chain starts at the confirmed infected PHP/plugin/theme layer and records initial access as a limitation rather than inventing a vulnerable plugin, stolen credential, or supply-chain path.

entry redirector redirector redirector redirector staging staging
unknown 13 entities 17 relations 2026-05-30 11:26:11
IIM-T004 IIM-T006 IIM-T013 IIM-T018
Open chain analysis

seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2

Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2

confirmed

IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.

entry entry entry staging staging staging staging
unknown 14 entities 20 relations 2026-05-29 20:05:53
IIM-T002 IIM-T006 IIM-T013 IIM-T018 IIM-T024
Open chain analysis

ox.2026.malware-slop-npm-github-exfil

Malware-Slop npm package to GitHub Contents API exfiltration chain

confirmed

IIM chain for the OX Security report published on 2026-05-27 about the malicious npm package mouse5212-super-formatter. The package presents itself as an internal archive deployment sync utility, but during post-installation it authenticates to GitHub using either a victim environment token or a hardcoded fallback token, checks or creates an actor-controlled repository, recursively walks the local /mnt/user-data directory, and uploads collected files through the GitHub Contents API. OX observed around seven active exfiltration sessions in the actor repository before takedown and reported 676 downloads at time of publication. The exact actor account, repository name, hardcoded token value, and package tarball hashes were not published in the text; those are intentionally not invented here.

entry payload staging redirector c2 c2 staging
unknown 8 entities 7 relations 2026-05-28 13:32:24
IIM-T006 IIM-T018
Open chain analysis

webworm-graphworm-wormfrp-cloud-service-c2-and-exfiltration-lane

Webworm GraphWorm / WormFrp cloud-service C2 and exfiltration lane

confirmed

ESET-documented Webworm infrastructure lane using Microsoft Graph / OneDrive for GraphWorm command traffic and Amazon S3 infrastructure for WormFrp-related reconnaissance/exfiltration.

payload c2 c2 payload staging
Webworm 5 entities 4 relations 2026-05-26 14:05:46
IIM-T002 IIM-T006 IIM-T018
Open chain analysis

iim.chain.apt.2026.05.009

Webworm GitHub staging to EchoCreep Discord C2

confirmed

ESET-documented Webworm lane targeting European government entities: malware stages from GitHub repository content and EchoCreep uses Discord API traffic as its C2 channel.

staging payload c2 redirector
Webworm 4 entities 3 relations 2026-05-26 14:05:20
IIM-T002 IIM-T006 IIM-T018 IIM-T026
Open chain analysis

iim.chain.apt.2026.05.005

UAT-8302 NetDraft / FringePorch side-load to Microsoft Graph C2

confirmed

Cisco Talos-documented UAT-8302 chain in which side-loaded NetDraft/FringePorch uses Microsoft Graph / OneDrive as a C2 channel.

entry payload c2 c2
UAT-8302 4 entities 3 relations 2026-05-26 13:33:29
IIM-T006 IIM-T018
Open chain analysis