Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
gamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
|
MB-0001 | confirmed | 2 6aa9741f8b8629d0398049fa91dc5e7c28f... | 5 hxxps://www.telegram[.]me/s/natural_blood | 3 %APPDATA%\Microsoft\Windows\Start M... | 1 Pteranodon Stage-2 loader | 2 194.67.71.75 | 13e / 13r | 2026-05-27 12:22:36 |
silver-fox-abcdoor-2026-04-30
Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain
|
Silver Fox | likely | 1 tax-themed phishing email attachmen... | 1 attacker-controlled external downlo... | 5 tax-related malicious archive | 3 ValleyRAT Login module / Winos 4.0 payload | 1 207.56.138.28 | 11e / 11r | 2026-05-27 12:03:50 |
iim.chain.apt.2026.05.004
UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2
|
UAC-0057 | likely | 1 PDF lure with active link to ZIP archive | — | 2 ZIP archive containing OYSTERFRESH ... | 3 OYSTERBLUES registry-staged payload | 1 Cloudflare-fronted .icu C2 domain cluster | 7e / 7r | 2026-05-26 13:31:49 |
frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike
FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike
|
UAC-0057 | confirmed | 1 53_7.03.2026_R.pdf | — | 3 53_7.03.2026_R.rar | 3 Update.js / PicassoLoader | 2 hxxps://book-happy.needbinding[.]ic... | 9e / 8r | 2026-05-26 13:26:34 |
uac-0247-ukrvarta-fpv-dopomoga-2026-03
UAC-0247 - UKRVARTA FPV
|
MB-0006 | confirmed | 2 UkrVarta humanitarian-aid themed ZI... | 1 search-ms:query=lnk&crumb=location:... | 4 ukrvarta.online | 6 https://ukrvarta.online/dopomoga/up... | 1 109.237.97.4 | 14e / 13r | 2026-05-20 17:04:53 |
uac-0184-pseudo-png-passmark-2026-05
UAC-0184: Pseudo PNG Passmark
|
MB-0005 | confirmed | 2 Ukraine-themed LNK lure | — | 8 169.40.135.35 | 3 filter.bin decoded LZNT1 payload bundle | 2 224.0.0.255 | 15e / 20r | 2026-05-19 15:15:42 |
Page 1 of 1. Showing 1–6 of 6 matching chains, 18 total.
Technique pressure
top observed IIM techniquesActor surface
published chain attributiongamaredon.2025.zero-click-rar.pteranodon
Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure
IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.
entry
→
entry
→
staging
→
staging
→
payload
→
redirector
→
redirector
IIM-T002
IIM-T003
IIM-T006
IIM-T007
IIM-T008
IIM-T010
IIM-T011
IIM-T013
+4
Open chain analysis↗
silver-fox-abcdoor-2026-04-30
Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain
Observed Silver Fox campaign using tax-themed delivery to distribute a customized RustSL loader, ValleyRAT, custom ValleyRAT modules and the ABCDoor Python backdoor. The chain models only infrastructure and delivery composition aspects; endpoint persistence and execution details are kept in ATT&CK annotations or notes.
entry
→
redirector
→
staging
→
staging
→
staging
→
payload
→
c2
IIM-T019
IIM-T024
Open chain analysis↗
iim.chain.apt.2026.05.004
UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2
CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.
entry
→
staging
→
staging
→
payload
→
payload
→
c2
→
payload
IIM-T001
IIM-T010
IIM-T011
IIM-T019
IIM-T024
Open chain analysis↗
frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike
FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike
ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.
entry
→
staging
→
staging
→
staging
→
payload
→
c2
→
payload
IIM-T001
IIM-T010
IIM-T011
IIM-T019
IIM-T020
IIM-T021
IIM-T024
Open chain analysis↗
uac-0247-ukrvarta-fpv-dopomoga-2026-03
UAC-0247 - UKRVARTA FPV
Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.
entry
→
entry
→
staging
→
staging
→
staging
→
payload
→
payload
IIM-T002
IIM-T015
IIM-T019
IIM-T024
IIM-T026
Open chain analysis↗
uac-0184-pseudo-png-passmark-2026-05
UAC-0184: Pseudo PNG Passmark
Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.
entry
→
entry
→
staging
→
staging
→
staging
→
staging
→
staging
IIM-T019
IIM-T020
IIM-T021
IIM-T024
IIM-T025
Open chain analysis↗