Malwarebox public intelligence surface

IIM Feeds for adversary infrastructure chains.

Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.

Explore published chains Tracked actors Open feed API

confirmed13

likely5

tentative0

needs review6

IIM Atlas Board

Role matrix of the published feed

10 chains per page, each row opens the full chain view

chain	actor	conf	entry	redirector	staging	payload	c2	edges	published
`microsoft.2026.poisoned-search-screenconnect-gpu-miner` Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2	unknown	confirmed	1 attacker-controlled lookalike utili...	—	5 direct-download.gleeze.com	7 autorun.dll variant set loaded by l...	7 directdownload.icu	20e / 23r	2026-05-27 17:02:04
`gamaredon.2025.zero-click-rar.pteranodon` Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure	MB-0001	confirmed	2 6aa9741f8b8629d0398049fa91dc5e7c28f...	5 hxxps://www.telegram[.]me/s/natural_blood	3 %APPDATA%\Microsoft\Windows\Start M...	1 Pteranodon Stage-2 loader	2 194.67.71.75	13e / 13r	2026-05-27 12:22:36
`uat-10362-lucidrook-taiwan-2026-04-08` UAT-10362 LucidRook LNK archive chain against Taiwanese organizations	UAT-10362	likely	1 spear-phishing email targeting Taiw...	1 shortened URL leading to password-p...	5 password-protected encrypted RAR ar...	2 LucidRook DLL stager written as Dis...	3 1.34.253.131	12e / 13r	2026-05-27 12:07:54
`powmix-czech-workforce-2026-04-16` PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce	unknown	likely	1 malicious ZIP archive with complian...	—	3 Windows shortcut file inside ZIP	1 PowMix PowerShell botnet payload	3 herokuapp.com based C2 endpoint	8e / 8r	2026-05-27 12:05:45
`silver-fox-abcdoor-2026-04-30` Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain	Silver Fox	likely	1 tax-themed phishing email attachmen...	1 attacker-controlled external downlo...	5 tax-related malicious archive	3 ValleyRAT Login module / Winos 4.0 payload	1 207.56.138.28	11e / 11r	2026-05-27 12:03:50
`iim.chain.apt.2026.05.004` UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2	UAC-0057	likely	1 PDF lure with active link to ZIP archive	—	2 ZIP archive containing OYSTERFRESH ...	3 OYSTERBLUES registry-staged payload	1 Cloudflare-fronted .icu C2 domain cluster	7e / 7r	2026-05-26 13:31:49
`frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike` FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike	UAC-0057	confirmed	1 53_7.03.2026_R.pdf	—	3 53_7.03.2026_R.rar	3 Update.js / PicassoLoader	2 hxxps://book-happy.needbinding[.]ic...	9e / 8r	2026-05-26 13:26:34
`uac-0247-ukrvarta-fpv-dopomoga-2026-03` UAC-0247 - UKRVARTA FPV	MB-0006	confirmed	2 UkrVarta humanitarian-aid themed ZI...	1 search-ms:query=lnk&crumb=location:...	4 ukrvarta.online	6 https://ukrvarta.online/dopomoga/up...	1 109.237.97.4	14e / 13r	2026-05-20 17:04:53
`uac-0184-pseudo-png-passmark-2026-05` UAC-0184: Pseudo PNG Passmark	MB-0005	confirmed	2 Ukraine-themed LNK lure	—	8 169.40.135.35	3 filter.bin decoded LZNT1 payload bundle	2 224.0.0.255	15e / 20r	2026-05-19 15:15:42

Showing 1–9 of 9 matching chains

Page 1 of 1. Showing 1–9 of 9 matching chains, 18 total.

Technique pressure

top observed IIM techniques

IIM-T024

9 IIM-T011

8 IIM-T002

7 IIM-T006

7 IIM-T019

6 IIM-T010

5 IIM-T021

4 IIM-T013

3 IIM-T020

3 IIM-T001

3 IIM-T018

3 IIM-T008

Actor surface

published chain attribution

UAT-83024 UAC-00573 unknown2 Webworm2 Glassworm1 MB-00011 UAT-100271 UAT-103621 Silver Fox1 MB-00061 MB-00051

microsoft.2026.poisoned-search-screenconnect-gpu-miner

Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2

confirmed

IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime

entry → staging → staging → staging → staging → staging → payload

unknown 20 entities 23 relations 2026-05-27 17:02:04

IIM-T008 IIM-T011 IIM-T012 IIM-T021 IIM-T024

Open chain analysis↗

gamaredon.2025.zero-click-rar.pteranodon

Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure

confirmed

IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.

entry → entry → staging → staging → payload → redirector → redirector

MB-0001 13 entities 13 relations 2026-05-27 12:22:36

IIM-T002 IIM-T003 IIM-T006 IIM-T007 IIM-T008 IIM-T010 IIM-T011 IIM-T013 +4

Open chain analysis↗

uat-10362-lucidrook-taiwan-2026-04-08

UAT-10362 LucidRook LNK archive chain against Taiwanese organizations

likely

Cisco Talos reported UAT-10362 spear-phishing Taiwanese NGOs and suspected universities with shortened URLs leading to password-protected archives. The modeled chain follows the LNK-based path: archive delivery, hidden nested folder staging, LucidPawn dropper, LucidRook stager, compromised FTP infrastructure used for payload retrieval and exfiltration, and a DNS beaconing domain observed in the IOC set

entry → redirector → staging → staging → staging → staging → payload

UAT-10362 12 entities 13 relations 2026-05-27 12:07:54

IIM-T004 IIM-T016 IIM-T024

Open chain analysis↗

powmix-czech-workforce-2026-04-16

PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce

likely

Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.

entry → staging → staging → staging → payload → c2 → c2

unknown 8 entities 8 relations 2026-05-27 12:05:45

IIM-T002 IIM-T011 IIM-T024

Open chain analysis↗

silver-fox-abcdoor-2026-04-30

Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain

likely

Observed Silver Fox campaign using tax-themed delivery to distribute a customized RustSL loader, ValleyRAT, custom ValleyRAT modules and the ABCDoor Python backdoor. The chain models only infrastructure and delivery composition aspects; endpoint persistence and execution details are kept in ATT&CK annotations or notes.

entry → redirector → staging → staging → staging → payload → c2

Silver Fox 11 entities 11 relations 2026-05-27 12:03:50

IIM-T019 IIM-T024

Open chain analysis↗

iim.chain.apt.2026.05.004

UAC-0057 Ghostwriter OYSTERFRESH to OYSTERSHUCK and OYSTERBLUES C2

likely

CERT-UA/SOC Prime-documented Ukraine campaign: compromised-email lure with PDF link leads to ZIP/JavaScript OYSTERFRESH, registry-staged OYSTERBLUES, OYSTERSHUCK download, and HTTP POST C2 over Cloudflare-fronted .icu infrastructure.

entry → staging → staging → payload → payload → c2 → payload

UAC-0057 7 entities 7 relations 2026-05-26 13:31:49

IIM-T001 IIM-T010 IIM-T011 IIM-T019 IIM-T024

Open chain analysis↗

frostyneighbor-ukraine-pdf-lure-to-picassoloader-and-cobalt-strike

FrostyNeighbor Ukraine PDF lure to PicassoLoader and Cobalt Strike

confirmed

ESET-documented Ukraine-targeting FrostyNeighbor chain: malicious PDF lure triggers geofenced RAR/JavaScript delivery, retrieves PicassoLoader tasking from a Cloudflare-fronted .icu host, then leads to Cobalt Strike infrastructure.

entry → staging → staging → staging → payload → c2 → payload

UAC-0057 9 entities 8 relations 2026-05-26 13:26:34

IIM-T001 IIM-T010 IIM-T011 IIM-T019 IIM-T020 IIM-T021 IIM-T024

Open chain analysis↗

uac-0247-ukrvarta-fpv-dopomoga-2026-03

UAC-0247 - UKRVARTA FPV

confirmed

Campaign chain for a Ukraine-focused lure targeting FPV/UAV-related audiences. The flow starts with a humanitarian-aid themed archive/LNK and HTA delivery layer on ukrvarta.online, moves through external JavaScript and updater.txt payload staging, persists as OneDriveUpdater, injects a decoded shellcode stage into RuntimeBroker.exe, unpacks EncryptedReverseShell.exe, and communicates with 109.237.97.4:8443.

entry → entry → staging → staging → staging → payload → payload

MB-0006 14 entities 13 relations 2026-05-20 17:04:53

IIM-T002 IIM-T015 IIM-T019 IIM-T024 IIM-T026

Open chain analysis↗

uac-0184-pseudo-png-passmark-2026-05

UAC-0184: Pseudo PNG Passmark

confirmed

Observed UAC-0184 chain from gated HTA and ZIP delivery into Plane9-based sideloading, encoded local blobs, pseudo-PNG IDAT staging, LZNT1 unpacking and a signed VSLauncher / PassMark network-capable payload bundle. The internal controller or C2 element remains tentative because no static C2 endpoint was present in the analyzed artifacts.

entry → entry → staging → staging → staging → staging → staging

MB-0005 15 entities 20 relations 2026-05-19 15:15:42

IIM-T019 IIM-T020 IIM-T021 IIM-T024 IIM-T025

Open chain analysis↗