Malwarebox public intelligence surface
IIM Feeds for adversary infrastructure chains.
Published IIM chains from MANTIS, shaped for humans first: browse actor infrastructure, compare role flows, open evidence, and export the canonical JSON when you need the raw model.
IIM Atlas Board
Role matrix of the published feed
| chain | actor | conf | entry | redirector | staging | payload | c2 | edges | published |
|---|---|---|---|---|---|---|---|---|---|
enki.2026.kimsuky-webex-httpSpy-jsonping
Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2
|
APT43 | confirmed | 1 https://conference.birdriver.org/ | 1 C:\ProgramData\meeting.html decoy r... | 5 https://download.birdriver.org/down... | 3 engine.dat / spyInster.dll | 1 http://hdrgdrfes.chickenkiller.com/... | 11e / 13r | 2026-05-31 19:22:26 |
withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2
GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool
|
GREYVIBE | likely | 1 office.cip.ua.gov@gmail.com / offic... | 1 Google Drive-hosted malicious RAR a... | 3 bd3f35b91bf83427e953d4cf531a0ee4b5e... | 2 PhantomRelayV2 watchdog / RzUpdateM... | 6 nycpartnersenterprise.com | 13e / 13r | 2026-05-31 19:17:43 |
k7.2026.rvtools-signed-msi-python-rat
Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool
|
unknown | confirmed | 1 Signed fake RVTools MSI installer /... | — | 4 Binary.MyScript.vbs embedded MSI cu... | 3 Portable WinPython support layer / ... | 5 45.61.136.94 | 13e / 15r | 2026-05-30 11:07:46 |
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2
Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2
|
unknown | confirmed | 3 spearphishing ZIP attachment contai... | — | 7 data\empty.vbs | 2 UnityPlayer.dll / RUSTCLOAK Rust loader | 2 note1ggbbhggdwa1.blob.core.windows.net | 14e / 20r | 2026-05-29 20:05:53 |
seqrite.2026.operation-xenofiscal-sidecopy-xenorat
Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2
|
SideCopy | confirmed | 2 spearphishing ZIP archive targeting... | — | 13 mshta.exe LOLBIN execution of remot... | 3 ayhui.vmxx reconstructed shellcode ... | 1 185.235.137.106 | 19e / 18r | 2026-05-29 20:01:27 |
malwarebytes.2026.fake-chatgpt-dual-platform-stealers
Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer
|
unknown | confirmed | 2 search ads / SEO / YouTube / Discor... | — | 1 trojanized Ledger/Trezor wallet rep... | 6 Chat_GPT.exe | 4 http://188.137.246.189/laravel.php?... | 13e / 14r | 2026-05-28 19:45:38 |
securelist.2026.pirated-content-silentcryptominer-rat
Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure
|
unknown | confirmed | 2 pirated movie/TV streaming and digi... | 4 {domain}.strangled.net | 3 urush1bar4.online | 9 malicious DLL side-loaded by HLS In... | 8 5d14vnfb.space | 26e / 33r | 2026-05-28 19:43:28 |
ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28
Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2
|
MB-0004 | confirmed | 1 Ukraine-themed CVE-2025-8088 archiv... | — | 3 1070_26782818.pdf | 2 C:\ProgramData\Zhg | 3 https://151.158.1.229:11861/AHH_bY/ | 9e / 11r | 2026-05-28 17:37:25 |
jumpsec.2026.blacktoad-autoit-remcos-network-blackout
BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain
|
BlackToad | confirmed | 1 Thai-language image-based financial... | — | 7 MediaFire-hosted malware download l... | 1 payload.bin / decoded Remcos Pro implant | 7 pmitm.ddns.net | 16e / 25r | 2026-05-28 16:12:38 |
microsoft.2026.poisoned-search-screenconnect-gpu-miner
Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2
|
unknown | confirmed | 1 attacker-controlled lookalike utili... | — | 5 direct-download.gleeze.com | 7 autorun.dll variant set loaded by l... | 7 directdownload.icu | 20e / 23r | 2026-05-27 17:02:04 |
Technique pressure
top observed IIM techniquesActor surface
published chain attributionenki.2026.kimsuky-webex-httpSpy-jsonping
Kimsuky fake Webex page to fix-camera JSE, multi-stage HttpSpy variant, and chickenkiller C2
ENKI-attributed Kimsuky lane. Fake Webex page based on a legitimate meeting schedule downloads an ALZip archive containing fix-camera.jse, which drops meeting.html and mTSTCv8.mdxm/loadDll.dll. The downloader retrieves engine.dat/spyInster.dll, which installs cacheMon.dat/spyLoader.dll and the final HttpSpy main module. HttpSpy uses http://hdrgdrfes.chickenkiller.com/index.php as primary C2
withsecure.2026.greyvibe-phantommail-teasoup-phantomrelayv2
GREYVIBE PhantomMail: Ukrainian spear-phishing RAR to TEASOUP JS loader and PhantomRelayV2 C2 pool
WithSecure-attributed GREYVIBE PhantomMail lane. April 2026 spear-phishing likely impersonated Ukraine’s State Service of Special Communications and Information Protection, delivered Google Drive-hosted RAR archives, ran TEASOUP-obfuscated JavaScript loaders, and initiated PhantomRelayV2. Confirmed PhantomRelayV2 artifacts and C2 domains are taken from the original WithSecureLabs IOC repository. Exact URL/hash/C2 pairings that are not published are marked likely.
k7.2026.rvtools-signed-msi-python-rat
Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool
IIM chain for K7 Labs research published on 2026-05-28. The campaign masquerades as a signed RVTools installer for VMware administrators. The MSI contains an embedded VBScript custom action named Binary.MyScript.vbs, which decodes and launches hidden PowerShell. PowerShell downloads a roughly 33 MB archive from Dropbox, creates winp.zip in %AppData%, extracts a portable WinPython support layer, and launches collector.py and Pmanager.py with staged timing. collector.py fingerprints the host and Active Directory context into configA.json. Pmanager.py reads that local staging file, establishes persistence, encrypts and compresses outgoing data, and beacons every 300 seconds to a five-IP hardcoded C2 pool with automatic failover. The exact Dropbox URL was not published by K7, so the Dropbox node is modeled as a confirmed trusted-site staging class rather than an invented concrete URL.
seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2
Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2
IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.
seqrite.2026.operation-xenofiscal-sidecopy-xenorat
Operation XENOFISCAL: Pashto LNK to compromised Afghan delivery host and XenoRAT C2
IIM chain for Seqrite Operation XENOFISCAL, published 2026-05-29. The campaign targets Afghanistan Ministry of Finance provincial officials with a spearphishing ZIP containing a Pashto malicious LNK. The LNK launches mshta.exe and retrieves obfuscated HTA/JavaScript from compromised Afghan education domain abimj.edu.af/index.php. The script reconstructs an in-memory .NET loader, downloads an Afghan Ministry of Finance decoy PDF, persists zuidrt.hta, retrieves additional payload blobs from /institute/10/ or /institute/7/, reconstructs shellcode, loads XenoRAT, and connects to hardcoded C2 IP 185.235.137.106 hosted on AS59711/HZ Hosting infrastructure.
malwarebytes.2026.fake-chatgpt-dual-platform-stealers
Fake ChatGPT download site delivering Windows credential-stealing loader and macOS Odyssey Stealer
IIM chain for Malwarebytes Labs research published on 2026-05-28. The campaign impersonates OpenAI's ChatGPT download page at openew.app and serves platform-specific malware: Windows users receive Chat_GPT.exe, an Inno Setup/Electron-based loader that launches EApp.exe and communicates with 188.137.246.189 via a laravel.php endpoint; macOS users receive ChatGpt.dmg containing Odyssey Stealer, an AMOS fork that steals browser data, Telegram sessions, cryptocurrency-wallet data, and attempts wallet-app replacement. Malwarebytes publishes one landing domain, two sample hashes, and three network indicators. Where the article does not map 192.253.248.181 or 172.94.9.250 to a specific macOS server role, relations are explicitly marked tentative rather than inferred as confirmed.
securelist.2026.pirated-content-silentcryptominer-rat
Pirated content fake player update to SilentCryptoMiner fork, RAT C2 and miner config infrastructure
IIM chain for Kaspersky Securelist research published on 2026-05-28. The campaign distributes a miner/RAT stack via illegal streaming and digital-library sites using a fake video-player plugin update. The public chain models the confirmed delivery path: pirated-content lure, ZIP download from urush1bar4.online, HLS Installer.874.exe plus malicious DLL side-loading, decrypted main module based on a modified SilentCryptoMiner fork, injected RAT/watchdog/miner components, date-derived RAT C2 domains, weekly miner configuration retrieval domains resolving to 107.172.212.235, and UnamWebPanel control-panel addresses. Host execution details such as ROP, reflective loading, Defender exclusions, UAC prompting, and process injection are retained as evidence/context but are not over-modeled as IIM infrastructure techniques.
ukraine-cve-2025-8088-court-lure-startup-lnk-zhg-c2-2026-05-28
Ukraine court-summons lure via CVE-2025-8088 archive, Startup LNK, cv4 PowerShell loader, Zhg in-memory payload and HTTPS C2
Ukraine-focused chain reconstructed from submitted artifacts and static analysis. The archive container itself was not submitted, so archive-level hash and original email metadata remain unavailable. The member names and dropped artifacts are consistent with CVE-2025-8088/WinRAR path traversal and ADS-style archive extraction semantics: a visible Ukrainian court-summons PDF is shown while hidden/traversal members place a Startup LNK and ProgramData payload components. The LNK starts hidden PowerShell through cmd.exe and executes C:\\ProgramData\\cv4. cv4 reads C:\\ProgramData\\Zhg, decodes it by subtracting 0x2b from each byte, maps the decoded flat x64 image in memory, starts it at offset 0x197a0, and uses an HTTPS status endpoint. The decoded Zhg stage contains libcurl/SChannel behavior and an RC4-like encrypted Stage-2 C2 URL.
jumpsec.2026.blacktoad-autoit-remcos-network-blackout
BlackToad phishing to AutoIt crypter and Remcos Dynamic-DNS C2 chain
IIM chain for JUMPSEC DART research published on 2026-05-27. The campaign starts with a Thai-language, image-based financial payment-slip phishing email containing a MediaFire link, delivers a masqueraded .pdf.scr WinRAR SFX executable, launches a VBS loader, runs a renamed AutoIt3 interpreter with an obfuscated AutoIt script and INI-like configuration, decodes a substitution-hex encoded Remcos payload, and connects to three Dynamic-DNS C2 domains on port 50240. The report highlights a network-blackout execution window using ipconfig /release before AutoIt execution and ipconfig /renew afterwards; this behavior is kept as evidence/context because it is host execution logic rather than a separate network infrastructure node. The actual MediaFire URL and original recipient details were not published and are therefore not invented.
microsoft.2026.poisoned-search-screenconnect-gpu-miner
Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2
IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime