Malwarebox Ecosystem
01 / 13

Malwarebox.
A research bench for European
threat intelligence.

An open ecosystem for structural observation of adversary activity - where what's observed is shared, what's shared is queried, and what's queried becomes detection.

Composition
Kraken · IIM · Modus · IIMQL · ACDP · YaraBase · Sandbox
Operating Principle
observe → structure → fingerprint → share
Framing
European · GDPR-compatible
research bench · observation substrate
01 · the problem

Artifacts decay.
Structure survives.

What the field tracks today

IOCs, hashes, domains

A C2 domain gets burned, rotated, replaced. By the time an IOC lands in a feed, the adversary has already moved. Half-life measured in hours.

half-life · hours
What Malwarebox tracks

Structural shapes & actor fingerprints

The pattern behind the artifact - entry → staging → payload → C2 - survives rotation. The actor's choices behind the pattern - registrar, hosting tier, op-hours - survive even longer. Same actor, same shape, same decisions, different values.

half-life · years
02 · the principle

One continuous loop.

Seven components, one substrate. Every observation flows through the same cycle - and every cycle feeds the next.

observe · Kraken
structure · IIM
fingerprint · Modus
query · IIMQL
detect · YaraBase
validate · Sandbox
IIM describes how infrastructure is built  ·  Modus describes what the actor chose  ·  ACDP turns both into priority
And everything comes back into Kraken - the backbone that holds it all.
03 · backbone

Kraken.

research workbench vetting-based access

The graph where every artifact, every session, every observation, every match eventually lands. Persistent across time, structured by design.

Model
Graph of typed artifacts and relations. Domains, URLs, files, certificates, ASNs as nodes. Downloads, drops, resolves, connects as edges.
Time
Nothing is deleted when rotated. Old infrastructure becomes inactive, not invisible.
Sessions
Analyst work units. Pin samples, compare, cluster, attribute. Every action logged.
Not a product
Closed today because research maturity needs private space. Not paywalled.
04 · infrastructure side · share · structure · feed

IIM.

v1.1 · open apache 2.0 STIX-compatible

The structural vocabulary for what the actor built. Five roles, 26 techniques, typed relations. JSON-schema-validated. Federated as versioned pattern feeds.

Chains
An observed operation as a sequence of positions - entry, staging, payload, c2, redirector.
Patterns
Value-free shapes extracted from chains. Match actor behavior even when every value rotates.
Feeds
Published collections of patterns, versioned, signed. Subscribe to others, publish your own.
Round-trips STIX
Lossless conversion in both directions. Flows directly into OpenCTI, MISP, TheHive.
entry · lure.rar
staging · loader.hta
→ drops
payload · high severity · pteranodon.exe
→ connects
c2 · dyndns · rotation · c2.duckdns.org
05 · actor side · fingerprint · attribute

Modus.

closed research artifact v0.2 · spec draft

The twin layer to IIM. Where IIM tracks how infrastructure is built, Modus tracks the choices the actor makes when they build it. The fingerprint that survives even when the infrastructure rotates.

Evidence
Raw, immutable observation. "WHOIS record at 2026-01-12 14:22" - what was seen, not what it means.
Decisions
Semantic interpretations. "Actor chose registrar X, given alternatives Y, Z." Decisions are versioned; Evidence is not.
Profiles
Per-actor aggregates of decisions across registrar, TLD, op-hours, registration-to-activation delay, hosting tier, rotation cadence.
Federated trust
Evidence and Decisions signed independently. Trust the partner's collection but not their interpretation - or vice versa. Per-query trust slices.
actor profile
Gamaredon
profile · v1.3
47 decisions
registrar regru.ru · godaddy
tld pref .ru · .info · .top
op-hours 06:00–14:00 UTC
reg→active median 3.2h
hosting budget VPS · autonomic
rotation rapid · daily cadence
infrastructure · actor · two views, one operation
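The federated-trust rule above, Evidence and Decisions signed independently so a consumer can take a partner's collection without taking their interpretation (or vice versa), as an added example that is not Modus's own code. HMAC-SHA256 stands in for whatever signature scheme a real federation would use; the record layout, the two key names, the partner name and the sample WHOIS evidence are assumptions constructed for this example.

```python
# Added example, not Modus's own code. Modus signs Evidence and Decisions
# independently so a consumer can accept a partner's collection without
# accepting their interpretation, or vice versa. HMAC-SHA256 stands in for
# the signature scheme a federation would use; the record layout, the two
# key names and the partner name are assumptions made for this example.
import hashlib
import hmac
import json
from typing import Dict, List, Optional

def canonical(record: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def sign(record: dict, key: bytes) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify(record: dict, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(record, key), sig)

# Evidence is raw and immutable; a Decision is a versioned interpretation
# that points back at the evidence it rests on. Both records are constructed.
EVIDENCE = {"kind": "evidence", "id": "ev-1", "observed_at": "2026-01-12T14:22Z",
            "source": "whois", "domain": "lure.example", "registrar": "Registrar X"}
DECISION = {"kind": "decision", "id": "dc-1", "version": 2, "evidence": ["ev-1"],
            "actor": "ACTOR-PLACEHOLDER",
            "claim": "actor chose registrar X, given alternatives Y, Z"}

# The partner keeps one key per layer (constructed keys, not real secrets).
COLLECTION_KEY = b"partner-a/collection/key"
INTERPRETATION_KEY = b"partner-a/interpretation/key"

def build_feed() -> dict:
    """What partner-a publishes: each layer signed with its own key."""
    return {
        "partner": "partner-a",
        "evidence": [{"record": EVIDENCE, "sig": sign(EVIDENCE, COLLECTION_KEY)}],
        "decisions": [{"record": DECISION, "sig": sign(DECISION, INTERPRETATION_KEY)}],
    }

TrustPolicy = Dict[str, Dict[str, Optional[bytes]]]

def trust_slice(feed: dict, policy: TrustPolicy) -> Dict[str, List[dict]]:
    """Per-query trust slice. policy[partner][layer] is the key accepted for
    that layer, or None when that layer from that partner is not trusted.
    Only records whose signature verifies under an accepted key come back."""
    partner_keys = policy.get(feed["partner"], {})
    accepted: Dict[str, List[dict]] = {"evidence": [], "decisions": []}
    for layer in ("evidence", "decisions"):
        key = partner_keys.get(layer)
        if key is None:
            continue  # this layer from this partner is out of the slice
        for item in feed[layer]:
            if verify(item["record"], item["sig"], key):
                accepted[layer].append(item["record"])
    return accepted

def demo() -> Dict[str, int]:
    feed = build_feed()
    collection_only = {"partner-a": {"evidence": COLLECTION_KEY, "decisions": None}}
    both = {"partner-a": {"evidence": COLLECTION_KEY, "decisions": INTERPRETATION_KEY}}
    # A re-interpretation without a fresh signature must not pass verification.
    tampered = json.loads(json.dumps(feed))
    tampered["decisions"][0]["record"]["claim"] = "actor chose registrar Y"
    return {
        "collection_only_evidence": len(trust_slice(feed, collection_only)["evidence"]),
        "collection_only_decisions": len(trust_slice(feed, collection_only)["decisions"]),
        "both_decisions": len(trust_slice(feed, both)["decisions"]),
        "tampered_decisions": len(trust_slice(tampered, both)["decisions"]),
    }

if __name__ == "__main__":
    print(demo())
```

The point of the two keys is that revoking or declining one layer never touches the other: a consumer who stops trusting partner-a's attribution simply sets the `decisions` key to `None` and keeps ingesting their WHOIS observations unchanged.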
06 · query the corpus

IIMQL.

v1.0 · open stdlib-only embed anywhere

When you have thousands of chains, patterns, and actor profiles - yours plus federated feeds - the interesting questions are structural. IIMQL turns them into one-liners.

Grammar
Cypher-style graph patterns for structure. SQL-style filters for attributes. Both in one query.
Three modes
CLI on local chains · embedded in Kraken as pivot surface · library in third-party tools.
Stable grammar
v1.0 queries still run on v1.5. Extensions without breakage.
# every c2 using fast-flux or dga
MATCH position
WHERE role = "c2"
  AND (techniques HAS "IIM-T007" OR techniques HAS "IIM-T009")
RETURN chain.actor_id, entity.value
MB-0001    c2.duckdns.org
MB-0002    telemetry-edge.net
MB-0008    qz3kdme9wpx.com
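Two ideas from the IIM and IIMQL slides, shown together in plain Python as an added example that is neither IIM's schema nor IIMQL's engine: a chain is a sequence of positions, a pattern is that chain with every concrete value stripped (so a rotated copy still matches), and the structural query above is a filter over positions by role and technique. The field names, the sample chains, and the reading of "IIM-T007"/"IIM-T009" as the fast-flux and DGA technique ids (the page's query comment pairs them, but does not say which is which) are assumptions made for this example; MB-0001 mirrors the chain drawn on the IIM slide.

```python
# Added example, not IIM's or IIMQL's own code: value-free pattern extraction
# from a chain, plus a plain-Python equivalent of the IIMQL query on the page.
# Field names, technique-id meanings and sample chains are assumptions.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Position:
    role: str                         # entry, staging, payload, c2, redirector
    value: str                        # concrete artifact: filename, domain, URL
    techniques: Tuple[str, ...] = ()  # technique ids observed at this position
    relation: str = ""                # edge from the previous position: drops, connects

@dataclass
class Chain:
    actor_id: str
    positions: List[Position]

# A shape keeps role, sorted technique set and edge type per position; values are gone.
Shape = Tuple[Tuple[str, Tuple[str, ...], str], ...]

def shape_of(chain: Chain) -> Shape:
    """Value-free pattern: what survives when every artifact rotates."""
    return tuple((p.role, tuple(sorted(p.techniques)), p.relation) for p in chain.positions)

def matches(pattern: Shape, chain: Chain) -> bool:
    """A chain matches a pattern when its shape is identical, whatever its values."""
    return shape_of(chain) == pattern

def c2_with_any_technique(chains: List[Chain], wanted: Tuple[str, ...]) -> List[Tuple[str, str]]:
    """Equivalent of:
       MATCH position WHERE role = "c2" AND (techniques HAS t1 OR techniques HAS t2)
       RETURN chain.actor_id, entity.value"""
    hits = []
    for chain in chains:
        for p in chain.positions:
            if p.role == "c2" and any(t in p.techniques for t in wanted):
                hits.append((chain.actor_id, p.value))
    return hits

# Constructed sample corpus. MB-0001 mirrors the chain on the IIM slide,
# MB-0002 is the same shape with every value rotated, MB-0003 is a different shape.
OBSERVED = Chain("MB-0001", [
    Position("entry", "lure.rar"),
    Position("staging", "loader.hta"),
    Position("payload", "pteranodon.exe", relation="drops"),
    Position("c2", "c2.duckdns.org", ("IIM-T007",), relation="connects"),
])
ROTATED = Chain("MB-0002", [
    Position("entry", "invoice.rar"),
    Position("staging", "update.hta"),
    Position("payload", "svchost32.exe", relation="drops"),
    Position("c2", "node7.no-ip.example", ("IIM-T007",), relation="connects"),
])
DIFFERENT = Chain("MB-0003", [
    Position("entry", "invoice.zip"),
    Position("payload", "stage2.dll", relation="drops"),
    Position("c2", "qz3kdme9wpx.example", ("IIM-T009",), relation="connects"),
])
CORPUS = [OBSERVED, ROTATED, DIFFERENT]

def demo() -> dict:
    pattern = shape_of(OBSERVED)
    return {
        "pattern_len": len(pattern),
        "rotated_matches": matches(pattern, ROTATED),
        "different_matches": matches(pattern, DIFFERENT),
        "c2_hits": c2_with_any_technique(CORPUS, ("IIM-T007", "IIM-T009")),
    }

if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Exact shape equality is the strictest form of matching; a real pattern feed would also want subsequence or wildcard positions, but the property that matters is already visible here: MB-0002 shares no single value with MB-0001 and still matches, while MB-0003, which does share the IIMQL hit, does not.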
07 · prioritize · the decision layer

ACDP.

v1.0 · open paper + calculator consumes IIM + Modus

The "what to work on next" layer that sits on top of everything else. Actor-centric defensive prioritization - transparent, contestable, driven by the actor profile Modus produces.

Inputs
Modus profiles for actor intent · IIM patterns for capability · observed targeting · real impact · relevance to your org.
Output
A single priority score per actor - with the calculation visible at every weight.
Optional
Not every org needs explicit priority math. For those that do, ACDP is one answer, not the answer.
Sandworm · 4.70
APT28 · 3.45
MuddyWater · 2.65
APT36 · 1.80
scored against Modus profiles · worked examples in the ACDP paper
08 · detect · federate

YaraBase.

planned yara-native

Federated YARA. Rules versioned, signed, distributed. When a rule fires, the sample can come back for analysis - closing the loop between detection and observation.

Federation
Organizations maintain their own namespace. Subscribe to peers. Mirrors and cryptographic signatures first-class.
Versioning
Rules as versioned objects - lineage, author, rationale, deprecation path.
Sample-request loop
Rule fires on endpoint → sample returned to central analysis → new observation in Kraken.
author · Write rule · versioned + signed
publish · Push to YaraBase namespace
deploy · Federation → subscribed endpoints
match · Rule fires · sample request issued
feedback · Sample → Sandbox → Kraken observation
09 · dynamic analysis · GDPR

Malwarebox
Sandbox.

planned EU-hosted GDPR

A trustworthy European sandbox. On-prem for organizations that need air-gap. Public EU instance for those that need data sovereignty. No current major sandbox meets both bars.

The gap
US-hosted sandboxes (Hybrid-Analysis, Any.Run, VirusTotal, Intezer) raise Cloud Act and sovereignty concerns for EU regulated entities.
Two profiles
On-prem → samples never leave your environment. Public EU → explicit GDPR terms, no sample resale, transparent retention.
Feeds Kraken
Every detonation produces structured observations - URLs, behavior chain, YARA hits. Not an endpoint, an ingest event.
Provider · EU-hosted · GDPR-core
Hybrid-Analysis
Any.Run
VirusTotal
Joe Sandbox
Intezer
Malwarebox
10 · static analysis

Static Analysis.

v0.3 format-agnostic python stdlib

A sample in, structured observation out. Every format the researcher actually sees - not just PEs, not just executables.

Detects
Format via magic bytes + content sniffing. Never trusts the extension.
Extracts
Identity · hashes · structure · strings · symbols · indicators · capabilities. One JSON, Kraken-ready.
Capabilities
14 ATT&CK rules inferred from imports + strings. Transparent 0-100 verdict with visible breakdown.
SUPPORTED FORMATS
PE: DLL · EXE
ELF: 32 · 64
Mach-O: darwin
Office: DOCX · XLSX
Legacy: OLE · VBA
Archive: RAR · ZIP · 7z
Script: HTA · PS1
Script: VBS · JS · BAT
Other: LNK · PDF · raw
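Format detection by magic bytes plus content sniffing, never by extension, as an added example covering the formats listed above; this is not the Static Analysis component's own code. The magic values and the PE/ELF/OOXML header layouts are the real ones, the text-script heuristics are deliberately minimal, and every sample file below is constructed in memory for the example (the one named `report.pdf` is really a DLL, to show the extension being ignored).

```python
# Added example, not the Static Analysis component's own code: detect a
# sample's format from content only. Magic values and header layouts are
# real; the script heuristics are minimal; all sample bytes are constructed.
import io
import struct
import zipfile

MAGIC = [
    (b"\xfe\xed\xfa\xce", "Mach-O"), (b"\xfe\xed\xfa\xcf", "Mach-O"),
    (b"\xce\xfa\xed\xfe", "Mach-O"), (b"\xcf\xfa\xed\xfe", "Mach-O"),
    (b"\xca\xfe\xba\xbe", "Mach-O fat"),   # caveat: also the Java class magic
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE"),
    (b"Rar!\x1a\x07", "RAR"),              # covers RAR4 (..\x00) and RAR5 (..\x01\x00)
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"%PDF-", "PDF"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "LNK"),
]

def _pe_kind(data: bytes) -> str:
    """Follow e_lfanew to the PE signature, then read COFF Characteristics
    (offset 18 in the COFF header) to tell DLL (IMAGE_FILE_DLL = 0x2000) from EXE."""
    if len(data) < 0x40:
        return "MZ (truncated)"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return "MZ (no PE header)"
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "PE/DLL" if characteristics & 0x2000 else "PE/EXE"

def _zip_kind(data: bytes) -> str:
    """ZIP is only a container: OOXML announces itself with [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "ZIP (corrupt)"
    if "[Content_Types].xml" not in names:
        return "ZIP"
    if any(n.startswith("word/") for n in names):
        return "OOXML/DOCX"
    if any(n.startswith("xl/") for n in names):
        return "OOXML/XLSX"
    return "OOXML"

def _text_kind(data: bytes) -> str:
    """Scripts have no magic; sniff decodable text for a few strong markers."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    if "\0" in text:
        return "unknown"
    low = text.lower()
    if "<hta:application" in low:
        return "HTA"
    if low.lstrip().startswith(("@echo off", "rem ")):
        return "BAT"
    return "text"

def detect(data: bytes, claimed_name: str = "") -> str:
    """Format from content only. claimed_name is accepted and deliberately ignored."""
    if data.startswith(b"MZ"):
        return _pe_kind(data)
    if data.startswith(b"\x7fELF"):
        return {1: "ELF32", 2: "ELF64"}.get(data[4] if len(data) > 4 else 0, "ELF")
    if data.startswith(b"PK\x03\x04"):
        return _zip_kind(data)
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return _text_kind(data)

def make_pe(dll: bool) -> bytes:
    """Constructed minimal MZ/PE: 0x40-byte DOS header, e_lfanew = 0x40, COFF header."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x8664)                     # Machine: AMD64
    struct.pack_into("<H", coff, 18, 0x2022 if dll else 0x0022)  # Characteristics
    return bytes(header) + b"PE\0\0" + bytes(coff)

def make_ooxml(part: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part, "<x/>")
    return buf.getvalue()

SAMPLES = {  # constructed, name deliberately lies in two cases
    "report.pdf": make_pe(dll=True),
    "update.exe": make_pe(dll=False),
    "libx.so": b"\x7fELF\x02\x01\x01" + b"\0" * 57,
    "invoice.docx": make_ooxml("word/document.xml"),
    "sheet.xlsx": make_ooxml("xl/workbook.xml"),
    "old.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 504,
    "lure.rar": b"Rar!\x1a\x07\x01\x00" + b"\0" * 8,
    "notes.txt": b"<html><hta:application id=\"x\"></html>",
    "setup.bat": b"@echo off\r\necho hi\r\n",
}

def detect_all() -> dict:
    return {name: detect(data, name) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, kind in detect_all().items():
        print(f"{name:14} {kind}")
```

The PE branch is the one worth copying: matching `MZ` alone is not enough, since the DOS stub is shared with other old formats, so the check walks `e_lfanew` to the `PE\0\0` signature before it reads anything else. The `0xCAFEBABE` entry is flagged because the same four bytes open a Java class file; a production sniffer would disambiguate on the following bytes.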
11 · the full picture

Two vocabularies. One substrate.

IIM describes infrastructure · Modus describes the actor · everything else is built around them - and everything flows back to Kraken.

Kraken
backbone · observation graph
IIM
infrastructure side
Structural vocabulary. Federated feeds.
v1.1
Modus
actor side · fingerprint
Decision-pattern profiling. Federated.
research
IIMQL
query language
Cypher + SQL across IIM & Modus.
v1.0
ACDP
priority layer
Transparent actor scoring.
v1.0
YaraBase
detection federation
Rule sharing + sample loop.
planned
Malwarebox Sandbox
dynamic analysis · EU
GDPR-compliant detonation.
planned
Static Analysis
sample extractor
Format-agnostic JSON output.
v0.3
12 · where we fit

Complement, not compete.

Malwarebox fills the researcher-workbench layer that sits before the intel store. Everything else stays as it is.

Capability · OpenCTI · OpenAEV · MISP · Malwarebox
Intel storage & correlation
Adversary simulation / validation
IOC federation
Structural observation bench
Structural pattern vocabulary
Adversary fingerprinting (decision-pattern)
EU-hosted dynamic analysis
Legend: primary · partial · out-of-scope