MALWAREBOX::ECOSYSTEM
Independent Threat Intelligence Research · Europe / Germany

Open frameworks for the infrastructure, decisions, attribution and defensive priority of adversary work.

Malwarebox is an independent research initiative from Germany and Europe, building the frameworks, methodology and tooling that modern threat intelligence is missing. Nine components, one analytical loop, partially open, designed to outlast any single campaign.

01 · ObserveKRAKEN
02 · Analyze NEWMANTIS
03 · StructureIIM
04 · QueryIIMQL
05 · BuildWorkbench
06 · FingerprintModus
07 · Attribute NEWSOLBIT
08 · RelevanceMB-RM
09 · PrioritizeACDP

Threat intelligence has a shape problem.

The field produces more indicators, reports and feeds than ever. The missing part is not more data. The missing part is structure: how campaigns are composed, how infrastructure is routed, how actors make recurring decisions, who is really behind it, and how defenders should prioritize what matters.

Actor-centricExplicit-firstDeception-awareEuropean

Public frameworks, controlled substrate.

Models, schemas, query concepts, attribution logic and defensive methodology can be open. Continuous operational evidence, decision substrates, malware catalogs and dimension weights remain controlled where needed.

Open where usefulClosed where harmfulFederation-ready
Interactive architecture

How the components lock together

A clean observe → analyze → structure → attribute → prioritize model: KRAKEN produces evidence and runs Mantis for malware, IIM and Modus interpret different layers, SOLBIT fuses six dimensions into an attribution verdict, MB-RM selects the actors that matter, and ACDP decides what to do first.

Click a component updates the inspector tabs filter the loop Esc resets
Evidence substrate
Operationalize the model
IIM · Modus · Mantis → attribution
Attribution → actor relevance
Mantis & IIM & Modus feed the six dimensions
SOLBIT turns evidence into attribution
MB-RM turns context into actor relevance
Defensive prioritization
Collection refinement
SOLBIT · attribution

Six dimensions, weighted by depth

Cheap signals can be planted. The deeper the signal, the harder it is to fake, so SOLBIT trusts the abyss over the surface, and reads a contradiction between the two as a false flag.

More
−0 m
surface
−1500 m −3000 m −4500 m −6000 m
hadal
T
Technical
What is inside the artifact?
substrate · Mantiseasiest to fake
resistance
I
Infrastructure
How is the infrastructure built and reused?
substrate · IIM
resistance
L
Linguistic · hinge
What language & idiolect leak through?
substrate · Lingua (proposed)locale ↕ idiolect
resistance
B
Behavioral
What recurring tradecraft appears?
substrate · Modus
resistance
O
Operational
When & how does it run as a human enterprise?
substrate · Moduspattern-of-life
resistance
S
Strategic
Whose intent does this serve? Cui bono?
substrate · gaphardest to fake
resistance

Manipulation resistance

surfaceabyss

Convergence among deep dimensions is strong evidence. Convergence among surface dimensions alone is exactly what a competent false flag produces on purpose.

Surface vs deep

The false-flag detector, split the verdict and compare the two halves.

surface ↑
surface ↓
deep ↑
corroborated
quiet / clean
deep ↓
false flag
insufficient
Components

Nine components, one coherent operating model

KRAKEN

Continuous observation substrate for actor-centric infrastructure tracking, enrichment and graph context. Hosts Mantis natively.

observegraphcollection

Mantis

Malware analysis, natively integrated in KRAKEN. Static and dynamic analysis with sample-to-actor attribution in one continuous flow.

staticdynamicattribution

IIM

Infrastructure Intelligence Model. Structural grammar for adversary infrastructure roles, relations, chains and patterns.

roleschainspatterns

IIMQL

Query language for adversary infrastructure. Lets analysts express structural searches across IIM data.

querymatchpivot

IIM Search

Fast lookup across IIM infrastructure data. Pivot from an indicator, role or pattern to the chains and actors it belongs to.

lookuppivotdiscover

IIM Workbench

Analyst workspace for building, validating, visualizing and exporting IIM chains and patterns.

visualizevalidateexport

Modus (Unreleased)

Adversary fingerprinting via decision-pattern profiles. Captures stable choices beyond tooling and infrastructure rotation.

decisionsprofilesfederation

SOLBIT

Six-dimension Deception-Aware attribution model: Strategic, Operational, Linguistic, Behavioral, Infrastructure, Technical. Resistance-weighted.

6 dimensionsspoofabilityfalse-flag

MB-RM (Unreleased)

Malwarebox Relevance Mapper. Maps organization-specific exposure to actor relevance and analyst-readable rationale.

signalsrankingrationale

ACDP

Actor-Centric Defensive Prioritization. Converts actor relevance and intelligence context into ranked defensive controls.

ADVIRRCCDDT

Threat Actor Profiles

Public analyst layer for actor overviews, Malwarebox actor IDs, malware references, IIM feeds and defensive articles.

actorsmalwarereferences

Research Blog

Research output that feeds the ecosystem and documents campaigns, infrastructure patterns and defensive thinking.

articleswriteupsevidence
Operational flow

From raw signal to justified defensive action

The flow

1
KRAKEN observes

Collects and relates infrastructure, campaigns, sightings and graph context.

2
Mantis analyzes

Static and dynamic malware analysis; links each sample directly to a tracked actor.

3
IIM structures · Modus fingerprints

Infrastructure becomes chains and patterns; stable adversary choices become decision profiles.

4
IIMQL, Search & Workbench operationalize

Query, inspect, validate and export the structured model and publish it as sanitized IIM Feeds.

5
SOLBIT attributes

Fuses six resistance-weighted dimensions into one verdict and flags false flags via surface-vs-deep divergence.

6
MB-RM maps relevance

Ranks which attributed actors matter for a specific defender, and why.

7
ACDP prioritizes

Ranks the defensive controls that matter first against the relevant actors.

Output object chain

KRAKEN.evidence[]
  → Mantis.analysis { static · dynamic · sample→actor }
  → IIM.chain { roles, relations, techniques }
  → IIM.pattern { reusable structure }
  → Modus.profile { decision distributions }
  → SOLBIT.verdict { 6 dims · resistance-weighted · false-flag }
  → MB-RM.ranking { actor relevance }
  → ACDP.controls { prioritized defense }
  → KRAKEN.collection_tasks { next cycle }
Principles

How Malwarebox is built

Actor-centric

Indicators rotate. Actors persist. Infrastructure, decisions and priorities connect back to the operator view.

Explicit-first

Assumptions, weights, models and interpretations must be visible, contestable and reproducible.

Deception-aware

Cheap signals can be planted. SOLBIT weighs evidence by how hard it is to fake, and treats a surface-vs-deep contradiction as a false-flag signal.

Open where it matters

Frameworks, schemas, methodology and reference tooling can be public. Sensitive substrates stay controlled.

European

Built with a strong European sovereignty angle and designed to reduce dependency on closed external CTI ecosystems.

Composable

Designed to complement ATT&CK, STIX, NIST, Sigma, YARA, Suricata and existing CTI workflows, not replace them.

Defender-oriented

The end goal is not another feed. The end goal is better defensive decisions and clearer analyst workflows.

Substrate model

Public frameworks, internal depth

Public layer

Useful for analysts, readers and partners without exposing operationally harmful details.

IIM / IIMQL / ACDPopen repos
SOLBITmodel + scoring open
IIM Searchpublic lookup IIM Feedssanitized patterns
Threat Actor Profilespublic overview

Controlled layer

Operational material stays private or partner-gated when publication would help adversaries adapt.

KRAKEN Evidence Graphcontrolled
Mantis Malware Catalogcontrolled
Modus Decision Eventsclosed substrate
SOLBIT Weights / Lingua Corporacontrolled
Collection Requirementsoperational