KRAKEN
Continuous observation substrate for actor-centric infrastructure tracking, enrichment and graph context. Hosts Mantis natively.
Malwarebox is an independent research initiative from Germany and Europe, building the frameworks, methodology and tooling that modern threat intelligence is missing. Nine components, one analytical loop, partially open, designed to outlast any single campaign.
The field produces more indicators, reports and feeds than ever. The missing part is not more data. The missing part is structure: how campaigns are composed, how infrastructure is routed, how actors make recurring decisions, who is really behind it, and how defenders should prioritize what matters.
Models, schemas, query concepts, attribution logic and defensive methodology can be open. Continuous operational evidence, decision substrates, malware catalogs and dimension weights remain controlled where needed.
A clean observe → analyze → structure → attribute → prioritize model: KRAKEN produces evidence and runs Mantis for malware, IIM and Modus interpret different layers, SOLBIT fuses six dimensions into an attribution verdict, MB-RM selects the actors that matter, and ACDP decides what to do first.
Cheap signals can be planted. The deeper the signal, the harder it is to fake, so SOLBIT trusts the abyss over the surface, and reads a contradiction between the two as a false flag.
MoreConvergence among deep dimensions is strong evidence. Convergence among surface dimensions alone is exactly what a competent false flag produces on purpose.
The false-flag detector, split the verdict and compare the two halves.
Continuous observation substrate for actor-centric infrastructure tracking, enrichment and graph context. Hosts Mantis natively.
Malware analysis, natively integrated in KRAKEN. Static and dynamic analysis with sample-to-actor attribution in one continuous flow.
Infrastructure Intelligence Model. Structural grammar for adversary infrastructure roles, relations, chains and patterns.
Query language for adversary infrastructure. Lets analysts express structural searches across IIM data.
Fast lookup across IIM infrastructure data. Pivot from an indicator, role or pattern to the chains and actors it belongs to.
Analyst workspace for building, validating, visualizing and exporting IIM chains and patterns.
Adversary fingerprinting via decision-pattern profiles. Captures stable choices beyond tooling and infrastructure rotation.
Six-dimension Deception-Aware attribution model: Strategic, Operational, Linguistic, Behavioral, Infrastructure, Technical. Resistance-weighted.
Malwarebox Relevance Mapper. Maps organization-specific exposure to actor relevance and analyst-readable rationale.
Actor-Centric Defensive Prioritization. Converts actor relevance and intelligence context into ranked defensive controls.
Public analyst layer for actor overviews, Malwarebox actor IDs, malware references, IIM feeds and defensive articles.
Research output that feeds the ecosystem and documents campaigns, infrastructure patterns and defensive thinking.
Collects and relates infrastructure, campaigns, sightings and graph context.
Static and dynamic malware analysis; links each sample directly to a tracked actor.
Infrastructure becomes chains and patterns; stable adversary choices become decision profiles.
Query, inspect, validate and export the structured model and publish it as sanitized IIM Feeds.
Fuses six resistance-weighted dimensions into one verdict and flags false flags via surface-vs-deep divergence.
Ranks which attributed actors matter for a specific defender, and why.
Ranks the defensive controls that matter first against the relevant actors.
KRAKEN.evidence[] → Mantis.analysis { static · dynamic · sample→actor } → IIM.chain { roles, relations, techniques } → IIM.pattern { reusable structure } → Modus.profile { decision distributions } → SOLBIT.verdict { 6 dims · resistance-weighted · false-flag } → MB-RM.ranking { actor relevance } → ACDP.controls { prioritized defense } → KRAKEN.collection_tasks { next cycle }
Indicators rotate. Actors persist. Infrastructure, decisions and priorities connect back to the operator view.
Assumptions, weights, models and interpretations must be visible, contestable and reproducible.
Cheap signals can be planted. SOLBIT weighs evidence by how hard it is to fake, and treats a surface-vs-deep contradiction as a false-flag signal.
Frameworks, schemas, methodology and reference tooling can be public. Sensitive substrates stay controlled.
Built with a strong European sovereignty angle and designed to reduce dependency on closed external CTI ecosystems.
Designed to complement ATT&CK, STIX, NIST, Sigma, YARA, Suricata and existing CTI workflows, not replace them.
The end goal is not another feed. The end goal is better defensive decisions and clearer analyst workflows.
Useful for analysts, readers and partners without exposing operationally harmful details.
Operational material stays private or partner-gated when publication would help adversaries adapt.