MALWAREBOX::ECOSYSTEM
Independent Threat Intelligence Research · Europe / Germany

Open frameworks for the infrastructure, decisions and defensive priority of adversary work.

Malwarebox is an independent research initiative from Germany/Europe 🇩🇪🇪🇺 building the frameworks, methodology and tooling that modern threat intelligence is missing. Seven components, one analytical loop, partially open, designed to outlast any single campaign.

01 · Observe: KRAKEN
02 · Structure: IIM
03 · Query: IIMQL
04 · Build: Workbench
05 · Fingerprint: Modus
06 · Relevance: MB-RM
07 · Prioritize: ACDP

Threat intelligence has a shape problem.

The field produces more indicators, reports and feeds than ever. The missing part is not more data. The missing part is structure: how campaigns are composed, how infrastructure is routed, how actors make recurring decisions, and how defenders should prioritize what matters.

Actor-centric · Explicit-first · Composable · European

Public frameworks, controlled substrate.

Models, schemas, query concepts and defensive methodology can be open. Continuous operational evidence, private actor notes and decision substrates remain controlled where needed.

Open where useful · Closed where harmful · Federation-ready
Interactive architecture

How the components lock together

A clean split → operationalize → prioritize model: KRAKEN produces evidence, IIM and Modus interpret different layers, IIMQL, Search, Workbench and Feeds make the model operational and shareable, MB-RM selects the actors that matter, and ACDP decides what to do first.

Evidence substrate
Operationalize the model
IIM + Modus → actor relevance
IIM drives structural query & search
Workbench & Feeds make IIM usable
MB-RM turns context into actor relevance
Defensive prioritization
Collection refinement
Components

Seven components, one coherent operating model

KRAKEN

Continuous observation substrate for actor-centric infrastructure tracking, enrichment and graph context.

observe · graph · collection

IIM

Infrastructure Intelligence Model. Structural grammar for adversary infrastructure roles, relations, chains and patterns.

roles · chains · patterns

IIMQL

Query language for adversary infrastructure. Lets analysts express structural searches across IIM data.

query · match · pivot

IIM Search

Fast lookup across IIM infrastructure data. Pivot from an indicator, role or pattern to the chains and actors it belongs to.

lookup · pivot · discover

IIM Feeds

Sanitized, consumable IIM feeds. Structured chains and patterns published as safe, machine-readable intelligence for downstream tooling.

feeds · sanitized · consume

IIM Workbench

Analyst workspace for building, validating, visualizing and exporting IIM chains and patterns.

visualize · validate · export

Modus

Adversary fingerprinting via decision-pattern profiles. Captures stable choices beyond tooling and infrastructure rotation.

decisions · profiles · federation

MB-RM

Malwarebox Relevance Mapper. Maps organization-specific exposure to actor relevance and analyst-readable rationale.

signals · ranking · rationale

ACDP

Actor-Centric Defensive Prioritization. Converts actor relevance and intelligence context into ranked defensive controls.

ADVIRRCCDDT

Threat Actor Profiles

Public analyst layer for actor overviews, Malwarebox actor IDs, malware references, IIM feeds and defensive articles.

actors · malware · references

Research Blog

Research output that feeds the ecosystem and documents campaigns, infrastructure patterns and defensive thinking.

articles · writeups · evidence

Operational flow

From raw signal to justified defensive action

The flow

1
KRAKEN observes

Collects and relates infrastructure, campaigns, sightings and graph context.

2
IIM structures

Turns infrastructure into roles, relations, chains, techniques and reusable patterns.

3
Modus fingerprints

Models stable adversary choices through versioned decision events and actor profiles.

4
IIMQL, Search and Workbench operationalize

Query, look up, inspect, validate and export the structured model — and publish it as sanitized IIM Feeds.

5
MB-RM maps relevance

Ranks which actors matter for a specific defender and why.

6
ACDP prioritizes

Ranks the defensive controls that matter first against the relevant actors.

Output object chain

KRAKEN.evidence[]
  → IIM.chain { roles, relations, techniques }
  → IIM.pattern { reusable structure }
  → IIMQL.result { matched chains }
  → IIM Search.hit { indicator → chain }
  → Workbench.validation { analyst reviewed }
  → IIM Feeds.published { sanitized intel }
  → Modus.profile { decision distributions }
  → MB-RM.ranking { actor relevance }
  → ACDP.controls { prioritized defense }
  → KRAKEN.collection_tasks { next cycle }

Principles

How Malwarebox is built

Actor-centric

Indicators rotate. Actors persist. Infrastructure, decisions and priorities connect back to the operator view.

Explicit-first

Assumptions, weights, models and interpretations must be visible, contestable and reproducible.

Open where it matters

Frameworks, schemas, methodology and reference tooling can be public. Sensitive substrates stay controlled.

European

Built with a strong European sovereignty angle and designed to reduce dependency on closed external CTI ecosystems.

Composable

Designed to complement ATT&CK, STIX, NIST, Sigma, YARA, Suricata and existing CTI workflows, not replace them.

Defender-oriented

The end goal is not another feed. The end goal is better defensive decisions and clearer analyst workflows.

Substrate model

Public frameworks, internal depth

Public layer

Useful for analysts, readers and partners without exposing operationally harmful details.

IIM / IIMQL / ACDP: open repos
IIM Search: public lookup
IIM Feeds: sanitized patterns
Threat Actor Profiles: public overview
Research Blog: public articles

Controlled layer

Operational material stays private or partner-gated when publication would help adversaries adapt.

KRAKEN Evidence Graph: controlled
Modus Decision Events: closed substrate
Internal Actor Notes: trusted users
Collection Requirements: operational