Malwarebox is an independent research initiative building the frameworks, methodology and tooling that modern threat intelligence is missing. Three components, one analytical loop, partially open, designed to outlast any single campaign.
The field produces more data than ever - indicators, reports, feeds, detections - and less clarity per unit of data than a decade ago. Not because the data is bad. Because the structures to hold it were never built.
Indicators decay within days. Behavioral taxonomies describe endpoints but stay silent on infrastructure. Risk models quantify impact but ignore adversary intent. Between these layers sits the operational reality - how campaigns are actually composed, delivered, routed and defended against.
Malwarebox exists to build what is missing in this space: structured models, explicit methodology and continuous observation, all released openly, designed to compose with existing standards rather than replace them.
Malwarebox publicly maintains three independent but complementary projects - a platform, a framework and a methodology. Each functions on its own. Together they form a closed analytical loop: observation produces structure, structure produces priority and priority drives further observation.
Kraken is an actor-centric threat intelligence platform that continuously tracks adversary infrastructure as an evolving graph. It collects, normalizes and relates signals into a living intelligence structure rather than a static list of indicators.
IIM is a structural grammar for modeling adversary infrastructure - roles, relations, techniques, chains, patterns. It sits between IOCs and behavioral frameworks like ATT&CK, filling the gap neither addresses.
ACDP is a prioritization methodology that translates adversary intent into ranked defensive actions. It sits one level above ATT&CK and NIST, using their outputs as inputs and producing explicit, actor-specific defensive priorities.
Kraken without IIM is a graph of disconnected observations. IIM without Kraken is a grammar nobody uses. ACDP without both is scoring numbers pulled from air. Together they form a single analytical loop where each component produces exactly what the next one needs.
Three components, three flows between them, one coherent way to go from raw infrastructure signals to justified defensive decisions.
Six principles that run through every component. They are not promises. They are constraints we accept, because without them the work collapses into the same noise it tries to replace.
Everything we build is organized around adversaries, not artifacts. Infrastructure, patterns, priorities - all of it connects back to the operators behind the activity. The artifact view is tactical and short-lived. The actor view outlives any single campaign.
Every model, weighting and scoring decision is documented and contestable. If a judgment can't be written down, it can't be reviewed, and if it can't be reviewed, it degrades silently. We choose the discomfort of explicit decisions over the comfort of implicit ones.
IIM, ACDP, the schemas, the reference implementations - everything the community needs to reason about, review and build on top of - is released openly. Kraken is the working environment behind it, and for now it stays closed; access is granted through vetting. Research that shapes public frameworks has to mature somewhere private first, and that somewhere is Kraken.
Europe has historically depended on US commercial feeds and fragmented bilateral exchanges for threat intelligence. That dependence is a strategic weakness. Malwarebox builds open, federated, sovereign alternatives.
This is the standard I use across my own ecosystem. I'm sharing it because it might be useful to others working on the same problems. Things that become useful to many people tend to do so slowly, and I'd rather get it right than get it noticed.
We do not intend to replace ATT&CK, STIX, NIST, or any mature framework. Every component of Malwarebox is designed to compose with existing standards and fill specific gaps.
Malwarebox publishes continuous threat intelligence research through the Synaptic Security Blog - deep analyses of active adversaries, infrastructure patterns and defensive approaches. The research informs the frameworks. The frameworks sharpen the research.
The current focus is on adversaries targeting Europe and especially Ukraine - state-aligned operators whose campaigns rotate infrastructure faster than most feeds can keep up with. Gamaredon is the clearest example: a group that has been active for over a decade, shifts infrastructure on a near-daily basis, and keeps returning to the same structural patterns underneath the rotation. Understanding how they operate as a system - rather than through isolated samples - is what most of the recent work has been about.
New analysis is published approximately every one to two weeks. The approach stays the same across actors: treat them as systems, describe the infrastructure structurally, and assume the specific IOCs will be gone by the time anyone reads the post.
Malwarebox is research infrastructure, released as it is built. Use what is useful, critique what is weak, contribute what is missing. The work is better when more people touch it.