Malwarebox

Malwarebox is an independent European malware analysis and threat intelligence project focused on tracking real-world attack infrastructure, malware delivery chains, and adversary behavior.

The blog publishes technical research on malware campaigns, infrastructure rotations, payload delivery, obfuscation techniques, and threat actor activity. Instead of only listing indicators, Malwarebox tries to explain how an attack is built, how the infrastructure is connected, and what patterns can be reused for detection and analysis.

Malwarebox also includes experimental tools and models such as KRAKEN, ACDP, IIM, and IIMQL, which are designed to support structured infrastructure intelligence, adversary tracking and deeper malware campaign analysis.


European CTI Ecosystem

Malwarebox is the stack.

A growing ecosystem for malware research, adversary infrastructure intelligence, actor-centric prioritization, and practical analyst tooling. Not another IOC pile. More like the map for how the mess is actually built.

The public entry points for the Malwarebox ecosystem: websites, whitepapers, models, workbench tooling, and GitHub repositories in one overview.

Platform

Malwarebox

Main public entry point for the Malwarebox ecosystem, research direction, tools, models, and CTI work.

https://malwarebox.eu
GitHub

Malwarebox GitHub

Public repositories for tools, schemas, workbench code, models, and research artifacts.

https://github.com/MalwareboxEU
KRAKEN

KRAKEN Website

Actor-centric CTI platform for tracking adversaries, infrastructure, campaigns, and operational relationships.

https://kraken.malwarebox.eu
Whitepaper

KRAKEN Whitepaper

The concept, reasoning, and architecture behind the KRAKEN approach to actor-centric intelligence.

https://kraken.malwarebox.eu/whitepaper
IIM

IIM Website

Infrastructure Intelligence Model. A structured grammar for describing adversary infrastructure chains and the repeatable patterns behind them, filling the gap between short-lived IOCs on one side and endpoint behavior frameworks on the other.

https://iim.malwarebox.eu
GitHub

IIM GitHub

The public model repository for IIM specifications, schemas, examples, and reference material.

https://github.com/MalwareboxEU/IIM
Workbench

IIM Workbench Web

Web workspace for building, validating, visualizing, and exporting IIM chains and patterns.

https://workbench.iim.malwarebox.eu/
GitHub

IIM Workbench GitHub

Source code for the local and web-based workbench around the Infrastructure Intelligence Model.

https://github.com/MalwareboxEU/IIM-Workbench
IIMQL

IIMQL Website

The query language for adversary infrastructure. Built to search infrastructure chains, roles, relations, techniques, and patterns without pretending that flat IOC search is enough.

https://iimql.malwarebox.eu
GitHub

IIMQL GitHub

Public repository for the IIMQL language, examples, documentation, and implementation work.

https://github.com/MalwareboxEU/IIMQL
ACDP

ACDP Website

Actor-Centric Defensive Prioritization. Defensive focus based on adversary relevance, not dashboard theater.

https://acdp.malwarebox.eu
Whitepaper

ACDP Whitepaper

The paper behind ACDP and its approach to prioritizing defensive work around relevant threat actors.

https://github.com/MalwareboxEU/ACDP/blob/main/acdp-paper.pdf
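To make concrete what the IIM and IIMQL entries above mean by chains, roles, relations and patterns as opposed to flat IOC search, here is an added illustration in Python. It is not Malwarebox, IIM or IIMQL code and uses none of their syntax: the `Chain` and `Pattern` types, the role names (lure, redirector, loader, c2), the hostnames and the campaign labels are all hypothetical and constructed for this example, and the ATT&CK technique IDs serve only as labels. The point it demonstrates is that a rotated campaign shares no indicators with its earlier wave, so an IOC lookup misses it, while a pattern abstracted from the first wave (role order plus techniques) still matches.

```python
"""Chain-level vs flat-IOC matching over constructed campaign data.

Added illustration only: not Malwarebox / IIM / IIMQL code. Roles, relation
semantics, hostnames and campaign names are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Chain:
    """One observed delivery chain: ordered hops of (role, indicator) plus techniques."""
    name: str
    hops: list  # list of (role, indicator) in hop order, e.g. ("lure", "login.example")
    techniques: set = field(default_factory=set)

    def indicators(self):
        return {ioc for _, ioc in self.hops}

    def roles(self):
        return tuple(role for role, _ in self.hops)


@dataclass(frozen=True)
class Pattern:
    """Structural pattern: a role sequence that must appear in order, plus required techniques."""
    roles: tuple
    techniques: frozenset


def pattern_of(chain):
    """Abstract an observed chain into a reusable pattern by dropping the rotating IOCs."""
    return Pattern(chain.roles(), frozenset(chain.techniques))


def flat_ioc_match(chain, known_iocs):
    """Classic IOC lookup: does the chain share any indicator with the known set?"""
    return bool(chain.indicators() & set(known_iocs))


def _in_order(needle, haystack):
    """True if every item of `needle` occurs in `haystack`, in the same relative order."""
    it = iter(haystack)
    return all(any(h == n for h in it) for n in needle)


def pattern_match(chain, pattern):
    """Structural match: same role ordering (extra hops allowed) and all required techniques."""
    return _in_order(pattern.roles, chain.roles()) and pattern.techniques <= chain.techniques


def pivot(chains, indicator):
    """Relation query: in which chains does this indicator appear, and in what role?"""
    return sorted((c.name, role) for c in chains for role, ioc in c.hops if ioc == indicator)


# Constructed sample data (hypothetical hostnames). Week 2 is the same build as week 1
# with every host rotated and one extra redirector; the third chain is unrelated noise
# that happens to share one host with week 2.
WEEK1 = Chain("campaign-A-week1",
              [("lure", "invoice-login.example"), ("redirector", "cdn-edge-1.example"),
               ("loader", "static-files-1.example"), ("c2", "api-sync-1.example")],
              {"T1566.002", "T1105"})
WEEK2 = Chain("campaign-A-week2",
              [("lure", "invoice-portal.example"), ("redirector", "cdn-edge-7.example"),
               ("redirector", "cdn-edge-8.example"), ("loader", "static-files-9.example"),
               ("c2", "api-sync-4.example")],
              {"T1566.002", "T1105"})
NOISE = Chain("unrelated-lure",
              [("lure", "promo-site.example"), ("c2", "api-sync-4.example")],
              {"T1566.002"})
CHAINS = [WEEK1, WEEK2, NOISE]


def demo():
    """Run both search styles against the sample and return what each one finds."""
    known = WEEK1.indicators()          # what an IOC feed built from week 1 would contain
    pattern = pattern_of(WEEK1)         # what a chain-level model keeps from week 1
    return {
        "flat_hits": [c.name for c in CHAINS if flat_ioc_match(c, known)],
        "pattern_hits": [c.name for c in CHAINS if pattern_match(c, pattern)],
        "pivot_api_sync_4": pivot(CHAINS, "api-sync-4.example"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The flat lookup finds only the week 1 chain it was built from; the pattern finds both waves of the campaign and rejects the unrelated chain because its shape (lure straight to c2, no loader) and technique set differ. The pivot shows the other half of the idea: a single shared host links the noise chain to week 2, but the role it plays and the surrounding structure say whether that link means anything.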
