RedPacket Security[INTERLOCK] - Ransomware Victim: Goodwill - https://www.redpacketsecurity.com/interlock-ransomware-victim-goodwill/
#interlock #dark_web #data_breach #OSINT #ransomware #threatintel #tor
RansomLook
The Threat CodexInterLock: full tooling teardown of a ransomware operation
#Interlock #NodeSnake
https://www.derp.ca/research/interlock-tooling-teardown/
#Interlock #NodeSnake
https://www.derp.ca/research/interlock-tooling-teardown/
ESET Research#ESETresearch detected a recent intrusion at a University of Warsaw consistent with #Interlock ransomware gang. Thanks to early warning from our experts and the university's swift cooperation, the attack was disrupted before encryptors could be deployed. https://www.eset.com/pl/about/newsroom/press-releases/news/to-analitycy-eset-zidentyfikowali-atak-na-uniwersytet-warszawski/
According to our investigation, the artifacts and infrastructure overlap with Interlock activity. We observed the use of #NodeSnake RAT and Interlock RAT, both of which are referenced in CISA’s #StopRansomware advisory. https://www.cisa.gov/sites/default/files/2025-07/aa25-203a-stopransomware-interlock-072225.pdf
The intrusion is a continuation of the threat actor’s campaign described in the April 2025 QorumCyber report, using an updated toolset. Our telemetry shows the actor targeted the education vertical in additional regions as well. https://www.quorumcyber.com/wp-content/uploads/2025/04/20250416-Higher-Education-Sector-RAT-MP.pdf
New in this campaign, we saw an updated, more-heavily-obfuscated NodeSnake RAT build. The updated version leverages WebSocket instead of the previously used HTTP. C&C infrastructure remains proxied mostly over Cloudflare’s *.trycloudflare[.]com infrastructure.
NodeSnake RAT was used to deliver its own updates and additional payloads including the legitimate tool AzCopy (for exfiltration), a PowerShell SystemBC proxy and a ConnectWise MSI installer (RMM).
Interlock RAT (adobe.log) is executed via a scheduled task Microsoft\Windows\Defrag\ScheduledDefrg, masquerading as a defragmentation task.
IoCs:
Interlock RAT
CEB69DFDD768AA08B86F1D5628BD3A38C1FE8C1F
Interlock RAT C&Cs:
172.86.68[.]64
23.227.203[.]123
77.42.75[.]119
NodeSnake C&Cs:
deserve-coordinated-fairy-tier.trycloudflare[.]com
survey-tennessee-blind-corners.trycloudflare[.]com
dvd-diagnostic-oakland-signals.trycloudflare[.]com
practitioners-ons-boom-utc.trycloudflare[.]com
donnellykilbakk[.]cc
PowerShell SystemBC C&C:
91.99.97[.]247
ConnectWise C&C:
partyglacierhip[.]top
According to our investigation, the artifacts and infrastructure overlap with Interlock activity. We observed the use of #NodeSnake RAT and Interlock RAT, both of which are referenced in CISA’s #StopRansomware advisory. https://www.cisa.gov/sites/default/files/2025-07/aa25-203a-stopransomware-interlock-072225.pdf
The intrusion is a continuation of the threat actor’s campaign described in the April 2025 QorumCyber report, using an updated toolset. Our telemetry shows the actor targeted the education vertical in additional regions as well. https://www.quorumcyber.com/wp-content/uploads/2025/04/20250416-Higher-Education-Sector-RAT-MP.pdf
New in this campaign, we saw an updated, more-heavily-obfuscated NodeSnake RAT build. The updated version leverages WebSocket instead of the previously used HTTP. C&C infrastructure remains proxied mostly over Cloudflare’s *.trycloudflare[.]com infrastructure.
NodeSnake RAT was used to deliver its own updates and additional payloads including the legitimate tool AzCopy (for exfiltration), a PowerShell SystemBC proxy and a ConnectWise MSI installer (RMM).
Interlock RAT (adobe.log) is executed via a scheduled task Microsoft\Windows\Defrag\ScheduledDefrg, masquerading as a defragmentation task.
IoCs:
Interlock RAT
CEB69DFDD768AA08B86F1D5628BD3A38C1FE8C1F
Interlock RAT C&Cs:
172.86.68[.]64
23.227.203[.]123
77.42.75[.]119
NodeSnake C&Cs:
deserve-coordinated-fairy-tier.trycloudflare[.]com
survey-tennessee-blind-corners.trycloudflare[.]com
dvd-diagnostic-oakland-signals.trycloudflare[.]com
practitioners-ons-boom-utc.trycloudflare[.]com
donnellykilbakk[.]cc
PowerShell SystemBC C&C:
91.99.97[.]247
ConnectWise C&C:
partyglacierhip[.]top
The DFIR ReportThe Flow: A fake "Verify You Are Human" prompt leads to Node.js C2 (interlock RAT), followed by hands-on-keyboard activity where they use vol.exe from \AppData\Local\Temp\ to harvest credentials.
Defender Tip: Monitor for vol.exe or python.exe interacting with memory dump files in user temp folders. If you see Hashdump in your logs and it isn't your IR team... you have a live intrusion.
Want more info? Get in touch!
#CyberSecurity #Ransomware #BlueTeam #DFIR #Interlock #Infosec
securityaffairs#Interlock group exploiting the #CISCO FMC flaw CVE-2026-20131 36 days before disclosure
https://securityaffairs.com/189636/malware/interlock-group-exploiting-the-cisco-fmc-flaw-cve-2026-20131-36-days-before-disclosure.html
#securityaffairs #hacking #malware
https://securityaffairs.com/189636/malware/interlock-group-exploiting-the-cisco-fmc-flaw-cve-2026-20131-36-days-before-disclosure.html
#securityaffairs #hacking #malware
[INTERLOCK] - Ransomware Victim: Delta Manufacturing - https://www.redpacketsecurity.com/interlock-ransomware-victim-delta-manufacturing/
#interlock #dark_web #data_breach #OSINT #ransomware #threatintel #tor
New post from #Interlock : Delta Manufacturing
More at : https://www.ransomlook.io/group/Interlock #Ransomware
More at : https://www.ransomlook.io/group/Interlock #Ransomware
The New Oil#AI-generated #Slopoly #malware used in #Interlock #ransomware attack
[INTERLOCK] - Ransomware Victim: Elliott-Lewis - https://www.redpacketsecurity.com/interlock-ransomware-victim-elliott-lewis/
#interlock #dark_web #data_breach #OSINT #ransomware #threatintel #tor
