InterLock: full tooling teardown of a ransomware operation
#Interlock #NodeSnake
https://www.derp.ca/research/interlock-tooling-teardown/

Static analysis of 15 InterLock samples: ScreenConnect delivery, NodeSnake implants in three languages, a shared crypter, and dual-platform ransomware.

Derp
#ESETresearch detected a recent intrusion at the University of Warsaw consistent with the #Interlock ransomware gang. Thanks to early warning from our experts and the university's swift cooperation, the attack was disrupted before encryptors could be deployed. https://www.eset.com/pl/about/newsroom/press-releases/news/to-analitycy-eset-zidentyfikowali-atak-na-uniwersytet-warszawski/
According to our investigation, the artifacts and infrastructure overlap with Interlock activity. We observed the use of #NodeSnake RAT and Interlock RAT, both of which are referenced in CISA’s #StopRansomware advisory. https://www.cisa.gov/sites/default/files/2025-07/aa25-203a-stopransomware-interlock-072225.pdf
The intrusion is a continuation of the threat actor's campaign described in the April 2025 Quorum Cyber report, using an updated toolset. Our telemetry shows the actor targeted the education vertical in additional regions as well. https://www.quorumcyber.com/wp-content/uploads/2025/04/20250416-Higher-Education-Sector-RAT-MP.pdf
New in this campaign, we saw an updated, more-heavily-obfuscated NodeSnake RAT build. The updated version leverages WebSocket instead of the previously used HTTP. C&C infrastructure remains proxied mostly over Cloudflare’s *.trycloudflare[.]com infrastructure.
NodeSnake RAT was used to deliver its own updates and additional payloads including the legitimate tool AzCopy (for exfiltration), a PowerShell SystemBC proxy and a ConnectWise MSI installer (RMM).
Interlock RAT (adobe.log) is executed via a scheduled task, Microsoft\Windows\Defrag\ScheduledDefrg, masquerading as the built-in defragmentation task.
IoCs:
Interlock RAT
CEB69DFDD768AA08B86F1D5628BD3A38C1FE8C1F
Interlock RAT C&Cs:
172.86.68[.]64
23.227.203[.]123
77.42.75[.]119
NodeSnake C&Cs:
deserve-coordinated-fairy-tier.trycloudflare[.]com
survey-tennessee-blind-corners.trycloudflare[.]com
dvd-diagnostic-oakland-signals.trycloudflare[.]com
practitioners-ons-boom-utc.trycloudflare[.]com
donnellykilbakk[.]cc
PowerShell SystemBC C&C:
91.99.97[.]247
ConnectWise C&C:
partyglacierhip[.]top
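A worked hunt over the indicators in the post above, added here as an example; this is not ESET's code or tooling. It refangs the IoCs, matches DNS queries, destination IPs and file hashes against them, and flags any scheduled task registered in the Microsoft\Windows\Defrag folder whose name is not the legitimate ScheduledDefrag (the post reports ScheduledDefrg, one letter short). The key=value log format and the sample log lines are constructed for the example and do not correspond to any real SIEM schema. Unlisted *.trycloudflare.com queries are reported at low confidence only, because trycloudflare is a legitimate service and the post says C&C is merely proxied through it.

```python
import re

def refang(s: str) -> str:
    """Turn defanged indicators ('[.]') back into matchable strings."""
    return s.replace("[.]", ".")

# Indicators copied from the ESET post above.
NODESNAKE_C2_DOMAINS = {refang(d) for d in (
    "deserve-coordinated-fairy-tier.trycloudflare[.]com",
    "survey-tennessee-blind-corners.trycloudflare[.]com",
    "dvd-diagnostic-oakland-signals.trycloudflare[.]com",
    "practitioners-ons-boom-utc.trycloudflare[.]com",
    "donnellykilbakk[.]cc",
)}
CONNECTWISE_C2_DOMAINS = {refang("partyglacierhip[.]top")}
INTERLOCK_RAT_C2_IPS = {refang(ip) for ip in ("172.86.68[.]64", "23.227.203[.]123", "77.42.75[.]119")}
SYSTEMBC_C2_IPS = {refang("91.99.97[.]247")}
INTERLOCK_RAT_SHA1 = {"ceb69dfdd768aa08b86f1d5628bd3a38c1fe8c1f"}

# Windows ships "\Microsoft\Windows\Defrag\ScheduledDefrag"; the post reports
# the actor registering "ScheduledDefrg" in the same task folder.
DEFRAG_FOLDER = "\\Microsoft\\Windows\\Defrag\\"
LEGIT_DEFRAG_TASK = DEFRAG_FOLDER + "ScheduledDefrag"

# Constructed key=value log format (assumption for this example, not a real schema).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify_dns(query: str):
    q = query.lower().rstrip(".")
    if q in NODESNAKE_C2_DOMAINS:
        return ("high", "NodeSnake C2 domain")
    if q in CONNECTWISE_C2_DOMAINS:
        return ("high", "ConnectWise C2 domain")
    if q.endswith(".trycloudflare.com"):
        # Legitimate tunnelling service: a lead to pivot on, not a verdict.
        return ("low", "unlisted trycloudflare tunnel")
    return None

def classify_ip(dst: str):
    if dst in INTERLOCK_RAT_C2_IPS:
        return ("high", "Interlock RAT C2 IP")
    if dst in SYSTEMBC_C2_IPS:
        return ("high", "SystemBC C2 IP")
    return None

def classify_task(path: str):
    """Flag lookalike tasks parked in the Defrag folder (task paths are case-insensitive)."""
    p = path.strip()
    if not p.startswith("\\"):
        p = "\\" + p
    if p.lower().startswith(DEFRAG_FOLDER.lower()) and p.lower() != LEGIT_DEFRAG_TASK.lower():
        return ("high", f"lookalike task in Defrag folder: {p}")
    return None

def classify_hash(sha1: str):
    if sha1.lower() in INTERLOCK_RAT_SHA1:
        return ("high", "Interlock RAT sample (SHA-1)")
    return None

def scan(lines):
    """Return (host, confidence, reason) for every log line that matches."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        kind = rec.get("kind")
        hit = None
        if kind == "dns":
            hit = classify_dns(rec.get("query", ""))
        elif kind == "net":
            hit = classify_ip(rec.get("dst", ""))
        elif kind == "task":
            hit = classify_task(rec.get("path", ""))
        elif kind == "file":
            hit = classify_hash(rec.get("sha1", ""))
        if hit:
            findings.append((rec.get("host", "?"), hit[0], hit[1]))
    return findings

# Constructed sample log for the example (not real telemetry).
SAMPLE_LOG = [
    "kind=dns host=WS01 query=deserve-coordinated-fairy-tier.trycloudflare.com",
    "kind=dns host=WS01 query=updates.example.com",
    "kind=dns host=WS02 query=some-other-words-here.trycloudflare.com",
    "kind=net host=WS01 dst=23.227.203.123 dport=443",
    "kind=net host=WS03 dst=91.99.97.247 dport=443",
    r'kind=task host=WS01 path="\Microsoft\Windows\Defrag\ScheduledDefrg"',
    r'kind=task host=WS04 path="\Microsoft\Windows\Defrag\ScheduledDefrag"',
    "kind=file host=WS01 sha1=CEB69DFDD768AA08B86F1D5628BD3A38C1FE8C1F",
]

if __name__ == "__main__":
    for host, conf, reason in scan(SAMPLE_LOG):
        print(f"{host:5} {conf:4} {reason}")
```

The task check deliberately compares the full path rather than the bare name, so a genuine ScheduledDefrag task is never flagged while any other name in that folder is; in an environment that has legitimately added tasks there, allowlist them by extending the comparison rather than loosening it.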

----------------

🔍 Threat Intelligence
===================

Overview

IBM X-Force observed Hive0163 deploying a PowerShell backdoor called Slopoly during a ransomware intrusion in early 2026. Researchers characterize Slopoly as AI-assisted or likely LLM-generated based on its structure and extensive commented code. The actor used Slopoly to maintain persistent access for over a week while deploying additional tooling and final ransomware payloads.

Technical findings
• Slopoly: A PowerShell-based C2 client that collects system data, sends heartbeat beacons to a remote server, executes commands via cmd.exe, and establishes persistence through a scheduled task. The code comments and structure strongly suggest AI assistance in development.
• NodeSnake: Identified as the first-stage component in a larger C2 framework used by Hive0163; observed across multiple languages and platforms (PowerShell, PHP, C/C++, Java, JavaScript) and used to download follow-on payloads.
• Windows Interlock ransomware: A 64-bit PE deployed via the JunkFiction loader, supporting arguments for directory/file targeting, self-deletion, scheduled task execution, file release, and external session key storage. Encryption uses per-file AES-GCM with RSA-protected session keys and leaves FIRST_READ_ME.txt as the ransom note. The ransomware leverages the Restart Manager API to stop processes and uses an embedded DLL invoked via rundll32.exe for self-deletion.
• Ancillary tools: Observed use of AzCopy and Advanced IP Scanner to expand access and perform lateral movement.

Observed intrusion chain
• 🎣 Initial Access: ClickFix malvertising or broker-assisted access (TA569, TAG-124) that led to a malicious PowerShell command execution.
• 📦 Download: NodeSnake and additional payloads fetched to the compromised host.
• ⚙️ Execution: PowerShell script execution of NodeSnake and loaders such as JunkFiction.
• 🛡️ Persistence: Deployment of Slopoly as a scheduled task providing ongoing C2 heartbeats and remote command execution.
• 🦠 Ransomware Deployment: Final payloads including InterlockRAT capabilities and Windows Interlock ransomware encryption routines.

Conclusions reported

IBM X-Force frames this activity as an example of how advanced LLMs lower the bar for malware development and enable rapid creation of operational tools. The report highlights acceleration of adversarial AI use and anticipates more agentic or AI-integrated malware in future campaigns.

🔹 #Slopoly #Hive0163 #InterlockRAT #NodeSnake #WindowsInterlock

🔗 Source: https://securityaffairs.com/189378/malware/ai-assisted-slopoly-malware-powers-hive0163s-ransomware-campaigns.html

AI-assisted Slopoly malware powers Hive0163’s ransomware campaigns

The Hive0163 group used AI-assisted malware called Slopoly to maintain persistent access in ransomware attacks.

Security Affairs

NEW - 🚨 Interlock ransomware linked to new NodeSnake RAT variant attacks against UK universities and government agencies.

Read: https://hackread.com/interlock-ransomware-new-nodesnake-rat-in-uk-attacks/

#CyberSecurity #CyberAttack #Interlock #Ransomware #Infosec #NodeSnake

Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks


Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto

UK universities are facing a stealthy threat—a new Remote Access Trojan called NodeSnake is making waves by silently infiltrating networks and exfiltrating prized research. How safe is your data?

https://thedefendopsdiaries.com/nodesnake-rat-a-new-cybersecurity-threat-in-higher-education/

#nodesnake
#cybersecurity
#highereducation
#ransomware
#infosec