The Interlock ransomware group, first identified in September 2024, has gained attention in the cybersecurity community for conducting targeted double-extortion operations against organizations across North America and Europe.
Unlike traditional Ransomware-as-a-Service (RaaS) groups, no evidence points to Interlock recruiting affiliates or operating a partner model, and the group maintains a dedicated Data Leak Site (DLS) titled “Worldwide Secrets Blog” for publicizing victim data and facilitating ransom negotiations.

Multi-Stage Attack Chain Using Legitimate Websites
Interlock employs a multi-stage intrusion methodology that begins with the compromise of legitimate websites, repurposed as distribution platforms for fake browser update installers ostensibly for Google Chrome and Microsoft Edge.
Unsuspecting users downloading these updaters are tricked into launching PyInstaller files that execute Trojanized PowerShell scripts alongside legitimate software.
These scripts initiate a persistent backdoor, gathering extensive system information and communicating with remote command-and-control (C2) servers via obfuscated HTTP requests.
The PowerShell backdoor operates with failover mechanisms, cycling through a list of both domain and direct IP-based C2 endpoints.
Initial data gathering includes system details, user privilege levels, running services and processes, network information, and drive mapping.
According to the report, this information is XOR-encrypted and compressed before exfiltration, and the C2 can respond by deploying additional payloads, either as executables or as DLLs executed stealthily.
In early 2025, the group integrated the so-called “ClickFix” technique, leveraging advanced social engineering.
Malicious web pages presented phony access issues or CAPTCHA challenges, guiding users to paste attacker-controlled PowerShell commands into the Windows Run dialog, thereby bypassing automated defenses.

This method deployed either the aforementioned PyInstaller fake updaters or obfuscated PowerShell loaders, sometimes using legitimate Node.js binaries to execute secondary payloads.
A notable operational evolution includes the brief shift in initial lures from browser updates to security software updaters, indicating ongoing experimentation with infection vectors.
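Both initial-access paths described above end the same way: a PowerShell process is started by something that should rarely start one, either a user-downloaded "browser update" installer (the report cites a ChromeSetup.exe lure) or the Run dialog, which is hosted by explorer.exe. The following heuristic, added here as an example and not taken from the report or any vendor detection, scans constructed process-creation events for those two parent/child patterns. The event field names, the installer-name pattern and the user-folder list are assumptions chosen for illustration.

```python
"""Heuristic triage of process-creation events for the Interlock initial-access
patterns: fake browser-update installer -> PowerShell, and Run dialog (explorer.exe)
-> PowerShell that reaches out to the web. Added example; event shape is assumed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process (assumed field)
    image: str          # full path of the created process (assumed field)
    command_line: str   # command line of the created process (assumed field)


# Executable names a fake browser-update installer would plausibly carry
# (the report names ChromeSetup.exe; the broader pattern is an assumption).
LURE_NAMES = re.compile(r"(chrome|edge|msedge)[a-z]*(setup|update)[a-z]*\.exe$", re.I)
# Folders a user-downloaded installer typically lands in (assumption).
USER_DIRS = re.compile(r"\\(downloads|temp|appdata)\\", re.I)
PS_NAMES = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
# Signs that a pasted command fetches something from the web.
WEB_FETCH = re.compile(r"https?://|\biwr\b|invoke-webrequest|downloadstring|downloadfile|\bcurl\b", re.I)


def classify(ev: ProcEvent):
    """Return a tag for a suspicious PowerShell launch, or None for everything else."""
    if not PS_NAMES.search(ev.image):
        return None
    # Path 1: installer with a browser-update name, run from a user folder, spawns PowerShell.
    if LURE_NAMES.search(ev.parent_image) and USER_DIRS.search(ev.parent_image):
        return "fake-updater-spawned-powershell"
    # Path 2: Run dialog (explorer.exe) spawns PowerShell whose command line fetches from the web.
    if ev.parent_image.lower().endswith("\\explorer.exe") and WEB_FETCH.search(ev.command_line):
        return "clickfix-run-dialog-powershell"
    return None


def scan(events):
    """Return (event, tag) pairs for every event that matches one of the heuristics."""
    return [(ev, tag) for ev in events if (tag := classify(ev))]


# Constructed sample events; hostnames and paths are illustrative only.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\Downloads\ChromeSetup.exe", PS,
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\update.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell -c "iwr https://example.invalid/check"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS, "powershell Get-Date"),            # routine admin use
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Users\alice\Downloads\ChromeSetup.exe",
              r"C:\Users\alice\AppData\Local\Temp\_MEI4\python.exe", "python.exe"),  # not PowerShell
]

if __name__ == "__main__":
    for ev, tag in scan(SAMPLE_EVENTS):
        print(f"{tag}: {ev.parent_image} -> {ev.image}")
```

The two rules deliberately stay narrow: a real browser installer launching PowerShell, or the Run dialog launching PowerShell with a URL on its command line, are both rare enough in most fleets to be worth an analyst's look, while ordinary cmd.exe or scheduler-driven PowerShell is left alone.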
Payloads Include Custom RATs, Credential Stealers, and Ransomware
While early C2 activity often results in shutdown commands, intercepted payload analysis confirms deployment of credential-stealing malware (LummaStealer, BerserkStealer), keyloggers, and a proprietary Remote Access Trojan (Interlock RAT).
The latter communicates via raw TCP sockets over port 443, uses custom encryption, and is capable of file download/upload, command execution, persistence management, and lateral movement.
Interlock deploys ransomware variants targeting both Windows and, previously, Linux systems.
The Windows payload uses AES encryption (via LibTomCrypt), appends unique extensions (.interlock, .!NT3R10CK), and leaves ransom notes emphasizing legal repercussions for data leak non-compliance.
After encryption, self-deletion routines and scheduled tasks are initiated for ongoing system disruption.
Interlock’s campaigns demonstrate continuous development and tactical adaptation, leveraging both technical and psychological manipulation to bypass enterprise defenses.
Their selective, opportunistic targeting and preference for stealth over scale signal a persistent, evolving threat.
Security teams are urged to review published IoCs, monitor for related network activity, and educate users about the dangers of unsolicited software updates and deceptive website prompts.
Active defense and comprehensive monitoring remain critical against such multi-stage attacks.
Indicators of Compromise (IoCs)
Comprehensive IoC data has been compiled, highlighting the breadth and sophistication of Interlock’s infrastructure:
| Category | Indicator | Note |
|---|---|---|
| Malicious payload hash (SHA-256) | 576d07cc8919c68914bf08663e0afd00d9f9fbf5263b5cccbded5d373905a296 | Fake Updater |
| Malicious payload hash (SHA-256) | 1105a3050e6c842fb9411d4f21fd6fdb119861c15f7743e244180a4e64b19b83 | Interlock RAT |
| C2 domain | trycloudflare[.]com | various subdomains |
| C2 IP | 216.245.184[.]181 | |
| C2 IP | 212.237.217[.]182 | |
| Compromised URL | http://topsportracing[.]com/wp-25 | |
| Compromised URL | https://apple-online[.]shop/ChromeSetup.exe | |
| ClickFix-enabled page | https://advanceipscaner[.]com/additional-check.html | similar domains serve the same malicious scripts |
| YARA rules | available for Interlock's PowerShell backdoor, crypter artifacts, and loader behavior patterns | |
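The indicators above are published defanged (`[.]`), and two of them are not simple string matches: trycloudflare[.]com covers any subdomain, and the compromised URLs are worth matching on their host as well as the exact path. The script below, added here as an example rather than a tool from the report, keeps the indicators in their defanged form, refangs them only in memory, and checks them against constructed proxy-log lines; the `key=value` log format and the field names (`dst`, `url`, `sha256`) are assumptions.

```python
"""Match the published Interlock indicators against constructed proxy-log lines.
Added example; the log format and field names are assumptions."""
import re
from urllib.parse import urlparse

# Indicators exactly as published (defanged). Sample log lines below are constructed.
IOC_HASHES = {
    "576d07cc8919c68914bf08663e0afd00d9f9fbf5263b5cccbded5d373905a296": "Fake Updater",
    "1105a3050e6c842fb9411d4f21fd6fdb119861c15f7743e244180a4e64b19b83": "Interlock RAT",
}
IOC_IPS_DEFANGED = {"216.245.184[.]181", "212.237.217[.]182"}
IOC_URLS_DEFANGED = {
    "http://topsportracing[.]com/wp-25",
    "https://apple-online[.]shop/ChromeSetup.exe",
    "https://advanceipscaner[.]com/additional-check.html",
}


def refang(value: str) -> str:
    """Turn the defanged form back into a comparable string (in memory only)."""
    return value.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}
IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}
# trycloudflare.com matches any subdomain; hosts of the listed URLs are also treated as domain IoCs.
IOC_DOMAINS = {"trycloudflare.com"} | {urlparse(u).hostname for u in IOC_URLS}

LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Parse a space-separated key=value log line (assumed format)."""
    return dict(LOG_FIELD.findall(line))


def domain_hit(host: str):
    """Return the matching IoC domain if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def match_line(line: str) -> list:
    """Return (kind, value) hits for one log line; an empty list means no indicator matched."""
    fields = parse(line)
    hits = []
    if fields.get("dst") in IOC_IPS:
        hits.append(("ip", fields["dst"]))
    url = fields.get("url")
    if url:
        dom = domain_hit(urlparse(url).hostname or "")
        if dom:
            hits.append(("domain", dom))
        if url in IOC_URLS:
            hits.append(("url", url))
    digest = fields.get("sha256", "").lower()
    if digest in IOC_HASHES:
        hits.append(("hash", IOC_HASHES[digest]))
    return hits


# Constructed sample lines; 198.51.100.0/24 is a documentation range, not a real IoC.
SAMPLE_LOG = [
    "ts=2025-03-04T10:11:12Z src=10.0.0.17 dst=216.245.184.181 url=https://216.245.184.181/api",
    "ts=2025-03-04T10:12:40Z src=10.0.0.21 dst=198.51.100.7 url=https://purple-river-xyz.trycloudflare.com/",
    "ts=2025-03-04T10:13:05Z src=10.0.0.33 dst=198.51.100.9 url=https://apple-online.shop/ChromeSetup.exe "
    "sha256=576D07CC8919C68914BF08663E0AFD00D9F9FBF5263B5CCCBDED5D373905A296",
    "ts=2025-03-04T10:14:00Z src=10.0.0.40 dst=198.51.100.10 url=https://www.example.com/",
    "ts=2025-03-04T10:15:30Z src=10.0.0.41 dst=198.51.100.11 url=https://nottrycloudflare.com/",  # look-alike, no hit
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for kind, value in match_line(line):
            print(f"{kind:6} {value}  <- {line}")
```

The last sample line is the edge case that matters for the trycloudflare entry: suffix matching must be anchored at a label boundary, otherwise any host that merely ends in the string would fire.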