NodeSnake
NodeSnake is a persistent remote access trojan (RAT)/backdoor family associated with the financially motivated threat actor Hive0163 and the Interlock ransomware operation. It has been observed in intrusions linked to ClickFix social engineering and was deployed on the networks of multiple U.K. universities. In reported attack chains, victims were tricked into running a PowerShell command that downloaded NodeSnake as an initial-stage implant; NodeSnake then established persistence, executed shell commands, and retrieved and launched additional components, including Interlock RAT, with later stages sometimes involving Slopoly and ultimately Interlock ransomware.
The malware exists in multiple implementations, including a 74 KB JavaScript variant for Node.js, Java JAR variants bundling Tyrus and Grizzly, and native C++/PE binaries wrapped in crypter shells. Across these variants, reporting describes a shared command-and-control framework with RC4-encrypted WebSocket communications, a common initialize prefix, and an 8-field host profiling format. NodeSnake uses disposable Cloudflare Tunnel endpoints as WebSocket relays and also falls back to hardcoded C2 IP addresses. The JavaScript implant supports interactive shell access, one-shot command execution, SOCKS5 proxying, file transfer, self-update, self-delete, and operator-controlled sleep/disconnect behavior. The native PE variant adds TCP tunneling, thread execution hijacking, anti-debugging checks, DLL execution via rundll32.exe, and privilege-aware behavior.
Observed infrastructure and indicators named directly in the sourced reports include the hardcoded C2 IPs 172.86.68.64, 23.227.203.123, and 77.42.75.119. One report also describes a Node.js-based backdoor variant connecting to C2 via HTTP POST requests. NodeSnake is described as part of a broader Hive0163/Interlock malware ecosystem spanning PowerShell, PHP, C/C++, Java, and JavaScript, supporting Windows and Linux environments and enabling reverse shell access, SOCKS5 tunneling, remote command execution, and delivery of follow-on payloads.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
The Interlock ransomware gang has been exploiting a maximum severity remote code execution (RCE) vulnerability in Cisco's Secure Firewall Management Center (FMC) software in zero-day attacks since late January. Cisco patched the security flaw (CVE-2026-20131) on March 4, warning that it could allow unauthenticated attackers to remotely execute arbitrary Java code as root on unpatched devices.
Groups observed using it
2 distinct threat actors attributed by public researchers.
"The Interlock ransomware group has deployed a previously undocumented JavaScript remote access trojan called NodeSnake..."
The attack in itself is said to have leveraged the ClickFix social engineering tactic to trick the victim into running a PowerShell command, which then downloads NodeSnake, a known malware attributed to Hive0163. A first-stage component, NodeSnake, is designed to run shell commands, establish persistence, and retrieve and launch a wider malware framework referred to as Interlock RAT.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
The Interlock ransomware operation surfaced in September 2024 and has been linked to ClickFix and to malware attacks in which the group deployed a remote access trojan called NodeSnake on the networks of multiple U.K. universities.
Initial access is often via ClickFix, malvertising, or brokers like TA569 and TAG-124.
The attack in itself is said to have leveraged the ClickFix social engineering tactic to trick the victim into running a PowerShell command, which then downloads NodeSnake.
Execution
4 techniques
The Java variant adds two features... The UpdateThread creates a self-deleting scheduled task... Like the Java variant, the PE uses self-deleting scheduled tasks... A daily scheduled task runs the ransomware at 20:00 as SYSTEM.
The attack in itself is said to have leveraged the ClickFix social engineering tactic to trick the victim into running a PowerShell command, which then downloads NodeSnake.
TERMINAL (0xa0): interactive cmd.exe shell.
TERMINAL_COMMAND (0xa1): one-shot cmd.exe /c... output to C:\Users\Public\<random>.txt
Researchers from IBM X-Force observed an intrusion starting with a ClickFix attack that tricked a victim into executing a malicious PowerShell command.
Persistence
2 techniques
The Java variant adds two features... The UpdateThread creates a self-deleting scheduled task... Like the Java variant, the PE uses self-deleting scheduled tasks... A daily scheduled task runs the ransomware at 20:00 as SYSTEM.
Privilege Escalation
2 techniques
The Java variant adds two features... The UpdateThread creates a self-deleting scheduled task... Like the Java variant, the PE uses self-deleting scheduled tasks... A daily scheduled task runs the ransomware at 20:00 as SYSTEM.
Stealth
4 techniques
Thread execution hijacking: uses SetThreadContext / GetThreadContext to inject into running threads.
DELETE (0x0c): fs.rmSync(__filename)... If the counter passes 40, the implant deletes itself... self-deleting scheduled task... --delete (self-delete after encryption)
DLL execution: loads payloads via rundll32.exe ... rundll32.exe %s,run %s
Discovery
2 techniques
On connection, the implant collects and sends eight fields... OS version via PowerShell systeminfo /FO CSV... hostname... username...
Command and Control
6 techniques
The PowerShell script functions as a full-fledged backdoor that can beacon a heartbeat message containing system information to a C2 server every 30 seconds, poll for a new command every 50 seconds, execute it via "cmd.exe," and relay the results back to the server.
The implant connects over ws:// and rotates across nine Cloudflare Tunnel domains plus three fallback IP addresses... All three tiers use the same transport protocol... RC4-encrypted WebSocket framing.
Operator commands. The implant supports 12 message types: SOCKS5 (0x05): SOCKS5 proxy... The native implant runs a multi-threaded design: SocksThread (SOCKS4 proxy handler), Socks5Thread (SOCKS5 proxy handler).
The C2 infrastructure runs through free Cloudflare Tunnel endpoints as disposable WebSocket relays, falling back to hardcoded IPs on hosting providers.
The native variant adds several features not present in the scripted tiers: TCP tunnel relay (TcpTunnel): forwards arbitrary TCP connections through the implant, allowing the operator to reach internal hosts.
FILE_PUT_SOCKS (0x22): write operator-supplied file... UPDATE (0xe0): overwrite self, relaunch via process.execPath... WriteFileThread: file upload from operator
Exfiltration
1 technique
FILE_GET_SOCKS (0x21): stream local file to operator
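A hunting routine, added here as an illustration and not taken from any of the cited reports, that checks constructed endpoint and network events for the behaviours listed under Execution, Persistence, Stealth and Command and Control above: one-shot cmd.exe /c output into C:\Users\Public, a daily 20:00 SYSTEM scheduled task, rundll32.exe ...,run loads, connections to the three fallback C2 IPs, and a 30-second heartbeat cadence. The event schema, host names, command lines and timestamps are constructed assumptions.

```python
import re

# Hardcoded fallback C2 addresses named in the profile above.
NODESNAKE_FALLBACK_C2 = {"172.86.68.64", "23.227.203.123", "77.42.75.119"}
# Process-creation patterns derived from the technique notes above.
PROCESS_RULES = [
    ("oneshot_cmd_public_output",
     re.compile(r"cmd\.exe\s+/c\b.*>\s*C:\\Users\\Public\\[^\\]+\.txt", re.I)),
    ("rundll32_run_export", re.compile(r"rundll32\.exe\s+\S+,\s*run\b", re.I)),
    ("daily_2000_system_task",
     re.compile(r"schtasks(?=.*/sc\s+daily)(?=.*/st\s+20:00)(?=.*/ru\s+system)", re.I)),
]

def hunt(events, heartbeat=30, jitter=2):
    """Return (host, rule, evidence) hits over event dicts using the assumed schema
    {"type","host","ts"(epoch s)} plus "cmdline" for process or "dst" for network events."""
    hits, seen_c2, by_peer = [], set(), {}
    for ev in events:
        if ev["type"] == "process":
            for name, rx in PROCESS_RULES:
                if rx.search(ev["cmdline"]):
                    hits.append((ev["host"], name, ev["cmdline"]))
        elif ev["type"] == "network":
            key = (ev["host"], ev["dst"])
            if ev["dst"] in NODESNAKE_FALLBACK_C2 and key not in seen_c2:
                seen_c2.add(key)
                hits.append((ev["host"], "known_fallback_c2", ev["dst"]))
            by_peer.setdefault(key, []).append(ev["ts"])
    # Heartbeat cadence: three or more connections to one peer at ~30 s intervals.
    for (host, dst), times in by_peer.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and all(abs(g - heartbeat) <= jitter for g in gaps):
            hits.append((host, "heartbeat_cadence", dst))
    return hits

# Constructed sample telemetry (not real logs); "lab-ws1"/"lab-ws2" are hypothetical hosts.
P, N = "process", "network"
SAMPLE_EVENTS = [
    {"type": P, "host": "lab-ws1", "ts": 0, "cmdline": r"cmd.exe /c whoami > C:\Users\Public\ab12cd.txt"},
    {"type": P, "host": "lab-ws1", "ts": 5,
     "cmdline": r"schtasks /create /tn Updater /sc daily /st 20:00 /ru SYSTEM /tr C:\Users\Public\u.exe"},
    {"type": P, "host": "lab-ws1", "ts": 9, "cmdline": r"rundll32.exe C:\Users\Public\p.dll,run arg"},
    {"type": P, "host": "lab-ws1", "ts": 12, "cmdline": r"cmd.exe /c dir > C:\Temp\out.txt"},  # no hit
    {"type": N, "host": "lab-ws1", "ts": 20, "dst": "77.42.75.119"},
    {"type": N, "host": "lab-ws1", "ts": 50, "dst": "77.42.75.119"},
    {"type": N, "host": "lab-ws1", "ts": 81, "dst": "77.42.75.119"},
    {"type": N, "host": "lab-ws2", "ts": 0, "dst": "10.0.0.5"},
]
```

Running hunt(SAMPLE_EVENTS) yields five hits, all on lab-ws1; the cadence check fires independently of the IP list, so it still flags a 30-second beacon to an address not yet known.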
IOCs tracked for this family
12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
WebSocket-based persistent backdoor implemented in JavaScript, Java, and native C++. It uses RC4-encrypted message framing, Cloudflare Tunnel and hardcoded IPs for C2, profiles hosts, supports SOCKS proxying, command execution, file transfer, self-update, and in the native PE variant adds TCP tunnelling, thread execution hijacking, anti-debugging, and DLL execution.
A remote access trojan deployed by Interlock on the networks of multiple U.K. universities.
Node.js-based backdoor used early in the intrusion chain to establish access and communicate with command-and-control infrastructure over HTTP POST requests.
Backdoor observed alongside Slopoly and InterlockRAT in attacks leading to deployment of Interlock ransomware.