Interlock ransomware evolving under the radar


Summary
Interlock is a ransomware intrusion set first observed in September 2024 that conducts Big Game Hunting and double extortion campaigns. Interlock cannot be classified as a “Ransomware-as-a-Service” (RaaS) group, as no advertisements for recruiting affiliates or information about affiliates had been found as of March 2025. Like many other ransomware groups, Interlock operates a Data Leak Site (DLS) called “Worldwide Secrets Blog”, which exposes victims’ data and provides victims with a way to negotiate the ransom price.
Although Interlock operators continue to regularly claim new victims on their DLS, they have published fewer names than the most active ransomware groups currently operating: 24 victims since September 2024, including 6 in 2025. By comparison, groups such as Clop, RansomHub, Akira, Babuk, Lynx, Qilin and Fog each claimed more than one hundred victims in the first quarter of 2025. The companies impacted by the Interlock ransomware span various sectors across North America and Europe, indicating that target selection is primarily opportunistic.
Interlock employs a multi-stage attack chain, starting by compromising legitimate websites that deliver fake browser updates, such as Google Chrome or MS Edge installers. These fake installers execute a PowerShell backdoor facilitating the execution of multiple tools, and ultimately leading to the ransomware payload delivery.
Since the emergence of the Interlock ransomware, the Sekoia Threat Detection & Research (TDR) team has observed its operators evolving, improving their toolset and leveraging new techniques such as ClickFix to deploy the ransomware payload. They have also used new tools such as LummaStealer and BerserkStealer. This report describes the malware and techniques used by Interlock operators and updates the knowledge of this threat following the Talos report of November 2024.
Fake updaters for initial access
Since the emergence of the Interlock ransomware, its operators have been observed using fake updaters hosted on compromised websites to deceive victims into downloading and executing the payload themselves. These installers are in fact PyInstaller files designed to mislead users. When the fake updater is manually launched by the victim, it downloads and executes a legitimate installer matching the impersonated product (a legitimate Google Chrome or MS Edge installer), while also running an embedded PowerShell script that functions as a simple first-stage backdoor.
This PowerShell script operates in an infinite loop, continuously executing HTTP requests to specified hosts, with a failover logic between domain names and IP addresses in case of errors. It gathers system information, communicates with remote hosts, downloads and executes files, and, in recent versions, offers functionality for executing arbitrary commands and establishing persistence.
At launch, the script checks the arguments it was executed with. If only a single argument is provided, it relaunches itself with an additional argument ‘1’ so that it runs detached, without a visible window.
The system information is collected using various PowerShell commands. The following information is collected:
The version of the script, which is stored in a constant
User context (SYSTEM, Admin, or User privileges) using [Security.Principal.WindowsIdentity]::GetCurrent()
System information via systeminfo
Processes and services via tasklist /svc
Active services via Get-Service
Available drives via Get-PSDrive
ARP table via arp -a
After collecting system information, the script applies an XOR operation to the data using a hardcoded key, then compresses it with the Gzip algorithm and prefixes the final buffer with a fixed 32-bit integer.
The formatted system information is sent to the Command-and-Control (C2) server in an HTTP POST request to the /init1234 URL path. The server may respond with “ooff”, which is the terminate command.
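As an added illustration (not code from the report or from the malware), the following Python packs and unpacks a body in the format just described, so that a captured POST body can be decoded for analysis and the “ooff” reply recognised. The XOR key, the value of the 32-bit prefix and its byte order are not published in the report and are placeholders here; the sample system information is constructed.

```python
import gzip
import struct
from itertools import cycle

# Placeholders: the report does not publish the XOR key or the value of the
# fixed 32-bit prefix, so both are assumptions for this example.
XOR_KEY = b"EXAMPLE_KEY_NOT_FROM_REPORT"
PREFIX_VALUE = 0x00000001
TERMINATE_COMMAND = b"ooff"  # the shutdown reply described in the report


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def pack_beacon(system_info: bytes, key: bytes = XOR_KEY, prefix: int = PREFIX_VALUE) -> bytes:
    """Build a body in the order the report gives: XOR, then gzip, then a 4-byte
    prefix. Used here only to construct input for the decoder below.
    Little-endian byte order for the prefix is an assumption."""
    return struct.pack("<I", prefix) + gzip.compress(xor_bytes(system_info, key))


def unpack_beacon(body: bytes, key: bytes = XOR_KEY, expected_prefix: int = PREFIX_VALUE) -> bytes:
    """Reverse the packing: check the prefix, gunzip, then XOR."""
    if len(body) < 4:
        raise ValueError("body shorter than the 4-byte prefix")
    (prefix,) = struct.unpack("<I", body[:4])
    if prefix != expected_prefix:
        raise ValueError(f"unexpected prefix 0x{prefix:08x}")
    try:
        compressed = gzip.decompress(body[4:])
    except (OSError, EOFError) as exc:
        raise ValueError("payload after prefix is not valid gzip") from exc
    return xor_bytes(compressed, key)


def is_terminate_reply(response: bytes) -> bool:
    """True when the C2 answered with the 'ooff' shutdown command."""
    return response.strip() == TERMINATE_COMMAND


# Constructed sample of the kind of text the backdoor collects (not real output).
SAMPLE_SYSTEM_INFO = (
    b"version=11\r\nuser=Admin\r\n"
    b"Host Name: WORKSTATION-01\r\n"
    b"Processes: explorer.exe 1234\r\n"
)

if __name__ == "__main__":
    body = pack_beacon(SAMPLE_SYSTEM_INFO)
    print(f"POST /init1234 body: {len(body)} bytes")
    print(unpack_beacon(body).decode())
    print("terminate:", is_terminate_reply(b"ooff"))
```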
The C2 server can also send a .exe or .dll file (the type is determined by the last byte of the response). The file is decoded using XOR and saved in a randomly named folder within %AppData%. It is then executed directly in the case of a .exe file or via rundll32 in the case of a .dll. Unfortunately, the TDR team was not able to retrieve the payload returned by the C2 server, but multiple files corresponding to the expected response were observed. These files are described further below.
Multiple versions of this PowerShell RAT were observed, from version 1 to version 11. Later versions of the script implement an atst command to establish persistence by creating a HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key that relaunches the script at startup. Version 11 can also receive a Windows command from the C2 and execute it.
In one of the most recently observed PowerShell backdoor samples, the contacted domains are the following:
sublime-forecasts-pale-scored.trycloudflare[.]com
washing-cartridges-watts-flags.trycloudflare[.]com
investigators-boxing-trademark-threatened.trycloudflare[.]com
fotos-phillips-princess-baker.trycloudflare[.]com
casting-advisors-older-invitations.trycloudflare[.]com
complement-parliamentary-chairs-hc.trycloudflare[.]com
C2 domains used by the PowerShell backdoor v7-v9
All observed domains are subdomains from trycloudflare.com, a legitimate Cloudflare service. TryCloudflare enables the creation of tunnels to test applications locally without permanently exposing them to the Internet. By querying trycloudflare.com domains for a response on the /init1234 path, multiple other domains used in similar cases were identified.
The PowerShell script used the following IP addresses as a fallback:
216.245.184[.]181 | AS399629 (BLNWX)
212.237.217[.]182 | AS57043 (Hostkey B.v.)
168.119.96[.]41 | AS24940 (Hetzner Online GmbH)
Backup IP addresses used by the PowerShell backdoor v7-v9
In all observed samples, the PowerShell backdoor has hard-coded backup IP addresses. Eight different clusters of IP addresses have been observed since the beginning of Interlock’s activity. The domains and IP addresses discovered during the investigation are listed in the Indicators section.
The composition of these clusters is noteworthy. In nearly every cluster, one IP address belongs to the BLNWX AS (BitLaunch), a VPS provider that accepts cryptocurrency payments, another to the AS Hetzner Online GmbH, and the third originates from a different AS each time. Spreading the C2 infrastructure across providers in this way may be an effort to make it more resilient to takedown.
In January 2025, the Sekoia TDR team observed a change in the Interlock fake updater. It shifted from a fake browser updater to an updater impersonating security software, with file names such as:
FortiClient.exe
Ivanti-Secure-Access-Client.exe
GlobalProtect.exe
Webex.exe
AnyConnectVPN.exe
Cisco-Secure-Client.exe
zyzoom_antimalware.exe
This new fake updater uses PyInstaller and drops the DLL python313.dll to execute itself. It ends up executing the same PowerShell backdoor.
Adoption of the ClickFix technique for initial access
On 9 January 2025, TDR observed a ClickFix kill chain delivering a fake installer payload associated with Interlock. ClickFix is a social engineering technique in which threat actors manipulate users into executing malicious commands by presenting fake system prompts or CAPTCHA verifications. These prompts guide victims to manually copy and paste malicious PowerShell commands, bypassing automated security measures and leading to malware deployment or system compromise.
This specific ClickFix page was observed on four different URLs, but only the one impersonating Advanced IP Scanner appears to deliver a fake installer; the others execute the PowerShell backdoor via an obfuscated loader.
https://microsoft-msteams[.]com/additional-check.html
https://microstteams[.]com/additional-check.html
https://ecologilives[.]com/additional-check.html
https://advanceipscaner[.]com/additional-check.html
The website asks the user to open the Run dialog with the shortcut “Windows + R” and to paste, with CTRL + V, the command that was silently copied into the victim’s clipboard. The victim is then guided to press “Enter” to execute the command.
Case 1 — PyInstaller ⇒ PowerShell backdoor
When the “Fix it” button is clicked, the clipboard is filled with the following command:
This command downloads the payload from the hxxp://topsportracing[.]com/wp-25 URL, which appears to be a compromised website, and opens a browser window on the legitimate website https://www.advanced-ip-scanner.com/ so that the user believes the command simply opened the Advanced IP Scanner website and does not become suspicious.
The downloaded payload is a 36 MB PyInstaller file, which is a sample of the fake updater described above.
Case 2 — Obfuscated PowerShell loader ⇒ PowerShell backdoor
The command is an obfuscated PowerShell loader that downloads a legitimate Node.js executable from https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip and executes the PowerShell backdoor, which is double base64 encoded. This legitimate executable is used to run the malicious payload.
A deobfuscated version of this loader could be the following:
In February 2025, this loader was improved with some interesting execution guardrails:
The system manufacturer is not "QEMU".
The total physical memory is at least 4 GB or the used physical memory is at least 1.5 GB.
The computer name is not "DESKTOP-\S".
These execution guardrails are anti-sandbox conditions, as QEMU is widely used in malware analysis and sandbox environments. Checking the memory size is a common method of VM detection, as sandboxes are often created with the minimum possible amount of resources.
TDR continues to monitor this ClickFix infrastructure closely; however, it appears to have been unused since February 2025. It is possible that this technique was less effective than the Interlock operators had anticipated, leading them to abandon it.
Delivered payload
The Sekoia TDR team did not observe the PowerShell backdoor downloading or executing any payload: during the investigation, most of the active C2 servers responded with ooff, the backdoor’s shutdown command. According to the first analysis conducted by Cisco Talos in November 2024, the delivered payloads are a credential stealer and a keylogger. This is consistent with the files related to Interlock activity observed since then.
The custom packer used by the Interlock intrusion set to protect all files related to its attacks allowed TDR to pivot and track its different tools. The executables protected by this custom packer were indeed keyloggers and information stealers.
TDR also observed the Interlock operators using different known families of credential stealers, such as LummaStealer in February 2025 and BerserkStealer in January 2025. All these malware families were packed using the Interlock custom packer.
As with the ClickFix technique, the observed usage of these two malware families is limited in time, which possibly indicates that the Interlock operators are testing and/or deploying new tools.
However, the most frequently observed file during investigation is the Interlock RAT described in the following section.
Interlock RAT
In the payloads related to Interlock activity, TDR observed a backdoor used by Interlock since at least October 2024. This malware is a RAT delivered as a packed DLL of ~1.3 MB, while its unpacked version is only ~180 KB.
This RAT implements the following commands:
ID | Action
1 | Ping back and re-create socket
2 | Read data from TCP connection
3 | Download a file from the C2 and save it on the disk
4 | Do nothing
5 | Run rundll32.exe %temp%\tmp[random int].dll run
6 | Write log file in %temp%\[random int].log (which seems to be a config file containing the C2 IP addresses)
7 | Update the C2 list
8 | Close each connection and each opened file
9 | Execute a cmd.exe
This RAT has three hard-coded IP addresses, which correspond to the observed clusters, and the malware communicates with its C2 with a raw TCP socket on port 443. The data downloaded from the C2 servers is decrypted using a custom XOR-based function.
The backdoor sends to the C2 server the following information preceded by a magic number 55 11 69 DF (0xDF691155).
iptarget: C2 IP address
runas: boolean indicating if the sample is executed with admin privileges or not
typedef: hardcoded value
veros: OS version of the infected system
domain: the Active Directory domain to which the host is connected, or "WORKGROUP" if not present
Lateral movement and exfiltration
According to Talos Incident Response, the Interlock operators primarily use RDP and stolen credentials to move between systems. Additionally, they observed commands used for pre-kerberoasting reconnaissance. Like many other ransomware groups, they aim to gain access to the victim’s domain controller (DC). Domain controllers are critical because they host Active Directory Domain Services (AD DS), which manage authentication, authorisation, and resource access across the network. By compromising the domain controller, attackers gain control over the entire domain, allowing them to escalate privileges, disable security mechanisms, and propagate their ransomware payload across all connected systems.
The operators also use PuTTY, AnyDesk and possibly LogMeIn to maintain remote access. PuTTY is likely used to access Linux systems, as Interlock ransomware has a version able to target them.
Furthermore, Talos reports that Interlock operators use Azure Storage Explorer and the AZCopy tool to exfiltrate sensitive data to an attacker-controlled Azure storage blob. This information could not be confirmed by Sekoia TDR’s observations.
When the Interlock operators succeed in exfiltrating sensitive data from a company’s network, they upload it to a new Tor domain. The link to this Tor domain is provided in each post dedicated to a new victim on their DLS.
Interlock ransomware
The Interlock ransomware exists in multiple versions, with variants compiled to target both Windows and Linux operating systems. Since November 2024, multiple Windows variants have been identified, although no Linux variant has been observed since October 2024. The Linux version of the ransomware closely mirrors the Windows one, with the same expected arguments.
As with the other malware used in Interlock attacks, the Windows version of the ransomware is developed in C/C++. The executable is protected by a custom packer and unpacked by code stored in its Thread Local Storage. The Windows variant uses AES-CBC encryption provided by the LibTomCrypt library. After the unpacking phase, it enumerates logical drives from A to Z (excluding the C drive), then iterates over the folders and files on these drives, encrypting files with specific extensions while excluding folders such as $Recycle.Bin and PerfLogs and system-critical file types such as .dll and .exe. Encrypted files are renamed with the extension .interlock in earlier versions and .!NT3R10CK in the more recent samples observed.
After encryption, the ransomware creates a ransom note file in each folder. The file name has changed over time, from ! README !.txt to FIRST_READ_ME.txt and then QUICKGUIDE_.txt.
The Windows variant of the ransomware creates a scheduled task to be executed every day at 8:00 PM.
schtasks /create /sc DAILY /tn "TaskSystem" /tr "cmd /C cd %s && %s" /st 20:00 /ru system > nul
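As an added example (not part of the Sekoia report), the following Python runs a detection over constructed, simplified Sysmon-style JSON events using the indicators given above: the two encrypted-file extensions, the three ransom note names and the TaskSystem scheduled task command line. The event field names, the sample records and the mass-encryption threshold are assumptions.

```python
import json
import re
from collections import Counter

# Indicators from the report: encrypted-file extensions, ransom note names and
# the scheduled task the Windows variant creates (name, 20:00 daily, SYSTEM).
ENCRYPTED_EXTENSIONS = (".interlock", ".!nt3r10ck")
RANSOM_NOTE_NAMES = {"! README !.txt", "FIRST_READ_ME.txt", "QUICKGUIDE_.txt"}
SCHTASKS_RE = re.compile(
    r'schtasks\s+/create\b.*?/tn\s+"?TaskSystem"?.*?/st\s+20:00\b.*?/ru\s+system\b',
    re.IGNORECASE,
)
MASS_ENCRYPTION_THRESHOLD = 3  # assumed value: renamed files per host before alerting


def classify_event(event: dict) -> list[str]:
    """Return the Interlock indicators matched by one telemetry event."""
    hits = []
    if event.get("EventType") == "FileCreate":
        path = event.get("TargetFilename", "").replace("\\", "/")
        basename = path.rsplit("/", 1)[-1]
        if basename.lower().endswith(ENCRYPTED_EXTENSIONS):
            hits.append("interlock_encrypted_extension")
        if basename in RANSOM_NOTE_NAMES:
            hits.append("interlock_ransom_note")
    elif event.get("EventType") == "ProcessCreate":
        if SCHTASKS_RE.search(event.get("CommandLine", "")):
            hits.append("interlock_scheduled_task")
    return hits


def scan(lines: list[str]) -> dict:
    """Classify JSON-lines telemetry and flag hosts with mass file renaming."""
    findings, renamed_per_host = [], Counter()
    for line in lines:
        event = json.loads(line)
        host = event.get("Computer", "?")
        for tag in classify_event(event):
            findings.append((host, tag, event.get("TargetFilename") or event.get("CommandLine")))
            if tag == "interlock_encrypted_extension":
                renamed_per_host[host] += 1
    mass = sorted(h for h, n in renamed_per_host.items() if n >= MASS_ENCRYPTION_THRESHOLD)
    return {"findings": findings, "mass_encryption_hosts": mass}


# Constructed, simplified Sysmon-style records (not real logs); field names are assumptions.
SAMPLE_EVENTS = [
    '{"Computer": "WS01", "EventType": "FileCreate", "TargetFilename": "D:\\\\share\\\\q1.xlsx.!NT3R10CK"}',
    '{"Computer": "WS01", "EventType": "FileCreate", "TargetFilename": "D:\\\\share\\\\q2.xlsx.!NT3R10CK"}',
    '{"Computer": "WS01", "EventType": "FileCreate", "TargetFilename": "D:\\\\share\\\\plan.docx.!NT3R10CK"}',
    '{"Computer": "WS01", "EventType": "FileCreate", "TargetFilename": "D:\\\\share\\\\QUICKGUIDE_.txt"}',
    '{"Computer": "WS01", "EventType": "ProcessCreate", "CommandLine": "schtasks /create /sc DAILY /tn \\"TaskSystem\\" /tr \\"cmd /C cd D:\\\\share && D:\\\\share\\\\upd.exe\\" /st 20:00 /ru system"}',
    '{"Computer": "WS02", "EventType": "FileCreate", "TargetFilename": "C:\\\\Users\\\\bob\\\\notes.txt"}',
    '{"Computer": "WS02", "EventType": "ProcessCreate", "CommandLine": "schtasks /create /sc DAILY /tn \\"Backup\\" /tr backup.cmd /st 20:00 /ru system"}',
]
```

Running scan(SAMPLE_EVENTS) yields five findings, all on WS01, and lists WS01 as a mass-encryption host; the benign WS02 events produce nothing.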
The Windows variants accept the following command-line arguments:
-d, --directory: Target only the directory passed as argument
-f, --file: Target only the file passed as argument
-del, --delete: The ransomware deletes itself after encryption. It drops a small DLL file (2.5 KB) stored in its data section and executes it using rundll32.exe.
-s, --system: Create a scheduled task
--release-files: Unknown purpose
Since October 2024, the file extensions to be ignored by the ransomware have remained unchanged.
Windows variant | | Linux variant
.bat | .ico | .b00
.bin | .msi | .v00
.cab | .ocx | .v01
.cmd | .psm1 | .v02
.com | .src | .v03
.cur | .sys | .v04
.diagcab | .ini | .v05
.diagcfg | .url | .v06
.diagpkg | .dll | .v07
.drv | .exe | .t00
.hlp | .ps1 |
.hta | |
Ransom note
The ransom note has evolved slightly since the beginning of Interlock’s activity. Talos observed a similarity between the note dropped by Interlock ransomware and the one dropped by Rhysida ransomware, but could not conclude that the two actors are linked. TDR notes that the group is placing increasing emphasis on the legal risks faced by companies, citing the laws that would be violated if the data leak were to be disclosed by Interlock.
Two different versions of the ransom note, observed on 11 October 2024 and 21 February 2025 are provided in the Appendix.
Conclusion
The Interlock ransomware group, active since September 2024, is an evolving, increasingly significant threat, although not a particularly prolific one at present. Despite its relatively low victim count in Q1 2025, the group has demonstrated adaptability and innovation in its tactics. In January and February 2025, Interlock experimented with a new initial access method, dubbed ClickFix, showcasing its willingness to innovate. Its reliance on credential-stealing malware such as LummaStealer and Berserk Stealer, alongside keyloggers, underscores a persistent focus on harvesting sensitive data for lateral movement and privilege escalation.
Interlock’s technical arsenal has remained largely consistent since its inception, relying on a specific PowerShell backdoor, a Remote Access Trojan and ransomware payload. However, incremental enhancements to its toolset have been observed, including the evolution of its PowerShell backdoor to version 11 and modifications to its ransom note, which now emphasises legal repercussions for non-payment.
Interlock continues to improve its tools and methods, which reflects a willingness to stay relevant while avoiding the large-scale visibility associated with more prolific ransomware groups such as the attention-seeking FunkSec ransomware group. TDR continues to monitor Interlock activities to anticipate further evolution and potential escalation in its campaigns.