Two of the more active ransomware groups operating today, Interlock and Rhysida, have more in common than previously thought. New research shows both groups share a backdoor called Supper, and that several of their malware tools appear to have grown from the same original code.
The Interlock group, tracked internally as Hive0163, has been running ransomware campaigns since September 2024. Unlike many other ransomware operations, Interlock does not offer its tools to outside affiliates.
Instead, the group relies on a custom-built arsenal that includes NodeSnake, InterlockRAT, and the JunkFiction downloader. Rhysida, on the other hand, has been active since at least May 2023 and runs as a Ransomware-as-a-Service platform.
Analysts at IBM X-Force, said in a report shared with Cyber Security News (CSN), that their two-year investigation uncovered strong connections between both groups.
According to X-Force, the clearest overlap is the shared use of the Supper backdoor, also known as SocksShell or WINDYTWIST, which has appeared in confirmed incidents tied to both ransomware operations.
By the end of 2025, both groups had each claimed roughly 80 victims, with most located in the United States. Healthcare, education, and government were among the hardest hit sectors.
Two separate ransomware operations sharing a private backdoor points to either a common development team or a controlled arrangement where code is sold between trusted actors.
Cisco Talos had earlier assessed, with low confidence, that Interlock may have emerged from Rhysida’s operators or developers. IBM X-Force findings add more weight to that theory, with code analysis revealing structural similarities across multiple malware families belonging to both groups.
Interlock and Rhysida Ransomware Operations
The Supper backdoor sits at the center of this research. First seen in July 2024, Supper predates both NodeSnake and InterlockRAT and was originally found protected by the JunkFiction crypter, the same one Interlock uses on its own tools.
Supper maintains persistent access to a victim system, creates encrypted tunnels, and runs remote shell commands, all capabilities that closely mirror InterlockRAT.
What makes this especially significant is how these tools behave internally. IBM X-Force found that InterlockRAT and Supper share nearly identical command structures, similar formats for registering with control servers, and the same self-deletion method.
An embedded DLL used by older Supper versions to erase itself from disk is the exact same component found inside the Interlock ransomware binary, triggered when told to delete itself after encrypting files.
NodeSnake, which acts as the first stage loader in most Interlock infections, shares code logic and server addresses with both JunkFiction downloader and InterlockRAT.
A newer Python-based backdoor called ModeloRAT, deployed by the TAG-124 traffic distribution network tied to Interlock, further extends NodeSnake’s code structure and uses identical network validation bytes. These overlaps strongly suggest the tools were built by the same developers.
Attack Chains, Infection Tactics, and Toolset
Both groups rely heavily on trojanized software installers to gain entry into victim networks. Fake download pages for tools like Microsoft Teams are designed to look legitimate, tricking users into running malicious files.
These installers are signed with fraudulent code-signing certificates bought from cybercrime forums, helping them pass security checks on most systems.
Once inside, attackers use traffic distribution systems to redirect victims and deliver payloads through ClickFix-style attacks or fake browser updates.
Interlock has been repeatedly tied to a system known as TAG-124, also tracked as LandUpdate808. Rhysida actors, operating under the Vanilla Tempest cluster, have used Gootloader-based access that hands off to Supper before ransomware is deployed.
Post-compromise activity is thorough and methodical. Attackers move through networks using tools like AZcopy, Advanced Port Scanner, and credential stealers before dropping ransomware.
IBM X-Force also found a custom Windows Defender Application Control policy on Interlock staging servers, built to disable Defender and endpoint tools while letting the group’s own malware run freely.
Organizations should monitor for abnormally signed executables, watch for unexpected use of remote management software, and treat ClickFix-style browser prompts as a high-priority warning sign.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| IP Address | 65.109.226[.]176 | Shared C2 server used in NodeSnake and JunkFiction downloader campaigns |
| IP Address | 172.86.68[.]175 | Interlock staging server (nelavohomet[.]com) |
| IP Address | 37.27.244[.]222 | Interlock staging server (ms-sql-auth[.]com) |
| IP Address | 151.241.99[.]169:8080 | Supper C2 server (Rhysida/Vanilla Tempest) |
| IP Address | 46.183.25[.]6:1080 | Supper C2 server (Rhysida/Vanilla Tempest) |
| IP Address | 213.139.77[.]167:4043 | Supper C2 server (Rhysida/Vanilla Tempest) |
| IP Address | 193.104.58[.]42:8080 | Second Supper C2 (Rhysida follow-on deployment) |
| IP Address | 5.226.141[.]216:1080 | Second Supper C2 (Rhysida follow-on deployment) |
| IP Address | 178.32.224[.]221:4043 | Second Supper C2 (Rhysida follow-on deployment) |
| Domain | nelavohomet[.]com | Interlock staging server domain |
| Domain | ms-sql-auth[.]com | Interlock staging server domain (Amazon threat intel) |
| Domain | coretether[.]com | Supper C2 domain (Rhysida) |
| Domain | nucleusgate[.]com | Supper C2 domain (Rhysida) |
| Domain | registrywave[.]com | Supper C2 domain (Rhysida) |
| Domain | scs-techresources[.]com | Broomstick payload delivery domain (Rhysida) |
| Domain | apple-online[.]shop | JunkFiction downloader C2/payload delivery |
| Domain | leadslaw[.]com | Fake Microsoft Teams installer delivery |
| Domain | microsoft-teams[.]icu | Fake Microsoft Teams installer site |
| Domain | partyglacierhip[.]to | Interlock staging server |
| URL | https://hire-household-squad-postcard.trycloudflare[.]com/MSTeamsSetup.exe | Rhysida fake Teams installer |
| URL | https://microsoft-teams[.]icu/files/MSteamsV7.80.exe | Rhysida fake Teams installer |
| File Hash (SHA-1/SHA-256) | c24cb7692b77123387b821f3683966807662217a4c918c32bb97358729c33a1d | JunkFiction downloader payload (PyInstaller) |
| File Hash (SHA-256) | f962e15c6efebb3c29fe399bb168066042b616affddd83f72570c979184ec55c | PyInstaller bundle containing JunkFiction downloader |
| File Hash (SHA-256) | 7890b116d13a52efe696ce1e2c0ed83029775cf4bea836ce551e71d222ee116f | PyInstaller bundle containing NodeSnake |
| File Hash (SHA-256) | 0e13ca9e55fbe5ae323f7f295dde8d68aaca3e2c737999174691bee77525de99 | JunkFiction downloader |
| File Hash (SHA-256) | c15f44d6abb3a2a882ffdc9b90f7bb5d1a233c0aa183eb765aa8bfba5832c8c6 | ModeloRAT sample |
| File Hash (SHA-256) | bc2b7627c5e02e5d8c6311955f1a5c09c62b511aba87b90e493c59c7d360c263 | NodeSnake (deobfuscated validation logic) |
| File Hash (SHA-256) | 7ed805c5fc3bd0a4eab3d523483a9cc83b8768ff667875f2318f3bfa4ef68fe2 | Supper JAR variant |
| File Hash (SHA-256) | c9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82f | Supper self-deletion DLL |
| File Hash (SHA-256) | 2528df60e55f210a6396dd7740d76afe30d5e9e86 | Dave-crypted Supper |
| File Hash (SHA-256) | b1444193923ca6f71c70c6a45011378ef00459c8a | JunkFiction-crypted Supper |
| File Hash (SHA-256) | a4d0ea40eb9cdcd2da83afbe4d36a634ac85c2cb6 | Tomb-crypted Supper |
| File Hash (SHA-256) | c8347069980e0c7b8d42cbf0f2be7bc6e558f8b6cf | Supper JS variant |
| File Hash (SHA-256) | 55a02d14de13134e77eb9cc787ac622791b38b74931d1588bb5750b06951c8c0 | Tomb-crypted Vidar infostealer |
| File Hash (SHA-256) | 604f7aa77a14f07baa21e76b73ceb7970037bfbdcc2040bf2e445702e99587a0 | Second Tomb-crypted Supper (Rhysida) |
| File Hash (SHA-256) | 0edfad6a8b34b2b419fd254a99394b8f2303d144dbeba7148ef5343e2929fe76 | Supper new C2 server config (Rhysida) |
| File Hash (SHA-256) | f34cfdc950124d26b4f2f99b192a4ab7a4163af3143c3b18bc2271ca08d6c899 | Supper new C2 server config (Rhysida) |
| File Hash (SHA-256) | 64a0ab00d90682b1807c5d7da1a4ae67cde4c5757fc7d995d8f126f0ec8ae983 | JunkFiction-crypted Supper (Rhysida infection chain) |
| File Hash (SHA-256) | b659389cde06f5e01e592dca458fe1be07a302c40dc2a820c7f76d4ee788bad3 | JunkFiction downloader (Rhysida infection chain) |
| File Hash (SHA-256) | 16474e9e4773fbc1e0b48a5025fad31b7f084b1beffb9a42687b4d01979885fe | Dave-crypted IceNova |
| File Hash (SHA-256) | 4e4a3751581252e210f6f45881d778d1f482146f92dc790504bfbcd2bdfa0129 | Donut-packed Broomstick |
| File Hash (SHA-256) | 6190923b28679eb8230010aff9b1d1a4184e8697540cc021a5be38126f3f6d99 | Tomb-crypted Supper (IceNova overlap) |
| File Hash (SHA-256) | 72bed9b26a7747252156b65d24a9a737d70b9bf6aca069c514c1c7b9e04ef9b6 | Dave-crypted Supper (Interlock staging server) |
| File Hash (SHA-256) | 5b7ee3d9f851363d4291689f9ac1a02e18ea024c7ab28009b032a60701639a5d | Custom credential phishing tool (CredPhish) |
| File Hash (SHA-256) | c96f1812e0a2d520e6e46e0ec6cd9ba8b5735c57847bea8634b017b7ed8dd8ce | ZIP containing custom WDAC policy |
| File Hash (SHA-256) | b0e292346b4ab3f83fadd8abcce7cfc5b9d50ef73ad141e8bc4a4689fee13504 | JunkFiction-crypted Interlock ransomware binary |
| File Hash (SHA-256) | 7389c2d346ef85e469a5ce47ef4cbf55bf3c58075996b8f5596e15fa257d90ad | JunkFiction-crypted Interlock ransomware binary |
| File Hash (SHA-256) | aa6e5529831b62cb27211b4918dd6da15ac7e69dbcc8621671dccf6df151c5a2 | JunkFiction-crypted Interlock ransomware binary |
| File Hash (SHA-256) | 913487d5c4514300e1f774af965d046479f0a6612061bcb82b536c7427a49102 | Sliver backdoor (Interlock staging server) |
| File Hash (SHA-256) | b7b451db845d2fd97996e765156ab9b0a337f58957803896bef72834d8a4d158 | SystemBC (Interlock staging server) |
| File Hash (SHA-256) | 8cc335a675f86c691ae04f31b4098fc5761d4e41abfdcbdf3c1016c9e9440490 | SystemBC (Interlock staging server) |
| File Hash (SHA-256) | 47363515fbf02bb669f72adfdc1e52c6cdcb4fc4183832a96b5761b6d95f016c | SystemBC (Interlock staging server) |
| File Hash (SHA-256) | dbc316c240067d5495415fca6b8fec28b0d9e4128 | NTLMThief (JunkFiction-crypted, Interlock staging) |
| File Hash (SHA-256) | b204d00dd01da0408978e4101479efbdc977e84a | PrintNightmare exploit (Interlock staging) |
| File Hash (SHA-256) | 9422d19bca175bf0727336b6ed5bef01c81e5a80d | Chrome App Bound Encryption Decryption (JunkFiction-crypted) |
| File Hash (SHA-256) | dc3c1616b70ab3a8b9c25e46fa00f04e18364909c | Local privilege escalation exploit CVE-2023-36036 (JunkFiction-crypted) |
| File Hash (SHA-256) | 8e2a3f32479404e195db7dbfd6ae3117122db0fce | Local credential stealer (JunkFiction-crypted) |
| File Hash (SHA-256) | 097f139304307375cd41bb2dc3913166e9f05f0d6bf5aad1efdc081dbf07c68d | JunkFiction downloader simplified PowerShell variant |
| File Hash (SHA-256) | a9b68f8e125da256ab5fe48e3bb4a72423927d943fe7502e20915b5ad24a5bc2 | Tomb v1 sample |
| File Hash (SHA-256) | 12b86190ab3fb916b8901d82fbe996f43417ffa5736df5294a63a440758f158e | Tomb v2 main function sample |
| File Hash (SHA-256) | 41b6815d187a9bd7284fb0919b814eaf310d55452030eb932b32b27b5c473e26 | Tomb v2 DLL payload redirect sample |
| File Name | thrndfg.lnk | Persistence shortcut created by JunkFiction downloader in Startup folder |
| File Name | MicrosoftEdgeSetup.exe | Legitimate decoy binary downloaded by JunkFiction downloader |
| File Name | first.ps1 / main1.ps1 | CredPhish credential phishing PowerShell scripts |
| CVE | CVE-2026-20131 | Network edge device vulnerability exploited by Interlock for initial access |
| CVE | CVE-2023-36036 | Local privilege escalation exploit used by Interlock and ModeloRAT operators |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
