InterlockRAT
InterlockRAT is a backdoor used in Hive0163-linked intrusion chains associated with Interlock ransomware operations. In observed attacks, the intrusion began with a ClickFix social-engineering lure that led to deployment of the NodeSnake backdoor, which then downloaded additional payloads including InterlockRAT. Reporting describes InterlockRAT as a more advanced backdoor that provides remote command execution, reverse shell capability, SOCKS5 tunneling, and web socket communication. It was deployed alongside other malware components such as Slopoly and NodeSnake before the final Interlock ransomware payload. The activity is associated with the financially motivated threat actor Hive0163, which is described as focused on post-compromise access, data theft, and ransomware deployment. The available content does not provide specific file-based indicators or unique InterlockRAT infrastructure, but it does place the malware within a broader Hive0163 toolset used for persistence, lateral movement, and follow-on ransomware execution.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The more capable InterlockRAT followed, adding web socket communication, a SOCKS5 tunnel, and a reverse shell.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Command and Control
6 techniques
Once inside a system, threat actors deploy Slopoly as a PowerShell script, functioning as a client for a command-and-control (C2) framework.
NodeSnake downloaded additional payloads, including the more advanced InterlockRAT, which enables reverse shells, SOCKS5 tunneling, and remote command execution.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Remote access trojan used in the attack chain to provide more advanced post-compromise capabilities, including WebSocket communications, SOCKS5 tunneling, and reverse shell access.
Remote access trojan/backdoor used alongside Slopoly and NodeSnake in attack chains that culminate in Interlock ransomware deployment.
More advanced payload in the Hive0163 C2 framework that provides reverse shells, SOCKS5 tunneling, and remote command execution.
Remote access trojan/backdoor used in the same attack chain as Slopoly during an Interlock ransomware intrusion.