In early 2025, the operators expanded their tactics by switching from browser update lures to security software updaters, masquerading as FortiClient, Ivanti Secure Access Client, GlobalProtect, and other security products. These fake updaters are carefully crafted PyInstaller files that, when manually launched by the victim, download and execute the actual legitimate installer (Chrome or MS Edge) while simultaneously running an embedded PowerShell backdoor script. Cybersecurity experts have identified a sophisticated ransomware threat known as Interlock, which has been quietly expanding its operations since its first appearance in September 2024. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Despite their continuing operations, Interlock has claimed fewer victims—24 since September 2024, including just 6 in 2025—compared to more prolific ransomware groups that have each claimed over one hundred victims in Q1 2025 alone. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. This malware employs an elaborate multi-stage attack chain, beginning with the compromise of legitimate websites that deliver fake browser updates to unsuspecting users. The PowerShell backdoor operates as the first stage of the attack, running in an infinite loop that continuously executes HTTP requests to designated command and control servers. This script collects extensive system information including user context, system details, running processes, services, available drives, and network configuration. The C2 infrastructure demonstrates resilience through careful distribution across various hosting providers, with domains typically leveraging Cloudflare services and backup IP addresses strategically allocated across different autonomous systems. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. This adaptation demonstrates the group’s ongoing refinement of their techniques as they continue to operate beneath the radar of many security operations. Companies impacted by Interlock span various sectors across North America and Europe, indicating an opportunistic target selection approach rather than industry-specific targeting. The operators have improved their toolset and incorporated new techniques such as ClickFix to deploy their ransomware payload, alongside employing additional tools like LummaStealer and BerserkStealer to enhance their capabilities. The initial infection vector relies on social engineering, tricking users into downloading and executing what appear to be legitimate browser updates. Later iterations implement persistence mechanisms by creating registry entries that relaunch the malware at startup, and can execute arbitrary Windows commands received from the C2 server. Unlike many contemporary threats, Interlock cannot be classified as a Ransomware-as-a-Service (RaaS) operation, as no advertisements for recruiting affiliates have been discovered. The group maintains a data leak site dubbed “Worldwide Secrets Blog” where they expose victim data and provide negotiation channels. Sekoia Threat Detection & Research (TDR) team analysts have identified significant evolution in Interlock’s tactics since its emergence.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Apr 2025 18:40:13 +0000