NodeSnake
NodeSnake is a remote access trojan/backdoor family associated with the Interlock ransomware operation, which IBM X-Force tracks as Hive0163. It is described as the first-stage loader in most Interlock infections and as the persistent access layer of a broader malware framework that also includes JunkFiction and InterlockRAT. Reporting links Interlock activity involving NodeSnake to ClickFix social-engineering campaigns, including attacks against multiple U.K. universities, and to broader ransomware intrusions affecting sectors such as healthcare, education, government, and enterprise environments.
NodeSnake has been observed in multiple implementations: a JavaScript variant for Node.js, Java JAR variants bundling Tyrus and Grizzly, and native C++/PE binaries wrapped in crypter shells. Across these variants, researchers reported shared code logic, overlapping infrastructure, and common protocol elements, including RC4-encrypted WebSocket framing, an initialize prefix of 92 01 88 fe, and an 8-field host profiling format. NodeSnake uses disposable Cloudflare Tunnel endpoints as WebSocket relays and falls back to hardcoded IP infrastructure. The JavaScript, Java, and native PE variants were reported to hardcode the same C2 IPs: 172.86.68.64, 23.227.203.123, and 77.42.75.119.
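The RC4 framing and the 92 01 88 fe initialize prefix are the kind of protocol constants an analyst can turn into a known-plaintext check on captured WebSocket payloads. The Python below is an added example, not NodeSnake's code or any vendor's tooling: it implements RC4 and reports which captured frames a candidate key decrypts to a payload starting with the reported prefix. The key, the sample frames, and the '|'-delimited encoding of the 8-field host profile are assumptions constructed for the example; the page gives neither the real key nor the field layout, so `build_initialize` exists only to produce test input for the check.

```python
"""Added example: RC4 round-trip and a known-prefix check for captured frames.
Not NodeSnake code. Key, frames and the profile encoding are constructed."""
from typing import Iterable, List

# Initialize prefix reported for NodeSnake's WebSocket protocol.
INIT_PREFIX = bytes.fromhex("920188fe")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_initialize(key: bytes, profile: List[str]) -> bytes:
    """Build an encrypted initialize frame as test input for the check below.
    Assumption: prefix followed by the 8 host-profile fields joined with '|'.
    The real field order and delimiter are not given on the page."""
    if len(profile) != 8:
        raise ValueError("host profile has 8 fields")
    return rc4(key, INIT_PREFIX + "|".join(profile).encode())


def find_initialize_frames(key: bytes, frames: Iterable[bytes]) -> List[int]:
    """Indices of frames that already start with INIT_PREFIX, or decrypt to it.
    A 4-byte match after RC4 with a wrong key happens by chance about 1 in 2^32,
    so a hit is strong evidence that the candidate key is the real one."""
    hits = []
    for idx, frame in enumerate(frames):
        if frame.startswith(INIT_PREFIX) or rc4(key, frame).startswith(INIT_PREFIX):
            hits.append(idx)
    return hits


if __name__ == "__main__":
    key = b"example-key"  # constructed; not a real NodeSnake key
    frame = build_initialize(key, ["host", "user", "os", "arch", "pid", "ver", "domain", "ip"])
    print(find_initialize_frames(key, [b"\x00\x01", frame]))
```

In practice the candidate key comes from the sample (a string constant in the Node.js script, or a decrypted configuration blob in the PE), and the frames come from a proxy or Cloudflare Tunnel capture; because RC4 is symmetric, the same `rc4` call decrypts operator-to-implant and implant-to-operator traffic alike.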
Its capabilities include persistent access, shell/command execution, retrieval and launch of additional malware, and support for wider post-compromise operations. The JavaScript implant supports SOCKS5 proxying, interactive shell access, one-shot command execution, file transfer, self-update, self-delete, and operator-controlled sleep/disconnect functions. The native PE variant adds TCP tunneling, thread execution hijacking, anti-debugging checks, DLL execution via rundll32.exe, and privilege-aware behavior. Multiple reports state NodeSnake is designed to run shell commands, establish persistence, and retrieve and launch InterlockRAT; in observed intrusions it was deployed alongside InterlockRAT and later-stage tooling such as Slopoly, culminating in Interlock ransomware deployment.
NodeSnake is also notable for code and infrastructure overlap with other malware tied to Hive0163 and possibly Rhysida-linked development, including JunkFiction, InterlockRAT, Supper/SocksShell/WINDYTWIST, and ModeloRAT. IBM X-Force reported that NodeSnake shares code logic and server addresses with JunkFiction and InterlockRAT, and that these overlaps strongly suggest common developers or trusted code sharing.
High-confidence network indicators named in the source reporting are the hardcoded C2 IP addresses 172.86.68.64, 23.227.203.123, and 77.42.75.119, which are shared across the JavaScript, Java, and native PE variants.
Vulnerabilities exploited
One CVE has been correlated with this family across public research and vendor advisories.
The Interlock ransomware gang has been exploiting a maximum severity remote code execution (RCE) vulnerability in Cisco's Secure Firewall Management Center (FMC) software in zero-day attacks since late January. Cisco patched the security flaw (CVE-2026-20131) on March 4, warning that it could allow unauthenticated attackers to remotely execute arbitrary Java code as root on unpatched devices.
Groups observed using it
Two distinct threat actors attributed by public researchers.
"The Interlock ransomware group has deployed a previously undocumented JavaScript remote access trojan called NodeSnake..."
The attack itself is said to have leveraged the ClickFix social engineering tactic to trick the victim into running a PowerShell command, which then downloads NodeSnake, a known malware attributed to Hive0163. A first-stage component, NodeSnake, is designed to run shell commands, establish persistence, and retrieve and launch a wider malware framework referred to as Interlock RAT.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
The Interlock ransomware operation surfaced in September 2024 and has been linked to ClickFix and to malware attacks in which they deployed a remote access trojan called NodeSnake on the networks of multiple U.K. universities.
Execution (4 techniques)
The Java variant adds two features... The UpdateThread creates a self-deleting scheduled task... Like the Java variant, the PE uses self-deleting scheduled tasks... A daily scheduled task runs the ransomware at 20:00 as SYSTEM.
The attack itself is said to have leveraged the ClickFix social engineering tactic to trick the victim into running a PowerShell command, which then downloads NodeSnake.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (4 techniques)
Thread execution hijacking: uses SetThreadContext/GetThreadContext to inject into running threads.
DELETE 0x0c fs.rmSync(__filename)... If the counter passes 40, the implant deletes itself... self-deleting scheduled task... --delete (self-delete after encryption)
Discovery (2 techniques)
Command and Control (6 techniques)
The PowerShell script functions as a full-fledged backdoor that can beacon a heartbeat message containing system information to a C2 server every 30 seconds, poll for a new command every 50 seconds, execute it via "cmd.exe," and relay the results back to the server.
The implant connects over ws:// and rotates across nine Cloudflare Tunnel domains plus three fallback IP addresses... All three tiers use the same transport protocol... RC4-encrypted WebSocket framing.
Operator commands: the implant supports 12 message types, including SOCKS5 (0x05, SOCKS5 proxy)... The native implant runs a multi-threaded design with a SocksThread (SOCKS4 proxy handler) and a Socks5Thread (SOCKS5 proxy handler).
The C2 infrastructure runs through free Cloudflare Tunnel endpoints as disposable WebSocket relays, falling back to hardcoded IPs on hosting providers.
The native variant adds several features not present in the scripted tiers: TCP tunnel relay (TcpTunnel): forwards arbitrary TCP connections through the implant, allowing the operator to reach internal hosts.
Once inside, attackers use traffic distribution systems to redirect victims and deliver payloads through ClickFix-style attacks or fake browser updates.
NodeSnake, which acts as the first-stage loader in most Interlock infections, shares code logic and server addresses with both the JunkFiction downloader and InterlockRAT.
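The command-and-control traits collected above (three hardcoded C2 IPs, ws:// connections to disposable Cloudflare Tunnel relays, and the fixed 30-second heartbeat and 50-second poll of the ClickFix PowerShell stage) can be hunted directly in proxy or flow logs. The Python below is an added example, not code from the page, from NodeSnake, or from Mallory: it flags connections to the listed C2 IPs, WebSocket connections to free Cloudflare Tunnel hostnames, and source/destination pairs that connect on a fixed cadence. The `.trycloudflare.com` suffix is an assumption about where free quick tunnels are issued, not something the page states, and the log format, hostnames, and sample lines are constructed for the example.

```python
"""Added example: hunt constructed proxy/flow logs for NodeSnake C2 traits.
Not code from the page, NodeSnake or Mallory. Log format and lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Set, Tuple

# Hardcoded C2 IPs reported for the JavaScript, Java and native PE variants.
KNOWN_C2 = {"172.86.68.64", "23.227.203.123", "77.42.75.119"}
# Assumption: free ("quick") Cloudflare Tunnels are issued under this suffix.
TUNNEL_SUFFIX = ".trycloudflare.com"

# Constructed log lines: '<ISO-8601 ts> <src_ip> <dst_ip> <scheme> <host>'.
# Host 10.0.0.5 beacons every ~30 s to a tunnel relay, then falls back to a C2 IP.
SAMPLE_LOG = """\
2025-05-01T10:00:00 10.0.0.5 104.16.0.10 wss example-tunnel.trycloudflare.com
2025-05-01T10:00:30 10.0.0.5 104.16.0.10 wss example-tunnel.trycloudflare.com
2025-05-01T10:01:00 10.0.0.5 104.16.0.10 wss example-tunnel.trycloudflare.com
2025-05-01T10:01:31 10.0.0.5 104.16.0.10 wss example-tunnel.trycloudflare.com
2025-05-01T10:02:00 10.0.0.5 77.42.75.119 ws 77.42.75.119
2025-05-01T10:00:05 10.0.0.7 93.184.216.34 https www.example.com
2025-05-01T10:03:17 10.0.0.7 93.184.216.34 https www.example.com
""".splitlines()


def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    """Split one constructed log line into its five fields."""
    ts, src, dst, scheme, host = line.split()
    return datetime.fromisoformat(ts), src, dst, scheme, host


def hunt(lines: List[str], expected_interval: float,
         tolerance: float = 2.0, min_gaps: int = 3) -> Dict[str, object]:
    """Return indicator matches plus src/dst pairs that connect on a fixed cadence."""
    known_c2: Set[Tuple[str, str]] = set()
    tunnel_hosts: Set[Tuple[str, str]] = set()
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        ts, src, dst, scheme, host = parse_line(line)
        if dst in KNOWN_C2:
            known_c2.add((src, dst))
        if scheme.startswith("ws") and host.endswith(TUNNEL_SUFFIX):
            tunnel_hosts.add((src, host))
        by_pair[(src, dst)].append(ts)
    beacons = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Fixed-interval beaconing: enough gaps, every gap within tolerance of the cadence.
        if len(gaps) >= min_gaps and all(abs(g - expected_interval) <= tolerance for g in gaps):
            beacons.append((pair, median(gaps)))
    return {"known_c2": known_c2, "tunnel_hosts": tunnel_hosts, "beacons": beacons}


if __name__ == "__main__":
    print(hunt(SAMPLE_LOG, expected_interval=30))
```

Run `hunt` once with `expected_interval=30` for the heartbeat and once with `50` for the command poll; the IP and tunnel-suffix matches are cadence-independent and will surface either way. Because the Cloudflare Tunnel hostnames are disposable, the cadence and the fallback IPs are the more durable signals.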
IOCs tracked for this family
20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family as well as file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
A first-stage loader used in most Interlock infections. It shares code logic and infrastructure with JunkFiction and InterlockRAT, and its code structure was later extended by ModeloRAT.
WebSocket-based persistent backdoor implemented in JavaScript, Java, and native C++. It uses RC4-encrypted message framing, Cloudflare Tunnel and hardcoded IPs for C2, profiles hosts, supports SOCKS proxying, command execution, file transfer, self-update, and in the native PE variant adds TCP tunnelling, thread execution hijacking, anti-debugging, and DLL execution.
A remote access trojan deployed by Interlock on the networks of multiple U.K. universities.
Node.js-based backdoor used early in the intrusion chain to establish access and communicate with command-and-control infrastructure over HTTP POST requests.