JunkFiction
JunkFiction is a malware loader/downloader associated with the financially motivated Hive0163 / Interlock ransomware ecosystem. In the underlying reporting it is described as part of the group's custom toolset alongside NodeSnake, InterlockRAT, and Interlock ransomware, and is used to deliver the Windows Interlock ransomware payload, typically a 64-bit PE dropped into temporary folders. IBM X-Force also reported that early Supper samples were protected by the JunkFiction crypter, and that NodeSnake shares code logic and server addresses with the JunkFiction downloader and InterlockRAT, indicating close development overlap within the broader malware framework.

The malware is linked to intrusion chains that rely on trojanized software installers, fake Microsoft Teams download pages, traffic distribution systems, fake browser updates, and ClickFix-style lures for initial access and payload delivery. Activity involving this tooling has primarily targeted organizations in the United States, with healthcare, education, and government among the sectors most affected by the associated Interlock and Rhysida operations. High-confidence associations in the reporting tie JunkFiction to Hive0163/Interlock operations and to overlapping tooling relationships with Supper, NodeSnake, InterlockRAT, ModeloRAT, and Interlock ransomware.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2023-36036: local privilege escalation exploit (JunkFiction-crypted), used by Interlock and ModeloRAT operators.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Persistence: 1 technique
Privilege Escalation: 1 technique
Command and Control: 1 technique
Once inside, attackers use traffic distribution systems to redirect victims and deliver payloads through ClickFix-style attacks or fake browser updates.
NodeSnake, which acts as the first-stage loader in most Interlock infections, shares code logic and server addresses with both the JunkFiction downloader and InterlockRAT.
IOCs tracked for this family
19 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A downloader used by Interlock and seen in Rhysida infection chains. It is also used as a crypter/protector for other payloads, including Supper and Interlock ransomware binaries.
Loader used by Hive0163 as part of its custom toolkit to help establish and maintain long-term access in compromised environments.
Loader used to deploy the Interlock ransomware payload.
Loader used by Hive0163 as part of its malicious toolset.