Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareRansomwareUsed by 1 actor

InterlockRAT

InterlockRAT is a backdoor associated with the Interlock ransomware operation, which IBM X-Force tracks under the financially motivated cluster Hive0163. It is deployed in multi-stage intrusions that commonly begin with ClickFix social-engineering lures and malicious PowerShell execution, with NodeSnake frequently serving as the first-stage loader before InterlockRAT is delivered. In observed attacks, InterlockRAT was used alongside other malware components including NodeSnake and the PowerShell backdoor Slopoly, culminating in deployment of the Interlock ransomware payload.

Its documented capabilities include remote command execution, reverse shell access, SOCKS5 tunneling, and web socket communication. IBM X-Force reported that InterlockRAT and the Supper backdoor share nearly identical command structures, similar command-and-control registration formats, and the same self-deletion method, indicating strong tooling overlap. Additional reporting noted code logic and infrastructure overlap between NodeSnake, JunkFiction, and InterlockRAT, and IBM assessed these overlaps strongly suggest common developers or a trusted code-sharing arrangement. InterlockRAT is part of a broader malware ecosystem linked to Interlock and, by IBM’s assessment, connected to tooling also used around Rhysida operations.

The malware has been observed in ransomware intrusions affecting primarily U.S.-based victims, with healthcare, education, and government among the most affected sectors in 2025 according to IBM X-Force’s broader reporting on Interlock activity. High-confidence indicators directly mentioned in the content include its association with Hive0163/Interlock operations and its role as a later-stage backdoor delivered after NodeSnake in ClickFix-driven compromises.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Hive0163

The more capable InterlockRAT followed, adding web socket communication, a SOCKS5 tunnel, and a reverse shell.

via cyber security newscybersecuritynews.com
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Command and Control

6 techniques
T1071Application Layer ProtocolEvidence3

Once inside a system, threat actors deploy Slopoly as a PowerShell script, functioning as a client for a command-and-control (C2) framework.

T1090ProxyEvidence1

The more capable InterlockRAT followed, adding web socket communication, a SOCKS5 tunnel, and a reverse shell.

T1090.002External ProxyEvidence1

NodeSnake downloaded additional payloads, including the more advanced InterlockRAT, which enables reverse shells, SOCKS5 tunneling, and remote command execution.

T1090.003Multi-hop ProxyEvidence1

NodeSnake downloaded additional payloads, including the more advanced InterlockRAT, which enables reverse shells, SOCKS5 tunneling, and remote command execution.

T1105Ingress Tool TransferEvidence4

NodeSnake, which acts as the first stage loader in most Interlock infections, shares code logic and server addresses with both JunkFiction downloader and InterlockRAT.

T1219Remote Access ToolsEvidence2

The more capable InterlockRAT followed, adding web socket communication, a SOCKS5 tunnel, and a reverse shell.

INDICATORS OF COMPROMISE

IOCs tracked for this family

6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
6 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting
ip.v4●●●●●●●●●●●●View more in app11 days ago
domain●●●●●●●●●●●●View more in app11 days ago
domain●●●●●●●●●●●●View more in app11 days ago
domain●●●●●●●●●●●●View more in app11 days ago
ip.v4●●●●●●●●●●●●View more in app11 days ago
ip.v4●●●●●●●●●●●●View more in app3 months ago
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
cyber security newsNews
Jun 16, 2026
Interlock and Rhysida Ransomware Operations Share Supper Backdoor and Malware Codebase

A remote access trojan/backdoor in Interlock’s custom toolkit. It closely mirrors Supper in internal behavior, including command structure, C2 registration, and self-deletion logic.

Read more
cyber security newsNews
Mar 16, 2026
IBM Uncovers ‘Slopoly,’ Likely AI-Generated Malware Used in Hive0163 Ransomware Attack - Cyber Security News

Remote access trojan used in the attack chain to provide more advanced post-compromise capabilities, including WebSocket communications, SOCKS5 tunneling, and reverse shell access.

Read more
scworldNews
Mar 13, 2026
AI-generated malware Slopoly used in Interlock ransomware attacks | brief | SC Media

Remote access trojan/backdoor used alongside Slopoly and NodeSnake in attack chains that culminate in Interlock ransomware deployment.

Read more
security affairsNews
Mar 13, 2026
AI-assisted Slopoly malware powers Hive0163’s ransomware campaigns

More advanced payload in the Hive0163 C2 framework that provides reverse shells, SOCKS5 tunneling, and remote command execution.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching6

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.