
Hive0163 Interlock, UAT-8616 SD-WAN & ShinyHunters Zero-Day: Multi-Vector OTX Analysis

Security Arsenal Team
June 16, 2026
7 min read

Excerpt

OTX tracks active campaigns: Rhysida ransomware, Cisco SD-WAN exploitation, and Oracle PeopleSoft zero-day attacks. High urgency.

Threat Summary

Recent OTX Pulse data reveals a convergence of high-impact threat activities targeting critical infrastructure, enterprise software, and educational institutions.

  1. Ransomware Ecosystem (Interlock & Rhysida): Hive0163 (Interlock) and Rhysida actors are actively evolving their TTPs, using SocGholish (fake browser-update) and Gootloader (SEO-poisoned download) lures to deliver complex payloads including NodeSnake, InterlockRAT, and SystemBC. The objective is persistence followed by ransomware deployment and data extortion.
  2. Infrastructure Exploitation (Cisco SD-WAN): UAT-8616 is actively exploiting CVE-2026-20182, an authentication bypass in Cisco Catalyst SD-WAN. Successful exploitation allows for the deployment of webshells (Godzilla, Behinder) and cryptocurrency miners (XMRig), indicating a shift towards resource theft and lateral movement.
  3. Zero-Day Data Extortion (Oracle PeopleSoft): UNC6240 (ShinyHunters) has been exploiting CVE-2026-35273, a critical RCE vulnerability in Oracle PeopleSoft, as a zero-day since late May 2026. The campaign targets the Education sector, deploying MeshCentral for remote control and exfiltrating sensitive data for extortion.

Collectively, these pulses highlight an aggressive landscape where initial access is gained via exploits (SD-WAN, PeopleSoft) and social engineering (trojanized installers), leading to diverse outcomes including ransomware, crypto-mining, and pure data theft.

Threat Actor / Malware Profile

Hive0163 (Interlock) & Rhysida

  • Distribution: Primarily driven by SEO poisoning and fake-update lures: SocGholish (fake browser updates) and Gootloader (SEO-poisoned downloads) masquerading as legitimate software.
  • Payload Behavior:
    • NodeSnake: A modular backdoor used for persistent C2.
    • InterlockRAT: Custom remote access trojan focusing on system reconnaissance.
    • SystemBC: A proxy tool used to route malicious traffic through victim infrastructure, evading detection.
  • C2 Communication: Uses custom protocols over HTTP/HTTPS, often routed through SystemBC proxies to obfuscate the destination C2 servers.
  • Persistence: Scheduled tasks and registry run keys established via initial downloader payloads (MintLoader).

UAT-8616

  • Distribution: Direct exploitation of internet-facing Cisco Catalyst SD-WAN Manager/Controller instances.
  • Payload Behavior: Deploys XenShell, Godzilla, and Behinder webshells for remote code execution. Subsequently deploys XMRig to hijack system resources for Monero mining.
  • C2 Communication: Webshell communication mimics legitimate administrative traffic; XMRig connects to public mining pools.
  • Persistence: Webshell persistence via vulnerable application components; potential scheduled tasks for miners.

UNC6240 (ShinyHunters)

  • Distribution: Exploitation of CVE-2026-35273 in Oracle PeopleSoft Environment Management component.
  • Payload Behavior: Deploys MeshCentral, a legitimate remote management tool, to maintain unauthorized access.
  • C2 Communication: Connections to azurenetfiles.net (infrastructure used for MeshCentral agent delivery).
  • Persistence: MeshCentral agent installed as a service or persistent background process.

IOC Analysis

The provided IOCs span multiple domains, infrastructure, and malware samples:

  • Domains & URLs: leadslaw.com (likely related to SocGholish/SEO poisoning) and azurenetfiles.net (MeshCentral C2/download server). SOC teams should immediately block these at the perimeter and DNS layer.
  • IPs: 185.196.9.234 and 176.120.22.24. These should be blocked on firewalls and fed into EDR network telemetry for alerting on outbound connections.
  • File Hashes: A wide array of hashes are provided for families including Interlock, Sliver, and XMRig. These are critical for EDR correlation and YARA rule creation.
  • CVEs: Critical attention is needed for CVE-2026-20182 (Cisco SD-WAN) and CVE-2026-35273 (Oracle PeopleSoft).

Operationalizing IOCs:

  • Tooling: SIEM (Splunk, Sentinel), EDR (CrowdStrike, SentinelOne), Firewall (Palo Alto, Fortinet), and Threat Intelligence Platforms (MISP, Anomali).
  • Decoding: Use sha256sum, certutil -hashfile or Get-FileHash to compute digests for comparison (match MD5 IOCs against MD5 digests and SHA-256 IOCs against SHA-256 digests; a mismatched algorithm never hits), nslookup/dig plus passive DNS for domain resolution history, and proxy or TLS-inspection logs to examine suspected C2 traffic.
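The two mistakes that most often make an IOC sweep silently miss are comparing a digest against an IOC of a different algorithm and matching domains as raw substrings. The following is an added example, not code from the original page or from any of the named vendors: it classifies the page's published indicators by type (hash algorithm from hex length, IPv4, domain), rejects junk, and matches them against constructed DNS, connection and file-hash telemetry with label-aware domain matching. The event records and the malformed hash "zz3903c7" are constructed for the example; the indicator values themselves are the ones listed on this page.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators copied from this page's IOC list (the SHA-256 is from its hunt script);
# the last entry is a deliberately malformed hash, constructed to show rejection.
RAW_IOCS = [
    "leadslaw.com",
    "azurenetfiles.net",
    "185.196.9.234",
    "176.120.22.24",
    "f0b3e112ce4807a28e2b5d66a840ed7f",
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
    "zz3903c7",
]

HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(ioc: str) -> tuple[str, str]:
    """Return (indicator type, normalised value). Digest type is taken from the hex length,
    so an MD5 IOC is never compared against a SHA-256 digest or vice versa."""
    s = ioc.strip()
    if HEX_RE.match(s) and len(s) in HASH_TYPES:
        return HASH_TYPES[len(s)], s.lower()
    try:
        return "ipv4", str(ipaddress.IPv4Address(s))
    except ipaddress.AddressValueError:
        pass
    if DOMAIN_RE.match(s):
        return "domain", s.lower().rstrip(".")
    raise ValueError(f"unrecognised indicator: {ioc!r}")


def load_iocs(raw):
    """Group indicators by type; junk is reported rather than silently fed to a blocklist."""
    groups, rejected = defaultdict(set), []
    for ioc in raw:
        try:
            kind, value = classify(ioc)
            groups[kind].add(value)
        except ValueError:
            rejected.append(ioc)
    return dict(groups), rejected


def domain_hit(host: str, domains) -> bool:
    """Label-aware suffix match: cdn.leadslaw.com hits leadslaw.com, while notleadslaw.com
    and leadslaw.com.example.org do not (a plain substring test would flag all three)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def hash_hit(digest: str, groups) -> bool:
    """Look the digest up only among IOCs of the same algorithm (same hex length)."""
    d = digest.lower()
    return d in groups.get(HASH_TYPES.get(len(d), ""), set())


# Constructed telemetry for the example: DNS answers, outbound connections and file hashes
# as an EDR or Get-FileHash sweep would report them (Get-FileHash emits uppercase hex).
SAMPLE_EVENTS = [
    {"kind": "dns", "host": "cdn.leadslaw.com", "src": "10.0.0.5"},
    {"kind": "dns", "host": "notleadslaw.com", "src": "10.0.0.6"},
    {"kind": "dns", "host": "leadslaw.com.example.org", "src": "10.0.0.7"},
    {"kind": "conn", "dst": "185.196.9.234", "src": "10.0.0.8"},
    {"kind": "conn", "dst": "185.196.9.2", "src": "10.0.0.9"},
    {"kind": "file", "sha256": "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
     "path": "C:\\Users\\Public\\update.exe"},
    {"kind": "file", "md5": "F0B3E112CE4807A28E2B5D66A840ED7F", "path": "C:\\Temp\\setup.exe"},
    {"kind": "file", "md5": "d41d8cd98f00b204e9800998ecf8427e", "path": "C:\\Temp\\empty.txt"},
]


def hunt(events, groups):
    """Return (reason, event) pairs for every event that touches an indicator."""
    hits = []
    for ev in events:
        if ev["kind"] == "dns" and domain_hit(ev["host"], groups.get("domain", ())):
            hits.append(("domain", ev))
        elif ev["kind"] == "conn" and ev["dst"] in groups.get("ipv4", ()):
            hits.append(("ipv4", ev))
        elif ev["kind"] == "file":
            for algo in ("md5", "sha1", "sha256"):
                if algo in ev and hash_hit(ev[algo], groups):
                    hits.append((algo, ev))
                    break
    return hits


if __name__ == "__main__":
    groups, rejected = load_iocs(RAW_IOCS)
    print("rejected:", rejected)
    for reason, ev in hunt(SAMPLE_EVENTS, groups):
        print(f"[!] {reason}: {ev}")
```

Run against the constructed events it reports four hits (the subdomain of leadslaw.com, the listed IP, and both real hashes regardless of case) and none for the two look-alike hostnames or the neighbouring IP; the malformed hash is returned separately so it can be fixed in the feed rather than quietly dropped.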

Detection Engineering

Sigma Rules

YAML
title: Potential MeshCentral Agent Retrieval or Check-in - ShinyHunters
id: 9b7f1c8e-3d4a-4b5e-8f1a-2c3d4e5f6a7b
description: Detects proxy requests to the infrastructure associated with UNC6240 activity observed in OTX Pulse for MeshCentral agent endpoints. agent.ashx is the path the MeshCentral agent uses for its WebSocket check-in and meshagents is the path that serves agent binaries, so both a fresh download and an already-installed agent calling home are covered.
status: experimental
date: 2026/06/16
author: Security Arsenal
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
tags:
    - attack.command_and_control
    - attack.t1219
    - attack.t1105
logsource:
    category: proxy
detection:
    selection:
        cs-host|contains: 'azurenetfiles.net'
        c-uri|contains:
            - 'agent.ashx'
            - 'meshagents'
    condition: selection
falsepositives:
    - Legitimate administrative activity (rare; confirm the MeshCentral server owner before closing)
level: high

---
title: SystemBC Proxy Execution - Interlock/Rhysida
id: 6c2e9d41-8f3b-4a7e-b5d0-1e9a4c7f2b83
description: Detects execution of SystemBC, a proxy tool frequently used by Hive0163 and Rhysida actors to hide C2 traffic. The image-name selection is specific; the command-line selection is a broad heuristic on generic -connect/-proxy switches and must be tuned to the environment before it is used for alerting.
status: experimental
date: 2026/06/16
author: Security Arsenal
references:
    - https://www.ibm.com/think/x-force/interlock-and-rhysida-within-the-ransonware-ecosystem
tags:
    - attack.command_and_control
    - attack.t1090.003
logsource:
    category: process_creation
detection:
    selection_img:
        Image|endswith: '\SystemBC.exe'
    selection_cli:
        CommandLine|contains:
            - '-connect'
            - '-proxy'
    condition: 1 of selection*
falsepositives:
    - Legitimate tools invoked with -connect or -proxy switches (selection_cli on its own is noisy)
level: high

---
title: XMRig Cryptocurrency Miner - UAT-8616
id: f1e2d3c4-b5a6-7b8c-9d0e-1f2a3b4c5d6e
description: Detects execution of XMRig, often deployed by UAT-8616 post-exploitation on Cisco SD-WAN infrastructure. Image name and PE description are separate selections ORed in the condition, because an 'or' keyword inside a selection map is not valid Sigma; the description selection also catches renamed binaries. This rule covers Windows endpoint telemetry; the SD-WAN appliances themselves are Linux-based, so hunt them with the Linux equivalent (Image ending in '/xmrig').
status: experimental
date: 2026/06/16
author: Security Arsenal
references:
    - https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
tags:
    - attack.impact
    - attack.t1496
logsource:
    category: process_creation
detection:
    selection_img:
        Image|endswith: '\xmrig.exe'
    selection_desc:
        Description|contains: 'XMRig CPU miner'
    condition: 1 of selection_*
falsepositives:
    - Authorized mining operations (rare)
level: high
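Before shipping Sigma rules it is worth running their selection logic over a handful of hand-built events to confirm what actually fires. The block below is an added example, not code from the original page, from the Sigma project or from any vendor: a minimal evaluator for the Sigma features these three rules use (|contains, |endswith, lists as OR, keys as AND, a single named selection, and "1 of prefix*"), with the page's three detection blocks transcribed as Python dicts to avoid a YAML dependency. The proxy URI field is written as c-uri, the Sigma proxy taxonomy name. All events are constructed; the curl event is included to show why the SystemBC command-line selection needs tuning, and the renamed kthreadd.exe event shows why the XMRig rule keeps a Description selection.

```python
import fnmatch
import re

# The page's three Sigma detection blocks transcribed as dicts (no YAML dependency).
RULES = [
    {
        "title": "Potential MeshCentral Agent Download - ShinyHunters",
        "logsource": "proxy",
        "detection": {
            "selection": {"cs-host|contains": "azurenetfiles.net", "c-uri|contains": "agent.ashx"},
            "condition": "selection",
        },
    },
    {
        "title": "SystemBC Proxy Execution - Interlock/Rhysida",
        "logsource": "process_creation",
        "detection": {
            "selection_img": {"Image|endswith": "\\SystemBC.exe"},
            "selection_cli": {"CommandLine|contains": ["-connect", "-proxy"]},
            "condition": "1 of selection*",
        },
    },
    {
        "title": "XMRig Cryptocurrency Miner - UAT-8616",
        "logsource": "process_creation",
        "detection": {
            "selection_img": {"Image|endswith": "\\xmrig.exe"},
            "selection_desc": {"Description|contains": "XMRig CPU miner"},
            "condition": "1 of selection_*",
        },
    },
]


def value_matches(field_value, modifier, pattern) -> bool:
    """Sigma string matching is case-insensitive; plain values take * and ? wildcards."""
    fv, p = str(field_value).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in fv
    if modifier == "endswith":
        return fv.endswith(p)
    if modifier == "startswith":
        return fv.startswith(p)
    if modifier == "":
        return fnmatch.fnmatchcase(fv, p)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: dict, event: dict) -> bool:
    """Keys within one selection are ANDed; a list of values under a key is ORed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(value_matches(event[field], modifier, v) for v in values):
            return False
    return True


def rule_matches(rule: dict, event: dict) -> bool:
    """Condition forms used on this page: one selection name, '1 of <prefix>*', 'all of <prefix>*'."""
    det = rule["detection"]
    cond = det["condition"].strip()
    names = [n for n in det if n != "condition"]
    m = re.fullmatch(r"(1|all) of (\w*)\*", cond)
    if m:
        qual, prefix = m.groups()
        results = [selection_matches(det[n], event) for n in names if n.startswith(prefix)]
        return any(results) if qual == "1" else bool(results) and all(results)
    if cond in names:
        return selection_matches(det[cond], event)
    raise ValueError(f"unsupported condition: {cond!r}")


# Constructed events in Sigma field names (proxy and process_creation categories); not real telemetry.
SAMPLE_EVENTS = [
    {"category": "proxy", "cs-host": "files.azurenetfiles.net", "c-uri": "/agent.ashx", "c-ip": "10.1.1.20"},
    {"category": "proxy", "cs-host": "files.azurenetfiles.net", "c-uri": "/index.html", "c-ip": "10.1.1.21"},
    {"category": "process_creation", "Image": "C:\\ProgramData\\svc\\systembc.exe",
     "CommandLine": "systembc.exe", "Description": ""},
    {"category": "process_creation", "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "Description": "Host Process for Windows Services"},
    # Renamed miner: the image name no longer helps, the PE description still does
    {"category": "process_creation", "Image": "C:\\Users\\Public\\kthreadd.exe",
     "CommandLine": "kthreadd.exe -o pool.example.invalid:3333", "Description": "XMRig CPU miner"},
    # Benign admin activity whose --proxy switch trips the broad command-line selection
    {"category": "process_creation", "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl.exe --proxy http://proxy.corp.example:8080 https://example.com",
     "Description": "The curl executable"},
]


def run_rules(rules, events):
    """Map rule title -> indexes of matching events, evaluating each rule only on its log source."""
    return {
        r["title"]: [i for i, ev in enumerate(events)
                     if ev["category"] == r["logsource"] and rule_matches(r, ev)]
        for r in rules
    }


if __name__ == "__main__":
    for title, idx in run_rules(RULES, SAMPLE_EVENTS).items():
        print(f"{title}: events {idx}")
```

The MeshCentral rule fires only on the agent.ashx request, the XMRig rule catches the renamed miner through its description, and the SystemBC rule fires on both the real sample and the benign curl invocation, which is exactly the false positive the command-line selection produces until it is narrowed for the environment.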

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Network Connections to Known Malicious Infrastructure
// has_any rather than in: RemoteUrl frequently carries a subdomain or full URL that an exact match would miss
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("leadslaw.com", "azurenetfiles.net")
   or RemoteIP in ("185.196.9.234", "176.120.22.24")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort

// Hunt for Process Execution related to Malware Families
// node.exe is included because NodeSnake is Node.js-based; expect developer noise and pivot on FolderPath.
// Bare "powershell.exe" and the substring "node" are deliberately not used: they match almost everything.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("SystemBC.exe", "xmrig.exe", "meshagent.exe", "node.exe")
   or ProcessCommandLine has_any ("agent.ashx", "JunkFiction")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunter for Interlock, ShinyHunters, and UAT-8616 Campaigns.
.DESCRIPTION
    Checks for known file hashes, suspicious network connections, and registry persistence.
#>

$MaliciousHashes = @(
    "f0b3e112ce4807a28e2b5d66a840ed7f", # Pulse 1 MD5
    "edbf152ed9ac79e5d9e0111d1071af48",
    "d75cb9920d1d3d280518ddccfe4789d2", # Pulse 2 MD5
    "ebcf977806f68af3147e0b78b55f6aed", # Pulse 3 MD5
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c" # Pulse 1 SHA256
)

$MaliciousDomains = @("leadslaw.com", "azurenetfiles.net")
$MaliciousIPs = @("185.196.9.234", "176.120.22.24")

Write-Host "[*] Starting IOC Hunt..." -ForegroundColor Cyan

# Check for File Hashes
# Group IOC hashes by algorithm (32 hex chars = MD5, 64 = SHA256) so each file is compared with
# the right digest; hashing a file with MD5 and comparing against a SHA256 IOC never matches.
$HashesByAlgo = @{ MD5 = @(); SHA256 = @() }
foreach ($Hash in $MaliciousHashes) {
    switch ($Hash.Length) {
        32      { $HashesByAlgo.MD5    += $Hash.ToUpper() }
        64      { $HashesByAlgo.SHA256 += $Hash.ToUpper() }
        default { Write-Warning "Skipping IOC with unrecognised hash length: $Hash" }
    }
}

Write-Host "[*] Scanning all fixed drives for known malicious file hashes (single pass; slow on large volumes)..." -ForegroundColor Yellow
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
Get-ChildItem -Path $Drives -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $File = $_
    foreach ($Algo in @('MD5', 'SHA256')) {
        if ($HashesByAlgo[$Algo].Count -eq 0) { continue }
        # Locked or unreadable files return $null here and are skipped
        $Digest = (Get-FileHash -Path $File.FullName -Algorithm $Algo -ErrorAction SilentlyContinue).Hash
        if ($Digest -and $HashesByAlgo[$Algo] -contains $Digest) {
            Write-Host "[!] ALERT: Malicious file found ($Algo $Digest) at $($File.FullName)" -ForegroundColor Red
        }
    }
}

# Check Active Network Connections
Write-Host "[*] Checking active network connections for malicious IOCs..." -ForegroundColor Yellow
$Connections = Get-NetTCPConnection -State Established | Select-Object -ExpandProperty RemoteAddress
foreach ($IP in $MaliciousIPs) {
    if ($Connections -contains $IP) {
        Write-Host "[!] ALERT: Active connection detected to malicious IP: $IP" -ForegroundColor Red
    }
}

# Check DNS Cache (exact name or subdomain only, so unrelated names that merely contain the string do not alert)
Write-Host "[*] Checking DNS cache for malicious domains..." -ForegroundColor Yellow
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Entry
foreach ($Domain in $MaliciousDomains) {
    $Hits = $DnsCache | Where-Object { $_ -eq $Domain -or $_ -like "*.$Domain" }
    if ($Hits) {
        Write-Host "[!] ALERT: DNS cache entry found for domain: $Domain ($($Hits -join ', '))" -ForegroundColor Red
    }
}

Write-Host "[*] Hunt Complete." -ForegroundColor Green

Response Priorities

  • Immediate:

    • Block all listed domains (leadslaw.com, azurenetfiles.net) and IPs at the perimeter and proxy.
    • Patch Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20133) immediately.
    • Apply Oracle patch for CVE-2026-35273 to PeopleSoft environments; if unavailable, implement WAF rules to block exploitation attempts on the Environment Management component.
    • Hunt for SystemBC and XMRig processes across endpoints, matching on the binary's file description as well as the image name, since miners are routinely renamed.
  • 24h:

    • Conduct credential resets for accounts with access to Oracle PeopleSoft and SD-WAN management consoles, as webshells may have facilitated credential theft.
    • Isolate hosts identified as communicating with C2 infrastructure for forensic imaging.
    • Review logs for successful exploitation attempts on Oracle PeopleSoft around late May/early June 2026.
  • 1 Week:

    • Implement network segmentation to restrict lateral movement from DMZ-facing SD-WAN and PeopleSoft servers.
    • Harden against the SEO-poisoning initial-access path: restrict software downloads to approved sources and brief users on fake browser-update lures.
    • Deploy specific YARA rules for the identified malware hashes and families (NodeSnake, InterlockRAT).
