This intelligence briefing synthesizes three high-priority OTX pulses indicating a surge in diverse cyber-espionage and extortion campaigns.

- **Ransomware Ecosystem (Hive0163/Rhysida):** A deep analysis of the Interlock and Rhysida ecosystems reveals a sophisticated supply chain using custom malware like `NodeSnake` (Linux), `InterlockRAT`, and `JunkFiction`. The actors leverage trojanized installers and SEO poisoning (SocGholish) to deliver payloads like `MintLoader` and `Vidar` across critical sectors in the USA.
- **Infrastructure Targeting (UAT-8616):** Active exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20133) is underway. Threat actors are deploying webshells (`Godzilla`, `Behinder`) and C2 frameworks (`Sliver`, `XenShell`) to hijack management infrastructure.
- **Education Sector Extortion (UNC6240):** ShinyHunters is actively exploiting a zero-day (CVE-2026-35273) in Oracle PeopleSoft. The campaign targets higher education, deploying `MeshCentral` for lateral movement and data exfiltration via `azurenetfiles.net`.

Collectively, these pulses represent a converged threat where initial access brokers facilitate ransomware and espionage operations simultaneously.
# Threat Actor / Malware Profile

## Hive0163 (Interlock) & Rhysida

- **Malware Families:** `NodeSnake`, `InterlockRAT`, `JunkFiction`, `Supper`, `Rhysida`, `Broomstick`.
- **Distribution:** SEO poisoning (SocGholish), trojanized software installers.
- **Behavior:** `NodeSnake` is a Linux/Unix backdoor focused on persistence; `InterlockRAT` provides remote command execution on Windows; `JunkFiction` acts as a downloader.
- **C2:** Custom C2 infrastructure, often using domain generation algorithms or hardcoded IPs (e.g., `185.196.9.234`).
## UAT-8616

- **Malware Families:** `XenShell`, `Godzilla`, `Behinder`, `Sliver`.
- **Objective:** Persistence in edge network infrastructure (Cisco SD-WAN).
- **Behavior:** Exploits authentication bypasses to drop webshells (JSP/Java based) and deploys cryptominers (`XMRig`) or lateral movement tools (`Sliver`).
## UNC6240 (ShinyHunters)

- **Malware Families:** `MeshCentral`.
- **Target:** Education sector (USA).
- **Behavior:** Exploits RCE in Oracle PeopleSoft Environment Management. Deploys `MeshCentral` agents for full remote control. Uses `agent.ashx` for callback.
# IOC Analysis

- **Domains:** `leadslaw.com` (Interlock C2/SEO), `azurenetfiles.net` (ShinyHunters C2). SOC teams must block these at the DNS layer and inspect historical HTTP logs for connections.
- **IPs:** `185.196.9.234` (Interlock), `176.120.22.24` (ShinyHunters).
- **File Hashes:** A significant volume of MD5, SHA1, and SHA256 hashes are provided for loaders (`MintLoader`) and payloads. Operationalize these by scanning EDR telemetry and quarantining file shares.
- **CVEs:**
  - CVE-2026-35273 (Oracle PeopleSoft RCE - Critical)
  - CVE-2026-20182 / CVE-2026-20133 (Cisco SD-WAN Auth Bypass)
  - CVE-2023-36036 (Microsoft Exchange related)
- **Tooling:** Use `VirusTotal` for hash validation, `MISP` for IOC correlation, and SIEM solutions (Splunk/Sentinel) for network log enrichment.
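As an added example (not part of the OTX pulses or this briefing's own tooling), the following Python runs the domain and IP IOCs listed above over constructed proxy log lines. It goes slightly beyond the page by enforcing a dot boundary on domain matches, so `cdn.azurenetfiles.net` is flagged while a look-alike such as `azurenetfiles.network` is not; the log format and every sample line are constructed for the example.

```python
"""Added example: match the briefing's domain and IP IOCs against proxy log lines."""
from urllib.parse import urlsplit

# IOCs exactly as listed in the IOC Analysis section, keyed to the actor they belong to.
DOMAIN_IOCS = {"leadslaw.com": "Hive0163_Interlock", "azurenetfiles.net": "UNC6240_ShinyHunters"}
IP_IOCS = {"185.196.9.234": "Hive0163_Interlock", "176.120.22.24": "UNC6240_ShinyHunters"}

# Constructed sample lines in an assumed proxy format: "<timestamp> <src_ip> <dst_ip> <url>".
SAMPLE_LOG = """\
2026-06-16T10:01:02Z 10.0.0.5 176.120.22.24 https://cdn.azurenetfiles.net/agent.ashx
2026-06-16T10:02:10Z 10.0.0.7 203.0.113.9 https://azurenetfiles.network/index.html
2026-06-16T10:03:44Z 10.0.0.9 185.196.9.234 http://185.196.9.234/update.bin
2026-06-16T10:04:00Z 10.0.0.5 198.51.100.4 https://www.leadslaw.com/setup.exe
2026-06-16T10:05:00Z 10.0.0.6 198.51.100.4 https://example.com/
"""


def domain_matches(host, ioc_domain):
    """True if host is the IOC domain or a subdomain of it. A plain substring test
    (Sigma 'contains', KQL 'has') would also accept look-alikes such as
    'azurenetfiles.network'; requiring a dot boundary avoids that."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def classify(line):
    """Return the actor label for one log line, or None if no IOC is hit."""
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed or differently formatted line
    _timestamp, _src_ip, dst_ip, url = parts
    host = urlsplit(url).hostname or ""
    for ioc, actor in DOMAIN_IOCS.items():
        if domain_matches(host, ioc):
            return actor
    for ioc, actor in IP_IOCS.items():
        if dst_ip == ioc or host == ioc:  # direct-to-IP connections carry the IP as the URL host
            return actor
    return None


def hunt(log_text):
    """Return [(line, actor)] for every line that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        actor = classify(line)
        if actor:
            hits.append((line, actor))
    return hits


if __name__ == "__main__":
    for line, actor in hunt(SAMPLE_LOG):
        print(f"[{actor}] {line}")
```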
# Detection Engineering

```yaml
title: Potential ShinyHunters MeshCentral C2 Activity
id: d8f8e9a0-6b1a-4a9c-9f5e-1a2b3c4d5e6f
status: experimental
description: Detects network connections to known ShinyHunters C2 infrastructure associated with Oracle PeopleSoft exploitation.
references:
  - https://otx.alienvault.com/pulse/660000000000
author: Security Arsenal Research
date: 2026/06/16
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'azurenetfiles.net'
  condition: selection
falsepositives:
  - Unknown
level: critical
---
title: Suspicious Cisco SD-WAN Webshell Process Creation
date: 2026/06/16
author: Security Arsenal Research
status: experimental
description: Detects potential webshell activity on Cisco SD-WAN devices via suspicious Java process arguments or command-line downloads of JSP files.
references:
  - https://otx.alienvault.com/pulse/660000000001
logsource:
  category: process_creation
  product: linux
detection:
  selection_java:
    Image|endswith: '/java'
    CommandLine|contains:
      - 'godzilla'
      - 'behinder'
      - 'memshell'
  # TargetFilename belongs to the file_event category, not process_creation,
  # so the JSP check is expressed on the download tool's command line instead.
  selection_download_tool:
    CommandLine|contains:
      - 'curl'
      - 'wget'
  selection_jsp_target:
    CommandLine|contains:
      - '.jsp'
      - '.jspx'
  condition: selection_java or (selection_download_tool and selection_jsp_target)
falsepositives:
  - Legitimate administrative scripts
level: high
---
title: InterlockRAT NodeSnake Linux Persistence
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects persistence mechanisms used by NodeSnake or InterlockRAT on Linux endpoints.
references:
  - https://otx.alienvault.com/pulse/660000000002
author: Security Arsenal Research
date: 2026/06/16
logsource:
  product: linux
  category: process_creation
detection:
  selection_cron:
    Image|endswith: '/crontab'
    CommandLine|contains:
      - '/tmp/'
      - '/var/tmp/'
  selection_node:
    Image|endswith: '/node'
    CommandLine|contains:
      - 'base64'
      - 'eval'
  condition: 1 of selection*
falsepositives:
  - Developer activity
level: medium
```
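To check the NodeSnake persistence rule above against sample telemetry before deploying it, here is an added Python evaluator (not the Sigma project's code and not from the briefing). It transcribes the rule's detection block, implements only the `endswith` and `contains` modifiers it uses with Sigma's default case-insensitive string matching, and applies the `1 of selection*` condition to constructed process_creation events.

```python
"""Added example: a minimal evaluator for the NodeSnake persistence Sigma rule above.
It supports only what that rule uses ('endswith', 'contains', '1 of selection*')."""

# The rule's detection block, transcribed field-for-field from the YAML above.
NODESNAKE_RULE = {
    "selection_cron": {
        "Image|endswith": "/crontab",
        "CommandLine|contains": ["/tmp/", "/var/tmp/"],
    },
    "selection_node": {
        "Image|endswith": "/node",
        "CommandLine|contains": ["base64", "eval"],
    },
}

# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/crontab", "CommandLine": "crontab /var/tmp/.cache/cron.txt"},
    {"Image": "/usr/bin/node", "CommandLine": "node -e eval(Buffer.from(process.env.P,'base64').toString())"},
    {"Image": "/usr/bin/crontab", "CommandLine": "crontab -l"},
    {"Image": "/usr/bin/node", "CommandLine": "node /opt/app/server.js"},
]


def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value(s)' pair. Values in a list are ORed, and
    matching is case-insensitive, which is Sigma's default for string comparisons."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = [v.lower() for v in (expected if isinstance(expected, list) else [expected])]
    if modifier == "endswith":
        return any(actual.endswith(v) for v in values)
    if modifier == "contains":
        return any(v in actual for v in values)
    if modifier == "":
        return actual in values
    raise ValueError(f"modifier not supported by this evaluator: {modifier}")


def selection_matches(event, selection):
    """All field pairs inside one selection are ANDed."""
    return all(field_matches(event, key, val) for key, val in selection.items())


def rule_matches(event, rule):
    """'1 of selection*': true if any selection whose name starts with 'selection' matches."""
    return any(selection_matches(event, sel) for name, sel in rule.items() if name.startswith("selection"))


def run_rule(events, rule=NODESNAKE_RULE):
    """Return the events that would raise this rule."""
    return [event for event in events if rule_matches(event, rule)]
```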
```kql
// Hunt for ShinyHunters and Interlock Network IOCs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "azurenetfiles.net"
    or RemoteUrl has "leadslaw.com"
    or RemoteIP in ("185.196.9.234", "176.120.22.24")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
// Attribute each hit by domain or IP; keying on the URL alone would mislabel
// direct connections to the ShinyHunters IP as Interlock.
| extend IOCPulse = case(
    RemoteUrl has "azurenetfiles.net" or RemoteIP == "176.120.22.24", "UNC6240_ShinyHunters",
    "Hive0163_Interlock")
```
```powershell
# IOC Hunter for Interlock and ShinyHunters File Hashes
$TargetHashes = @(
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f",
    "2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35"
)
Write-Host "Scanning for OTX Pulse IOCs (Interlock/Rhysida/ShinyHunters)..." -ForegroundColor Cyan

# Check common download directories
$PathsToScan = @("C:\Users\*\Downloads\", "C:\Windows\Temp\", "C:\ProgramData\")
foreach ($path in $PathsToScan) {
    if (Test-Path $path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_
            if ($file.Length -gt 0) {
                try {
                    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower()
                    if ($TargetHashes -contains $hash) {
                        Write-Host "[ALERT] Malicious file found: $($file.FullName) | Hash: $hash" -ForegroundColor Red
                    }
                } catch {
                    # Ignore access errors (locked or permission-denied files)
                }
            }
        }
    }
}

# Check for MeshCentral Agent Artifacts
# The second entry is the Windows agent's default install directory.
$MeshPaths = @("C:\Windows\MeshAgent", "C:\Program Files\Mesh Agent")
foreach ($MeshPath in $MeshPaths) {
    if (Test-Path $MeshPath) {
        Write-Host "[WARNING] MeshCentral Agent directory detected: $MeshPath. Verify legitimate usage (UNC6240 activity)." -ForegroundColor Yellow
    }
}
```
# Response Priorities

* **Immediate:**
  * Block all listed domains (`azurenetfiles.net`, `leadslaw.com`) and IPs at the firewall/proxy.
  * Patch **CVE-2026-35273** (Oracle PeopleSoft) and **CVE-2026-20182** (Cisco SD-WAN) immediately.
  * Isolate devices matching the file hash IOCs.
* **24 Hours:**
  * Initiate credential resets for accounts active on endpoints where `MintLoader` or `Vidar` (information stealers) may have executed (Pulse 1).
  * Audit Oracle PeopleSoft servers for unauthorized `MeshCentral` installations or `agent.ashx` files.
* **1 Week:**
  * Review the external attack surface for exposed SD-WAN management interfaces.
  * Implement application control to block execution of unsigned installers and LOLBins (Living Off The Land binaries) abused by `JunkFiction`.