Recent OTX Pulse data reveals a convergence of sophisticated ransomware operations and novel evasion techniques targeting enterprise infrastructure. Three distinct clusters of activity have been identified:
- Hive0163 & Rhysida Ecosystem: A deeply entrenched ransomware-as-a-service (RaaS) ecosystem utilizing a complex supply chain of downloaders (JunkFiction, Endico) and custom RATs (NodeSnake, InterlockRAT). These actors leverage SEO poisoning (SocGholish) and trojanized installers to gain initial access across a wide range of US industries.
- DragonForce Infrastructure Abuse: A technically advanced campaign exploiting Microsoft Teams infrastructure. Threat actors are using Backdoor.Turn to conceal C2 traffic within legitimate TURN relay servers, effectively bypassing network egress filtering by masquerading as trusted Microsoft traffic.
- UAT-8616 SD-WAN Exploitation: Active exploitation of perimeter networking devices. The actor UAT-8616 is leveraging authentication bypass vulnerabilities (CVE-2026-20182) in Cisco Catalyst SD-WAN controllers to deploy webshells (XenShell, Godzilla) and cryptocurrency miners (XMRig), establishing persistence at the network edge.
Threat Actor / Malware Profile
Hive0163 (Interlock) & Rhysida
- Malware Families: NodeSnake (Golang backdoor), InterlockRAT, JunkFiction, Supper, SystemBC, Sliver, Vidar.
- Distribution: Primarily driven by SEO poisoning (Gootloader, SocGholish) and trojanized legitimate software installers.
- Behavior: NodeSnake establishes a persistent backdoor, while downloaders like JunkFiction fetch secondary payloads including SystemBC (for proxying/traffic redirection) and ransomware binaries.
- Persistence: Uses Scheduled Tasks and Run keys. SystemBC often registers as a Windows service.
DragonForce
- Malware Families: Backdoor.Turn (Go-based), DragonForce Ransomware.
- Distribution: Likely initial access via compromised credentials or phishing, followed by DLL side-loading.
- Behavior: Uniquely abuses Microsoft Teams visitor tokens and TURN (Traversal Using Relays around NAT) servers to route command & control traffic. This makes malicious traffic indistinguishable from legitimate corporate collaboration traffic in firewall logs.
- Evasion: Employs Bring Your Own Vulnerable Driver (BYOVD) techniques exploiting CVE-2023-52271 and CVE-2025-61155 to disable EDR solutions.
UAT-8616
- Malware Families: XenShell, Godzilla, Behinder, Sliver, AdaptixC2, XMRig.
- Distribution: Exploitation of CVE-2026-20182 (Auth Bypass) and CVE-2026-20133 in Cisco Catalyst SD-WAN Manager.
- Behavior: Gains administrative access on the SD-WAN controller to deploy webshells, facilitating lateral movement into the managed network.
- Objective: Initial access for espionage or deploying cryptominers (XMRig) leveraging compromised high-bandwidth infrastructure.
IOC Analysis
The provided pulses offer a mix of infrastructure and file-based indicators:
- File Hashes (MD5/SHA1/SHA256): A significant volume of hashes is provided for payloads like NodeSnake, DragonForce, and webshell components. SOC teams should immediately block these on endpoints (EDR) and check quarantine history for prior hits.
- CVE Identifiers: The presence of CVE-2026-20182 (Cisco), CVE-2023-36036 (Microsoft), and CVE-2025-61155 (Driver) indicates a heavy reliance on unpatched vulnerabilities. Vulnerability management is the primary mitigation here.
- Network Infrastructure: The IP 185.196.9.234 and the domain leadslaw.com are associated with C2 infrastructure. These should be blocked at the perimeter and proxy level.
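As an added example (not code from the pulses or from Security Arsenal), the triage below takes a constructed JSON document in the shape of an OTX pulse export, validates each indicator, and sorts it into the control that enforces it (perimeter block, EDR hash block, patching). The IP, domain, CVE and the two SHA256 values are the ones quoted on this page; the malformed hash and the private IP are constructed to show what gets rejected.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample in the shape of an OTX pulse export (only the fields used
# here). Values are the IOCs quoted on this page plus two deliberately bad rows.
SAMPLE_PULSE = json.dumps({"indicators": [
    {"type": "IPv4", "indicator": "185.196.9.234"},
    {"type": "domain", "indicator": "leadslaw.com"},
    {"type": "FileHash-SHA256", "indicator":
     "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c"},
    {"type": "FileHash-SHA256", "indicator":
     "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531"},
    {"type": "CVE", "indicator": "CVE-2026-20182"},
    {"type": "FileHash-SHA256", "indicator": "not-a-hash"},  # constructed: malformed
    {"type": "IPv4", "indicator": "10.0.0.5"},               # constructed: private space
]})

HASH_LEN = {"FileHash-MD5": 32, "FileHash-SHA1": 40, "FileHash-SHA256": 64}
# Which control enforces each indicator type, following the page's response priorities.
CONTROL = {"IPv4": "perimeter", "domain": "perimeter", "hostname": "perimeter",
           "CVE": "patching", **{t: "edr" for t in HASH_LEN}}

def validate(ioc_type, value):
    """Return the normalised indicator, or None if it is malformed or unsafe to block."""
    value = value.strip()
    if ioc_type in HASH_LEN:
        ok = re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LEN[ioc_type], value)
        return value.lower() if ok else None
    if ioc_type == "IPv4":
        try:
            ip = ipaddress.IPv4Address(value)
        except ValueError:
            return None
        return None if ip.is_private else str(ip)  # never push RFC1918 space to a firewall
    if ioc_type in ("domain", "hostname"):
        ok = re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value.lower())
        return value.lower() if ok else None
    if ioc_type == "CVE":
        return value.upper() if re.fullmatch(r"CVE-\d{4}-\d{4,}", value.upper()) else None
    return None  # unknown type: leave it for an analyst

def triage(pulse_json):
    """Split a pulse into per-control blocklists; rejected rows land under 'rejected'."""
    buckets = defaultdict(list)
    for row in json.loads(pulse_json)["indicators"]:
        clean = validate(row["type"], row["indicator"])
        if clean is None:
            buckets["rejected"].append(row["indicator"])
        else:
            buckets[CONTROL[row["type"]]].append(clean)
    return dict(buckets)
```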
Detection Engineering
```yaml
---
title: Potential Microsoft Teams C2 Activity (DragonForce Backdoor.Turn)
id: d9a8c1e2-b5f3-4a6b-9c8d-1e2f3a4b5c6d
description: Detects suspicious child processes spawned by Microsoft Teams, indicative of DLL side-loading or payload execution used by DragonForce actors.
author: Security Arsenal
date: 2026/06/17
references:
  - https://otx.alienvault.com/pulse/6623...
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\Teams.exe'
      - '\ms-teams.exe'   # binary name of the new Teams client
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\regsvr32.exe'
  condition: selection
falsepositives:
  - Legitimate administrative use via Teams (rare)
level: high
---
title: Cisco SD-WAN Manager Exploitation Attempt (UAT-8616)
id: b7e6d5c4-a3b2-4f1e-8d7c-2a3b4c5d6e7f
description: Detects potential webshell access or exploitation attempts on Cisco Catalyst SD-WAN Manager based on URI patterns associated with XenShell/Godzilla.
author: Security Arsenal
date: 2026/06/17
references:
  - https://otx.alienvault.com/pulse/6624...
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
  product: apache
detection:
  selection_uri:
    cs-uri-query|contains:
      - 'jetty'
      - 'manager'
      - '.jsp'
  selection_keywords:
    cs-uri-query|contains:
      - 'exec'
      - 'cmd'
      - 'pwd'
  condition: all of selection*
falsepositives:
  - Administrative API usage
level: critical
---
title: Interlock / Rhysida Payload Execution - SystemBC and Sliver
id: a1b2c3d4-e5f6-4789-a012-34567890abcdef   # not a well-formed UUID; regenerate before loading into Sigma tooling
description: Detects execution of SystemBC proxy or Sliver C2 beacons often associated with Hive0163 and Rhysida campaigns.
author: Security Arsenal
date: 2026/06/17
references:
  - https://otx.alienvault.com/pulse/6622...
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: process_creation
  product: windows
detection:
  selection_systembc:
    Image|endswith: '\systembc.exe'
  selection_sliver:
    Image|endswith: '\sliver.exe'
  selection_certutil:
    Image|endswith: '\certutil.exe'
    CommandLine|contains: 'decode'
  condition: 1 of selection*
falsepositives:
  - Rare SystemBC legitimate use
level: high
```
```kql
// Hunt for DragonForce Teams C2 indicators and network connections.
// Flag Teams connecting outside the Microsoft ranges below, then union in process
// and file events tied to the Interlock/Rhysida tooling named in the pulses.
// The range list is an illustrative subset; replace it with the published Microsoft 365 IP list.
let MicrosoftIPs = dynamic(["13.107.42.0/24", "13.107.64.0/18", "52.112.0.0/14"]);
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("Teams.exe", "ms-teams.exe")
| where isnotempty(RemoteIP) and not(ipv4_is_in_any_range(RemoteIP, MicrosoftIPs))
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort
| extend IOCScore = "High"
| union (
    DeviceProcessEvents
    | where FileName in~ ("systembc.exe", "sliver.exe", "node.exe", "go.exe")
    // broad on purpose: "-c" also matches -command, so expect to triage these
    | where ProcessCommandLine contains "-c" or ProcessCommandLine contains "-connect"
    | project Timestamp, DeviceName, FileName, ProcessCommandLine
)
| union (
    DeviceFileEvents
    | where SHA256 in~ ("333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c", "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531")
    | project Timestamp, DeviceName, FileName, FolderPath, SHA256
)
```
```powershell
# IOC Hunt Script for Interlock/Rhysida and UAT-8616 Webshells
# Requires Administrative Privileges
Write-Host "[+] Starting Hunt for Interlock, Rhysida, and SD-WAN Indicators..." -ForegroundColor Cyan

# Check for specific Malware Processes
$MalwareProcs = @("systembc", "sliver", "godzilla", "xenshell", "xmrig", "interlock")
Write-Host "[*] Checking for running malicious processes..." -ForegroundColor Yellow
Get-Process | Where-Object { $MalwareProcs -contains $_.ProcessName.ToLower() } | ForEach-Object {
    Write-Host "[!] Suspicious Process Found: $($_.ProcessName) (PID: $($_.Id))" -ForegroundColor Red
    Write-Host "    Path: $($_.Path)"
}

# Check for Suspicious Scheduled Tasks (Common Persistence for SystemBC/Rhysida)
# Get-ScheduledTask already exposes each task's actions as objects; Export-ScheduledTask
# only returns the raw XML string, so inspect $_.Actions directly.
Write-Host "[*] Checking Scheduled Tasks for suspicious actions..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object { $_.State -eq 'Ready' } | ForEach-Object {
    $Task = $_
    foreach ($Action in $Task.Actions) {
        # '-e\b' and '-ec\b' catch the short encoded-command switches without matching -ExecutionPolicy
        if ($Action.Execute -match 'powershell|cmd|wscript' -and $Action.Arguments -match '-enc|-e\b|-ec\b|download') {
            Write-Host "[!] Suspicious Scheduled Task: $($Task.TaskPath)$($Task.TaskName)" -ForegroundColor Red
            Write-Host "    Command: $($Action.Execute) $($Action.Arguments)"
        }
    }
}

# Check Network Connections to Known C2 IP from Pulse (185.196.9.234)
Write-Host "[*] Checking for connections to known C2 infrastructure..." -ForegroundColor Yellow
$C2IP = "185.196.9.234"
Get-NetTCPConnection -RemoteAddress $C2IP -ErrorAction SilentlyContinue | ForEach-Object {
    $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] Connection to C2 ($C2IP) found via PID: $($_.OwningProcess) ($($Proc.ProcessName))" -ForegroundColor Red
}
Write-Host "[+] Hunt Complete." -ForegroundColor Green
```
Response Priorities
- Immediate:
  - Block the IP 185.196.9.234 and the domain leadslaw.com on all firewalls and proxies.
  - Isolate any endpoints matching the provided file hashes (NodeSnake, DragonForce, Webshells).
  - Audit logs for successful exploitation of CVE-2026-20182 on Cisco SD-WAN devices.
- 24 Hours:
  - Conduct a credential audit for accounts with access to Microsoft Teams and Cisco SD-WAN managers.
  - Hunt for instances of Teams.exe spawning child processes or making non-standard network connections.
  - Review EDR alerts for "SystemBC" or "Sliver" activity.
- 1 Week:
  - Patch all Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20133).
  - Implement driver allow-listing to prevent BYOVD attacks associated with DragonForce.
  - Update web filtering rules to block categories associated with SEO poisoning (Fake Updates, Torrents).