Recent OTX pulse data indicates a convergence of high-profile ransomware operations and sophisticated infostealer campaigns targeting a broad spectrum of industries. The intelligence highlights the continued evolution of the Interlock and Rhysida ecosystems (tracked as Hive0163, TAG-124), which have been active for over two years utilizing custom malware like NodeSnake, InterlockRAT, and the Rhysida ransomware payload.
Simultaneously, distinct campaigns involving Gremlin Stealer and DragonForce demonstrate novel evasion and communication techniques. Gremlin Stealer is now utilizing commercial packing utilities with instruction virtualization to hide payloads, while DragonForce actors are weaponizing Microsoft Teams relay infrastructure (Backdoor.Turn) to mask C2 traffic as legitimate Microsoft traffic. Additionally, a campaign targeting gamers via Steam Workshop is distributing Lumma, Vidar, and DarkComet via malicious wallpapers.
Collectively, these campaigns focus on credential theft, initial access brokerage, and ultimately, data extortion. The use of legitimate platforms like Teams and Steam for distribution or C2 highlights a "Living off the Land" (LotL) trend designed to bypass traditional network perimeter defenses.
Threat Actor / Malware Profile
Interlock / Rhysida (Hive0163, TAG-124)
- Malware Families: NodeSnake, InterlockRAT, JunkFiction, Supper, Interlock Ransomware, Endico, Broomstick, Tomb crypter, Rhysida Ransomware.
- Distribution: Trojanized installers, exploitation of vulnerabilities (e.g., CVE-2023-36036).
- Payload Behavior: Initial access leads to custom downloaders (JunkFiction, Endico) which deploy loaders like Supper and crypters like Tomb. Final payloads include RATs (InterlockRAT) for lateral movement and data theft, and ransomware.
- C2 Communication: Custom HTTP/HTTPS protocols; NodeSnake provides sophisticated backdoor capabilities.
- Persistence: Scheduled tasks, service installation (common for Supper/Broomstick).
Gremlin Stealer
- Malware Families: Gremlin Stealer, Agent Tesla, GuLoader, Lokibot, Quasar RAT.
- Distribution: Phishing emails with malicious attachments or links.
- Payload Behavior: Siphons sensitive information (payment card details, browser data, crypto wallets).
- Anti-Analysis: Uses sophisticated commercial packing utilities with instruction virtualization (custom bytecode executed by a private VM) to hinder static analysis.
DragonForce
- Malware Families: Backdoor.Turn (Go-based), DragonForce Ransomware.
- Distribution: Likely via phishing or exploits targeting vulnerable drivers (CVEs mentioned: CVE-2023-52271, CVE-2025-61155, CVE-2025-1055).
- C2 Communication: Novel Technique: Conceals C2 traffic within Microsoft Teams TURN relay servers using anonymous visitor tokens, making traffic appear as legitimate Microsoft collaboration traffic.
Steam Workshop Campaign
- Malware Families: Lumma, Vidar, DarkComet, Fynloski, Krademok, RenEngine.
- Distribution: Malicious "live wallpapers" on the Steam Workshop platform (Wallpaper Engine).
- Payload Behavior: Infostealers targeting gaming credentials and session tokens, often delivered via RAR archives hosted on Dropbox or Google Drive.
IOC Analysis
The provided IOCs span multiple categories, requiring a multi-layered defense strategy:
- Domains:
  - leadslaw.com (associated with Interlock/Rhysida infrastructure).
- File Hashes (MD5, SHA1, SHA256): Numerous hashes associated with payloads for Gremlin Stealer, DragonForce, and the Steam campaign. SOC teams should prioritize checking these against EDR telemetry and cloud storage logs.
- CVEs:
  - CVE-2023-36036: Microsoft Exchange Server vulnerability (Elevation of Privilege).
  - CVE-2025-61155, CVE-2025-1055, CVE-2023-52271: Vulnerabilities related to drivers or BYOVD (Bring Your Own Vulnerable Driver) tactics used by DragonForce.
  - CVE-2026-20128, CVE-2026-20133: Cisco Catalyst SD-WAN vulnerabilities (Authentication Bypass).
- IPs:
  - 185.196.9.234 (C2 or distribution node).
- URLs: Dropbox and Google Drive links used in the Steam campaign (https://www.dropbox.com/s/..., https://docs.google.com/uc?...). These should be blocked at the proxy.
Operationalization:
- EDR/SIEM: Load file hashes into "Block" or "Alert" lists. Monitor for process executions matching these hashes.
- Network: Block listed domains and IPs at the firewall/proxy. Implement SSL inspection to detect payloads hidden within encrypted traffic mimicking legitimate sites.
- Vulnerability Management: Prioritize patching for the listed CVEs, especially the Cisco SD-WAN and Exchange vulnerabilities.
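An added example (not part of the report or its source pulse) of matching the indicators above against proxy and EDR telemetry: domain matches include subdomains, hashes match regardless of case, and because the report truncates the Dropbox/Google Drive links, they are treated as URL prefixes (an assumption) so that anything under them is surfaced for review. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Indicators from the report; the cloud links are truncated there, so they are treated as URL prefixes (assumption).
IOC_DOMAINS = {"leadslaw.com"}
IOC_IPS = {"185.196.9.234"}
IOC_SHA256 = {
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",  # Interlock/Rhysida
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",  # Gremlin
    "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531",  # DragonForce
    "fc586cad94e5a10dd5be6a6ae6096bd02dfbfd094365bec87e788ed0798d6f67",  # Steam/Vidar
}
IOC_URL_PREFIXES = ("https://www.dropbox.com/s/", "https://docs.google.com/uc?")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

def domain_matches(host):
    """True for an IOC domain or any subdomain of it; case-insensitive, trailing dot tolerated."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def match_proxy(line):
    """Constructed proxy format: '<ts> <client_ip> <dest_ip> <url>'. Returns the list of hits."""
    _ts, _client, dest_ip, url = line.split(maxsplit=3)
    hits = []
    host = urlsplit(url).hostname or ""
    if domain_matches(host):
        hits.append("domain:" + host)
    if dest_ip in IOC_IPS:  # also catches direct-to-IP fetches, where there is no hostname to match
        hits.append("ip:" + dest_ip)
    if url.lower().startswith(IOC_URL_PREFIXES):
        hits.append("url-prefix:" + url)
    return hits

def match_edr(line):
    """Constructed EDR format: '<ts> <host> <sha256> <image_path>'; hash case is ignored."""
    m = SHA256_RE.search(line)
    return ["sha256:" + m.group(0).lower()] if m and m.group(0).lower() in IOC_SHA256 else []

SAMPLE_PROXY = [  # constructed sample telemetry, not real captures
    "2026-06-16T10:01:00Z 10.0.0.5 203.0.113.10 https://cdn.leadslaw.com/update.bin",
    "2026-06-16T10:02:00Z 10.0.0.5 185.196.9.234 http://185.196.9.234/s.php",
    "2026-06-16T10:03:00Z 10.0.0.7 198.51.100.1 https://www.dropbox.com/s/abc/wallpaper.rar?dl=1",
]
SAMPLE_EDR = [  # constructed; the first hash is the Gremlin indicator in uppercase, the second is benign
    "2026-06-16T10:05:00Z WS-07 1BD0A200528C82C6488B4F48DD6DBC818D48782A2E25CCD22781C5718C3F62F5 C:\\Users\\u\\Downloads\\inv.exe",
    "2026-06-16T10:06:00Z WS-07 " + "0" * 64 + " C:\\Windows\\System32\\notepad.exe",
]
```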
Detection Engineering
Sigma Rules
---
title: Potential Gremlin Stealer or Packed Payload Execution
id: 9a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects execution of processes with characteristics common to heavily packed malware or known stealers like Gremlin, based on process creation and metadata anomalies.
status: experimental
date: 2026/06/16
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/67565a8c4f5c969852b7e38e
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1027
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '.exe'
        CommandLine|contains:
            - '-enc'          # encoded PowerShell, common in obfuscated loaders
            - 'vbc.exe'       # on-the-fly compilation of dropped source
            - 'regsvr32.exe'  # LOLBin used by some loaders
    filter_legit:
        ParentImage|contains:
            - '\Program Files\'
            - '\Windows\System32\'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative scripts
level: high
---
title: Suspicious Microsoft Teams Relay Network Traffic (DragonForce)
id: b1c2d3e4-f5a6-b7c8-d9e0-f1a2b3c4d5e6
description: Detects potential use of Microsoft Teams TURN servers by unauthorized processes, a technique used by DragonForce/Backdoor.Turn to mask C2 traffic.
status: experimental
date: 2026/06/16
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/67565a8c4f5c969852b7e38e
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - '.relay.skype.com'
            - '.teams.microsoft.com'
        Initiated: 'true'
    filter_legit_clients:
        Image|contains:
            - '\Microsoft\Teams\'
            - '\Microsoft\MsTeams\'
            - '\WindowsApps\MSTeams_'
    condition: selection and not filter_legit_clients
falsepositives:
    - Third-party applications legitimately integrating with Teams
level: critical
---
title: Cisco SD-WAN Vulnerability Exploitation Attempt
id: c3d4e5f6-a7b8-c9d0-e1f2-a3b4c5d6e7f8
description: Detects exploitation attempts against Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20128, CVE-2026-20133) often associated with webshell deployment.
status: experimental
date: 2026/06/16
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/67565a8c4f5c969852b7e38e
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
    product: apache
detection:
    selection_uri:
        cs-uri-query|contains:
            - 'vpncluster/api'
            - 'sdwan'
    selection_keywords:
        cs-uri-query|contains:
            - '%3Cscript%3E'   # URL-encoded script tag injection
            - 'union+select'   # SQL injection probe
            - 'cmd.exe'
            - 'powershell.exe'
    condition: selection_uri and selection_keywords
falsepositives:
    - Vulnerability scanners and authorized penetration tests (low volume)
level: high
KQL (Microsoft Sentinel)
// Hunt for non-Teams processes reaching Microsoft Teams relay infrastructure
// (DragonForce / Backdoor.Turn C2 masquerading as collaboration traffic).
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("relay.skype.com", "teams.microsoft.com")
| where InitiatingProcessFolderPath !contains @"Microsoft\Teams"
    and InitiatingProcessFolderPath !contains @"WindowsApps\MSTeams"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemotePort

// Hunt for file hashes from the pulses (in~ ignores hash case)
DeviceProcessEvents
| where Timestamp > ago(30d)
| where SHA256 in~ (
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c", // Interlock/Rhysida
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5", // Gremlin
    "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531"  // DragonForce
)
| project Timestamp, DeviceName, FileName, ProcessCommandLine, FolderPath, SHA256

// Hunt for RAR extraction tied to Steam / Wallpaper Engine (malicious live-wallpaper campaign)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("rar.exe", "winrar.exe", "unrar.exe") or ProcessCommandLine contains ".rar"
| where ProcessCommandLine has_any ("Steam", "Wallpaper Engine") or FolderPath contains "Steam"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath
PowerShell Hunt Script
<#
.SYNOPSIS
    IOC Hunt Script for OTX Pulse Data (Interlock, Gremlin, DragonForce, Steam)
.DESCRIPTION
    Checks local drives for the listed file hashes and looks for established
    connections to Microsoft Teams relay infrastructure from processes that are
    not the Teams client (DragonForce / Backdoor.Turn C2 masquerading).
    Run from an elevated session: Get-Process -IncludeUserName requires it.
#>
$IOC_Hashes = @(
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c", # Interlock/Rhysida
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5", # Gremlin
    "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531", # DragonForce
    "fc586cad94e5a10dd5be6a6ae6096bd02dfbfd094365bec87e788ed0798d6f67"  # Steam/Vidar
)

Write-Host "[*] Checking for malicious file hashes on local drives..."
$Drives = @("C:\", "D:\")
foreach ($Drive in $Drives) {
    if (Test-Path $Drive) {
        # -File skips directories; unreadable or locked files are skipped silently
        Get-ChildItem -Path $Drive -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -gt 0 } |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                # -contains compares case-insensitively, so Get-FileHash's uppercase output matches the list
                if ($hash -and ($IOC_Hashes -contains $hash)) {
                    Write-Host "[!] MATCH FOUND: $($_.FullName) - Hash: $hash" -ForegroundColor Red
                }
            }
    }
}

Write-Host "[*] Checking for suspicious network connections (mimicking Teams)..."
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
$Processes = Get-Process -IncludeUserName
foreach ($Conn in $Connections) {
    try {
        $Proc = $Processes | Where-Object { $_.Id -eq $Conn.OwningProcess }
        if ($Proc) {
            # Reverse lookup of the peer; addresses without a PTR record throw and are skipped below
            $RemoteAddr = [System.Net.Dns]::GetHostEntry($Conn.RemoteAddress).HostName
            if ($RemoteAddr -like "*relay.skype.com" -or $RemoteAddr -like "*teams.microsoft.com") {
                # Only the installed Teams clients are expected to talk to the relay
                if ($Proc.Path -notlike "*Microsoft\Teams*" -and $Proc.Path -notlike "*WindowsApps\MSTeams*") {
                    Write-Host "[!] SUSPICIOUS: Process $($Proc.ProcessName) (PID: $($Proc.Id)) connecting to Teams Relay ($RemoteAddr). Path: $($Proc.Path)" -ForegroundColor Yellow
                }
            }
        }
    } catch { continue }
}
Write-Host "[*] Hunt complete."
Response Priorities
Immediate
- Block IOCs: Immediately block all listed domains (leadslaw.com), URLs (Dropbox/Google Drive links), and IPs (185.196.9.234) at the perimeter firewall and secure web gateways.
- Hunt for Malware: Execute the provided PowerShell script or KQL queries to scan endpoints for the presence of the listed file hashes and suspicious process activity.
- Network Analysis: Inspect logs for any traffic to Microsoft Teams relay infrastructure originating from non-Microsoft Teams binaries (potential DragonForce activity).
24 Hours
- Credential Audit: If infostealer activity (Gremlin, Lumma, Vidar) is suspected or confirmed, initiate a forced password reset for all accounts, especially privileged ones, and review recent authentication logs for anomalous access.
- Vulnerability Scanning: Scan the environment for the Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20128, CVE-2026-20133) and Microsoft Exchange vulnerabilities (CVE-2023-36036) and patch immediately.
- Steam Policy: Alert users to the malicious Wallpaper Engine campaign and consider blocking access to Steam Workshop or restricting .rar execution if non-business critical.
1 Week
- Architecture Hardening: Implement strict allow-listing for applications allowed to communicate with Microsoft 365 services to prevent "Teams masquerading" attacks.
- EDR Tuning: Update EDR detection rules to flag processes attempting to reach Teams infrastructure without being signed by Microsoft.
- User Awareness: Conduct security awareness training highlighting the risks of downloading "free" software, wallpapers, and trojanized installers.