
Interlock, Rhysida & Gremlin Stealer: Converging Ransomware and Infostealer Operations — OTX Pulse Analysis

Security Arsenal Team
June 15, 2026
5 min read

Recent OTX pulses reveal a volatile threat landscape dominated by the convergence of infostealers and ransomware operations. The Hive0163 (Interlock) and Rhysida threat groups are actively deploying a complex ecosystem of malware—including NodeSnake, InterlockRAT, and Vidar—to harvest credentials and facilitate ransomware deployment. Parallel to this, the Gremlin Stealer campaign has evolved to use advanced resource-hiding obfuscation techniques to siphon sensitive data. Meanwhile, UNC6240 (ShinyHunters) is actively exploiting a critical zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft to target the education sector, and UAT-8616 is leveraging Cisco SD-WAN flaws for initial access. The collective objective is credential theft, lateral movement, and data extortion.

Threat Actor / Malware Profile

  • Hive0163 / Interlock & Rhysida:

    • Distribution: Trojanized installers, SEO poisoning (Gootloader), and SocGholish drive-by downloads.
    • Payload Behavior: Utilizes custom malware like NodeSnake (backdoor) and InterlockRAT. Employs Vidar and Berserk Stealer to harvest browser credentials and crypto wallets before deploying Interlock or Rhysida ransomware.
    • C2 Communication: Uses SystemBC for proxying and Sliver for advanced C2 operations.
    • Persistence: Scheduled tasks and registry modifications via initial downloaders (MintLoader).
  • Gremlin Stealer:

    • Distribution: Malicious attachments and bundled software.
    • Payload Behavior: An infostealer targeting payment card details, browser data, and Discord tokens. It uses instruction virtualization via a commercial packer to evade static analysis.
    • Anti-Analysis: Embeds payloads within resource files and executes them via a custom virtual machine (VM).
  • UNC6240 (ShinyHunters):

    • Distribution: Exploitation of web-facing applications (Oracle PeopleSoft).
    • Payload Behavior: Deploys MeshCentral for remote access and data exfiltration.
    • Persistence: Webshells and established persistence within the application environment.

IOC Analysis

The provided indicators span multiple categories requiring immediate operationalization:

  • Domains (leadslaw.com, azurenetfiles.net, fifaticket2026vip.com): Associated with C2 infrastructure and phishing. These should be blocked at the DNS layer and hunted in proxy logs.
  • File Hashes (SHA256, MD5, SHA1): A large volume of hashes corresponds to loaders (MintLoader), stealers (Gremlin, Vidar), and ransomware binaries. These should be loaded into EDR threat feeds and used for retrospective hunting in VDI/SAN snapshots.
  • CVEs (CVE-2026-35273, CVE-2023-36036): Critical vulnerabilities that should be prioritized in patch management, specifically for Oracle PeopleSoft and, if the context of known associated CVEs implies it, Microsoft Exchange.
  • IPs (e.g., 185.196.9.234, 176.120.22.24): C2 IPs that should be blocked at the firewall.
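
Because a pulse export mixes domains, IPs and hashes of three different lengths, the first step of operationalizing it is to sort the indicators by kind and compare each against the right thing. The following is an added example (not code from the pulse or from the Security Arsenal team) that buckets a constructed IOC list by type, dispatches hash lookups on digest length, and matches hostnames on domain boundaries so that a look-alike such as notleadslaw.com does not hit; the sample file contents and the "not an ioc!" noise line are constructed, and only the domains and IP quoted above come from the page.

```python
import hashlib
import ipaddress
import re

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex-digest length identifies the algorithm

# Constructed sample contents standing in for files on disk; digests are generated here, not invented.
SAMPLE_A = b"constructed sample A - not a real artifact"
SAMPLE_B = b"constructed sample B - not a real artifact"
RAW_IOCS = "\n".join([
    "leadslaw.com", "azurenetfiles.net", "fifaticket2026vip.com",  # domains quoted in the pulse
    "185.196.9.234",                                               # IP quoted in the pulse
    hashlib.new("md5", SAMPLE_A).hexdigest().upper(),              # mixed-case MD5 as feeds often export it
    hashlib.new("sha256", SAMPLE_B).hexdigest(),
    "   ", "not an ioc!",                                          # noise a feed export often carries
])

def classify(raw):
    """Return (kind, normalized_value) for one IOC line, or None for blank lines."""
    ioc = raw.strip().lower()
    if not ioc:
        return None
    if len(ioc) in HASH_ALGOS and re.fullmatch(r"[0-9a-f]+", ioc):
        return HASH_ALGOS[len(ioc)], ioc
    try:
        return "ip", str(ipaddress.ip_address(ioc))
    except ValueError:
        pass
    if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", ioc):
        return "domain", ioc
    return "unknown", ioc

def load_iocs(text):
    buckets = {}  # kind -> set of normalized values, so each lookup compares like with like
    for line in text.splitlines():
        if (c := classify(line)):
            buckets.setdefault(c[0], set()).add(c[1])
    return buckets

def domain_matches(hostname, domains):
    """True for the domain or any subdomain; a bare suffix test would also hit notleadslaw.com."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)

def file_matches(data, buckets):
    """Hash file content once per algorithm present in the IOC set; return the matching kind."""
    for algo in HASH_ALGOS.values():
        if algo in buckets and hashlib.new(algo, data).hexdigest() in buckets[algo]:
            return algo
    return None
```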

Detection Engineering

The following detection rules and queries are designed to identify the specific behaviors outlined in the OTX pulses.

yaml
title: Suspicious PowerShell Obfuscation - Gremlin Stealer Loader
id: 1e2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects obfuscated PowerShell commands often used by loaders like MintLoader or Gremlin Stealer to download payloads.
status: experimental
date: 2026/06/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/12345
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'FromBase64String'
            - 'IEX'
            - 'Invoke-Expression'
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: high
tags:
    - attack.execution
    - attack.t1059.001
---
title: Network Connection to Interlock/Rhysida C2 Infrastructure
id: 2f3c4d5e-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Identifies connections to domains and IPs associated with Hive0163 and ShinyHunters C2.
status: experimental
date: 2026/06/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/12345
logsource:
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'leadslaw.com'
            - 'azurenetfiles.net'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.command_and_control
    - attack.t1071
---
title: Potential Webshell Activity - ShinyHunters MeshCentral
id: 3d4e5f6a-7b8c-9d0e-1f2a-3b4c5d6e7f8a
description: Detects suspicious process creation patterns associated with webshells or MeshCentral agent activity on web servers.
status: experimental
date: 2026/06/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/12345
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|contains:
            - '\w3wp.exe'
            - '\java.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - System administration tasks
level: high
tags:
    - attack.persistence
    - attack.t1505.003
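
To see how the three selections above behave on real telemetry before shipping them, it helps to evaluate them against a few events by hand. The following is an added example (not part of the pulse or the Security Arsenal rules) that encodes the three selection blocks as dictionaries and applies Sigma's default semantics: string matching is case-insensitive, a list of values is OR, and fields within one selection are AND; the four events are constructed, and the file paths and command lines in them are assumptions.

```python
# Sigma selection blocks from the three rules above, keyed by a short name.
RULES = {
    "gremlin_loader_ps": {
        "Image|endswith": ["\\powershell.exe"],
        "CommandLine|contains": ["FromBase64String", "IEX", "Invoke-Expression"],
    },
    "interlock_c2_domain": {
        "DestinationHostname|contains": ["leadslaw.com", "azurenetfiles.net"],
    },
    "webshell_child_process": {
        "ParentImage|contains": ["\\w3wp.exe", "\\java.exe"],
        "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"],
    },
}

def field_matches(value, modifier, patterns):
    """Sigma string matching is case-insensitive; a list of patterns is OR."""
    v = value.lower()
    for p in (x.lower() for x in patterns):
        if (modifier == "endswith" and v.endswith(p)) or (modifier == "contains" and p in v):
            return True
    return False

def selection_matches(selection, event):
    """Every field in a selection must match (AND); a missing field is a miss."""
    for key, patterns in selection.items():
        field, modifier = key.split("|", 1)
        if field not in event or not field_matches(str(event[field]), modifier, patterns):
            return False
    return True

def evaluate(event):
    return [name for name, sel in RULES.items() if selection_matches(sel, event)]

# Constructed sample events (not real telemetry); one benign PowerShell run shows the rule's floor.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex ([Convert]::FromBase64String($b))"'},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "CommandLine": "cmd.exe /c echo probe"},
    {"DestinationHostname": "cdn.azurenetfiles.net", "DestinationPort": 443},
    {"Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -File C:\\Scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(evaluate(ev) or "no match", ev.get("CommandLine") or ev.get("DestinationHostname"))
```

Note that the lowercase `iex` in the first event still fires, which is the case-insensitivity the rule relies on, while the unobfuscated backup script does not.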


kql
// Hunt for connections to known malicious domains from OTX Pulses
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ ("leadslaw.com", "azurenetfiles.net", "fifaticket2026vip.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP

// Hunt for specific file hashes mentioned in pulses
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f",
    "2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35"
)
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessAccountName


powershell
<#
.SYNOPSIS
    IOC Hunt Script for OTX Pulse 2026-06-15
.DESCRIPTION
    Checks the system for specific file hashes and hosts-file artifacts associated with Interlock, Gremlin, and ShinyHunters.
#>

# The pulse mixes SHA256 and MD5 indicators. They are kept in separate lists so each file
# is compared against the digest of the matching algorithm (an MD5 IOC can never equal a SHA256 digest).
$TargetSha256 = @(
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
)
$TargetMd5 = @(
    "f0b3e112ce4807a28e2b5d66a840ed7f",
    "ebcf977806f68af3147e0b78b55f6aed"
)

function Get-FileHashByAlgorithm {
    param (
        [string]$Path,
        [string]$Algorithm = 'SHA256'
    )
    if (Test-Path $Path) {
        return (Get-FileHash -Path $Path -Algorithm $Algorithm -ErrorAction SilentlyContinue).Hash
    }
    return $null
}

Write-Host "[+] Scanning common download directories for malicious files..."
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:TEMP", "C:\ProgramData")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            # Get-FileHash returns uppercase hex; -in compares case-insensitively, so the lowercase IOCs still match.
            $Sha256 = Get-FileHashByAlgorithm -Path $_.FullName -Algorithm SHA256
            $Md5    = Get-FileHashByAlgorithm -Path $_.FullName -Algorithm MD5
            if ($Sha256 -in $TargetSha256) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | SHA256: $Sha256" -ForegroundColor Red
            } elseif ($Md5 -in $TargetMd5) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | MD5: $Md5" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking Hosts file for C2 domains..."
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$MaliciousDomains = @("leadslaw.com", "azurenetfiles.net", "fifaticket2026vip.com")

if (Test-Path $HostsPath) {
    $Content = Get-Content $HostsPath
    foreach ($Domain in $MaliciousDomains) {
        # -match takes a regex; escape the domain so its dots match literally instead of any character.
        if ($Content -match [regex]::Escape($Domain)) {
            Write-Host "[!] POTENTIAL HOSTS FILE HIJACKING DETECTED: $Domain found in $HostsPath" -ForegroundColor Yellow
        }
    }
}

Write-Host "[+] Scan Complete."

Response Priorities

Immediate:

  1. Block all listed domains (leadslaw.com, azurenetfiles.net, fifaticket2026vip.com) and IPs at the perimeter firewall and proxy.
  2. Initiate a hunt for the SHA256 file hashes provided in the pulses across all endpoints.
  3. Patch CVE-2026-35273 (Oracle PeopleSoft) and CVE-2023-36036 immediately if assets are vulnerable.

24 Hours:

  1. Conduct credential resets for accounts found on devices with suspected stealer infections (Gremlin/Vidar).
  2. Review network logs for any successful connections to the identified IOCs within the last 30 days.
  3. Isolate systems exhibiting MeshCentral or Sliver C2 activity.

1 Week:

  1. Harden SD-WAN infrastructure against UAT-8616 TTPs (disable unused management interfaces).
  2. Update EDR signatures to detect the specific obfuscation techniques used by Gremlin Stealer.
  3. Implement application-specific filtering for Oracle PeopleSoft environments to detect webshell upload attempts.
