Analysis of the latest AlienVault OTX pulses indicates a highly active and diverse threat landscape dominated by sophisticated credential theft, ransomware-as-a-service (RaaS), and novel command-and-control (C2) evasion techniques. The data reveals a convergence of several distinct campaigns:
- RaaS Ecosystem Evolution: The INC ransomware group has ascended to a top-tier threat, capitalizing on the disruption of LockBit and BlackCat. They now employ Rust-based encryptors for cross-platform impact (Windows/Linux/ESXi). Simultaneously, the "Interlock" (Hive0163) and Rhysida ecosystem continues to leverage a complex supply chain of custom malware like NodeSnake, InterlockRAT, and various downloaders (Endico, JunkFiction) to facilitate initial access and credential theft before ransomware deployment.
- AI-Powered Credential Theft: A novel campaign targeting Brazilian finance employs AI-generated typosquatting domains and "ClickFix" social engineering. Victims are tricked into executing malicious PowerShell via fake CAPTCHAs, delivering the SmartRAT banking trojan, which specializes in credential interception and QR code manipulation.
- Living-Off-The-Land (LoL) and Application Abuse: The DragonForce group has weaponized Microsoft Teams' infrastructure, using a custom Go-based backdoor (Backdoor.Turn) to tunnel C2 traffic through legitimate TURN relay servers. This effectively bypasses traditional network detection. In a separate campaign, threat actors are abusing the Steam Workshop platform, distributing malware-laden wallpapers for Wallpaper Engine that deliver infostealers like Lumma and Vidar to gamers.
The collective objective of these actors is financial gain through either direct data extortion (ransomware) or the theft and sale of credentials and banking information.
Threat Actor / Malware Profile
Adversary: Hive0163 (Interlock), Rhysida, INC, DragonForce, Unknown (SmartRAT/Steam campaigns).
Malware Families: NodeSnake, InterlockRAT, JunkFiction, SmartRAT, Backdoor.Turn (DragonForce), Lumma, Vidar, Brave Prince.
Distribution Method
- RaaS (INC, Rhysida/Interlock): Initial access is often gained through trojanized installers (tagged as CVE-2026-20131, CVE-2023-36036), exploit kits like SocGholish, or other downloaders (MintLoader). These campaigns leverage a vast network of C2 domains and compromised IPs.
- SmartRAT: AI-generated typosquatting domains impersonating a Brazilian bank. Distribution is via "ClickFix" - fake CAPTCHA and Blue Screen of Death (BSOD) prompts that deceive users into running malicious PowerShell commands.
- DragonForce: The attack begins with the deployment of the Backdoor.Turn payload, which then abuses anonymous visitor tokens to connect to Microsoft Teams relay servers.
- Steam Malware: Malicious code is embedded in popular Wallpaper Engine projects shared on Steam Workshop, targeting users who install these "live wallpapers."
Payload Behavior
- RaaS (INC): Uses a Rust-based encryptor to lock files on both Windows and Linux/ESXi systems, executing a double-extortion model (encryption + data leak).
- SmartRAT: A PowerShell-based banking trojan. Its key capabilities include intercepting and manipulating QR codes used for banking authentication and establishing encrypted C2 communications.
- Backdoor.Turn: A custom Go-written RAT. Its primary function is to proxy all malicious C2 traffic through legitimate Microsoft Teams TURN servers, making it appear as standard Microsoft traffic.
- Steam Infostealers (Lumma, Vidar): Once a wallpaper is executed, these payloads harvest system information, browser cookies, saved credentials, and cryptocurrency wallet data.
C2 Communication
- General RaaS: Communicates with traditional C2 domains and IPs (e.g., `185.196.9.234`, `leadslaw.com`). INC also operates .onion sites for victim negotiation.
- SmartRAT: Uses encrypted C2 channels.
- Backdoor.Turn: Abuses Microsoft Teams' infrastructure. Traffic is routed through Teams TURN relay servers, masquerading as legitimate `*.teams.microsoft.com` or related traffic.
- Steam Malware: May use cloud storage URLs (e.g., Dropbox, Google Drive) for payload delivery, as seen in IOCs.
Persistence Mechanism
- General: Scheduled tasks, registry run keys, and DLL side-loading are common across these campaigns. DragonForce specifically employs vulnerable drivers (BYOVD) for persistence and defense evasion.
- Steam Malware: Persists by installing as part of the Wallpaper Engine, a trusted application that runs at system startup.
Anti-Analysis Techniques
- RaaS (INC): The use of a Rust-based encryptor significantly increases the complexity of static analysis and reverse engineering.
- General: Many payloads are packed, or crypters such as Tomb are used to obfuscate the final malware.
IOC Analysis
The provided OTX pulses yield a rich set of Indicators of Compromise (IOCs) that SOC teams can operationalize.
- Domain Names & URLs: Typosquatted domains (e.g., `crefisa.online`), RaaS negotiation sites (e.g., `incblog.su`, `*.onion`), and payload delivery URLs (e.g., `dropbox.com`, `docs.google.com`). These should be blocked at the perimeter and DNS level.
- File Hashes (MD5, SHA1, SHA256): A large number of hashes for droppers, downloaders, and final payloads (e.g., `f0b3e112ce4807a28e2b5d66a840ed7f`). These are for use in EDR, antivirus, and SIEM correlation searches to find malicious files on endpoints.
- IP Addresses: C2 server IPs like `185.196.9.234` and `162.141.111.227`. These are suitable for firewall and network device blocklists.
- CVEs: References to CVEs (e.g., CVE-2023-36036, CVE-2025-61155) point to specific vulnerabilities exploited for initial access or privilege escalation. These should be tracked in vulnerability management programs.
SOC Operationalization:
- Blocklists: Immediately add domains, URLs, and IPs to firewall, proxy, and DNS blocklists.
- EDR / AV Signature Creation: Create detections for the provided file hashes.
- SIEM Correlation: Ingest IOCs into the SIEM to correlate with endpoint, network, and authentication logs. Search for matches in `DeviceFileEvents` (for hashes) and `DeviceNetworkEvents` (for domains/IPs).
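The correlation step above is easy to get wrong in two ways: a mixed IOC list holds MD5, SHA1 and SHA256 values side by side, so each must be compared against the right log field, and a domain IOC should match its subdomains but not look-alike names. The following Python script is an added example (not the briefing's code and not an OTX or Sentinel tool) that buckets a raw IOC list by type and runs it over a handful of constructed endpoint records shaped like `DeviceNetworkEvents`/`DeviceFileEvents` rows. The domain, IP and hash values are the ones quoted in the briefing; the device names and log records are constructed for the demonstration.

```python
"""Correlate a mixed IOC list against constructed endpoint log records.

Added example; not the briefing's own code. IOC values are those quoted in the
briefing, every log record below is constructed for the demo.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# IOCs as quoted in the briefing (domains, IPs, one MD5, one SHA256).
RAW_IOCS = [
    "leadslaw.com",
    "incblog.su",
    "crefisa.online",
    "185.196.9.234",
    "162.141.111.227",
    "f0b3e112ce4807a28e2b5d66a840ed7f",
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
]

HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(value: str) -> str:
    """Bucket a raw IOC so it is compared against the matching log field."""
    v = value.strip().lower()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    return "domain"


def build_ioc_set(raw: Iterable[str]) -> Dict[str, set]:
    buckets: Dict[str, set] = {k: set() for k in ("ip", "domain", "md5", "sha1", "sha256")}
    for value in raw:
        buckets[classify(value)].add(value.strip().lower())
    return buckets


def domain_hit(hostname: str, domains: set) -> bool:
    """Match the IOC domain itself or any subdomain of it (cdn.leadslaw.com),
    but never a look-alike such as notleadslaw.com."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def match_record(record: Dict[str, str], iocs: Dict[str, set]) -> List[str]:
    """Return the reasons one normalized log record matches the IOC set."""
    reasons = []
    if record.get("RemoteIP", "").strip() in iocs["ip"]:
        reasons.append(f"ip:{record['RemoteIP']}")
    if domain_hit(record.get("RemoteUrl", ""), iocs["domain"]):
        reasons.append(f"domain:{record['RemoteUrl']}")
    for algo in ("md5", "sha1", "sha256"):
        digest = record.get(algo.upper(), "").lower()   # EDR columns are MD5/SHA1/SHA256
        if digest and digest in iocs[algo]:
            reasons.append(f"{algo}:{digest}")
    return reasons


# Constructed records; RFC 5737 documentation addresses stand in for benign peers.
SAMPLE_RECORDS = [
    {"DeviceName": "ws-01", "RemoteUrl": "cdn.leadslaw.com", "RemoteIP": "203.0.113.10"},
    {"DeviceName": "ws-02", "RemoteUrl": "notleadslaw.com", "RemoteIP": "203.0.113.11"},
    {"DeviceName": "ws-03", "RemoteUrl": "", "RemoteIP": "185.196.9.234"},
    {"DeviceName": "ws-04", "FileName": "setup.exe", "MD5": "F0B3E112CE4807A28E2B5D66A840ED7F"},
    {"DeviceName": "ws-05", "FileName": "readme.txt", "SHA256": "0" * 64},
]


def hunt(records: Iterable[Dict[str, str]], raw_iocs: Iterable[str] = RAW_IOCS) -> Dict[str, List[str]]:
    """Map each device with at least one IOC match to the list of reasons."""
    iocs = build_ioc_set(raw_iocs)
    hits: Dict[str, List[str]] = {}
    for record in records:
        reasons = match_record(record, iocs)
        if reasons:
            hits[record["DeviceName"]] = reasons
    return hits


if __name__ == "__main__":
    for device, reasons in hunt(SAMPLE_RECORDS).items():
        print(device, reasons)
```

Running it flags ws-01 (subdomain of an IOC domain), ws-03 (C2 IP) and ws-04 (the MD5, despite the upper-case hash in the log), while ws-02's look-alike domain and ws-05's unknown hash stay quiet.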
Detection Engineering
Sigma Rules
```yaml
title: Potential SmartRAT ClickFix PowerShell Execution
description: Detects PowerShell commands often associated with the SmartRAT "ClickFix" campaign, which uses fake CAPTCHA and BSOD prompts to trick users into execution.
author: Security Arsenal
date: 2026/06/18
references:
  - https://otx.alienvault.com/pulse/667... # ClickFix Pulse
status: experimental
tags:
  - attack.defense_evasion
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_iex:
    CommandLine|contains:
      - 'Invoke-Expression'
      - 'IEX'
  # Kept as a separate selection: a YAML mapping cannot repeat the
  # CommandLine|contains key, and the rule requires both an IEX token and a lure string.
  selection_lure:
    CommandLine|contains:
      - 'CAPTCHA'
      - 'BSOD'
      - 'ClickFix'
      - 'Blue Screen'
      - 'Verify you are human'
  condition: all of selection_*
falsepositives:
  - Legitimate PowerShell scripts with similar strings (low likelihood)
level: high
```

```yaml
title: Suspicious Microsoft Teams Relay Network Traffic
description: Detects unusual network connections to Microsoft Teams-related infrastructure from a process not typically associated with Teams, potentially indicating Backdoor.Turn C2 activity.
author: Security Arsenal
date: 2026/06/18
references:
  - https://otx.alienvault.com/pulse/668... # DragonForce Pulse
status: experimental
tags:
  - attack.command_and_control
  - attack.t1071.004
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|endswith:
      - '.relay.microsoft.com'
      - '.teams.microsoft.com'
    Initiated: 'true'
  filter:
    Image|endswith:
      - '\ms-teams.exe'
      - '\teams.exe'
      - '\Microsoft.Teams.exe'
  condition: selection and not filter
falsepositives:
  - Other legitimate Microsoft applications using Teams infrastructure (rare)
level: high
```

```yaml
title: Steam Wallpaper Engine Suspicious File Creation
description: Detects suspicious file creation events within the Steam Wallpaper Engine directory tree, which could indicate a malicious wallpaper dropping a payload like Lumma or Vidar.
author: Security Arsenal
date: 2026/06/18
references:
  - https://otx.alienvault.com/pulse/669... # Steam Pulse
status: experimental
tags:
  - attack.initial_access
  - attack.t1192
logsource:
  category: file_create
  product: windows
detection:
  selection:
    TargetFilename|contains: '\steamapps\common\wallpaper_engine\'
    TargetFilename|endswith:
      - '.exe'
      - '.dll'
      - '.bat'
      - '.ps1'
  filter:
    TargetFilename|contains: '\projects\' # Project files are expected
  condition: selection and not filter
falsepositives:
  - Legitimate, user-installed projects or plugins (verify)
level: medium
```
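Before shipping rules like these it helps to check what the conditions actually match. The Python below is an added example, not part of the briefing and not a Sigma library (pySigma or sigma-cli would be used for real conversion); it implements only the modifiers these three rules use (`endswith`, `contains`, plain equality) and their two condition shapes (`all of selection_*` and `selection and not filter`), then runs each rule over constructed process, network and file events. The event contents, paths and hostnames are constructed; the rule logic mirrors the three rules above.

```python
"""Evaluate the briefing's three Sigma detections against constructed events.

Added example; not the briefing's code and not a Sigma implementation. Only
the modifiers and conditions the three rules use are implemented, and every
event below is constructed for the demonstration.
"""
from typing import Any, Dict

Event = Dict[str, Any]


def field_matches(event: Event, key: str, expected: Any) -> bool:
    """One 'Field|modifier: value(s)' pair; a list of values means 'any of'.
    Sigma string matching is case-insensitive by default, so compare lowercased."""
    name, _, modifier = key.partition("|")
    actual = str(event.get(name, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for raw in values:
        value = str(raw).lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event: Event, selection: Dict[str, Any]) -> bool:
    """Every pair inside one selection must hold (Sigma ANDs them)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


# Rule 1 (ClickFix): image AND an IEX token AND a lure string, as three selections,
# because one YAML mapping cannot carry CommandLine|contains twice.
CLICKFIX = {
    "selection_img": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
    "selection_iex": {"CommandLine|contains": ["Invoke-Expression", "IEX"]},
    "selection_lure": {"CommandLine|contains": ["CAPTCHA", "BSOD", "ClickFix", "Blue Screen", "Verify you are human"]},
}
# Rule 2 (Teams relay): outbound connection to Teams infrastructure from anything but the Teams client.
TEAMS_RELAY = {
    "selection": {"DestinationHostname|endswith": [".relay.microsoft.com", ".teams.microsoft.com"], "Initiated": "true"},
    "filter": {"Image|endswith": ["\\ms-teams.exe", "\\teams.exe", "\\Microsoft.Teams.exe"]},
}
# Rule 3 (Wallpaper Engine): executable content written under the game directory, outside \projects\.
STEAM_WALLPAPER = {
    "selection": {"TargetFilename|contains": "\\steamapps\\common\\wallpaper_engine\\",
                  "TargetFilename|endswith": [".exe", ".dll", ".bat", ".ps1"]},
    "filter": {"TargetFilename|contains": "\\projects\\"},
}


def clickfix_alert(event: Event) -> bool:
    """condition: all of selection_*"""
    return all(selection_matches(event, s) for s in CLICKFIX.values())


def selection_not_filter(rule: Dict[str, Dict[str, Any]], event: Event) -> bool:
    """condition: selection and not filter"""
    return selection_matches(event, rule["selection"]) and not selection_matches(event, rule["filter"])


def teams_relay_alert(event: Event) -> bool:
    return selection_not_filter(TEAMS_RELAY, event)


def steam_wallpaper_alert(event: Event) -> bool:
    return selection_not_filter(STEAM_WALLPAPER, event)


# Constructed events (no real telemetry); command lines carry only the tokens the rule keys on.
PROCESS_EVENTS = {
    "lure_and_iex": {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
                     "CommandLine": 'pwsh.exe -NoProfile -Command "Invoke-Expression $script" # Verify you are human'},
    "admin_iex_only": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "CommandLine": "powershell.exe -NoProfile -Command Invoke-Expression (Get-Content C:\\ops\\inventory.ps1 -Raw)"},
    "lure_in_cmd": {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo CAPTCHA IEX"},
}
NETWORK_EVENTS = {
    "unknown_binary": {"Image": r"C:\Users\u\AppData\Local\Temp\svchost32.exe",
                       "DestinationHostname": "52.relay.teams.microsoft.com", "Initiated": True},
    "real_client": {"Image": r"C:\Program Files\WindowsApps\MSTeams_1.0\ms-teams.exe",
                    "DestinationHostname": "52.relay.teams.microsoft.com", "Initiated": True},
    "inbound": {"Image": r"C:\Users\u\AppData\Local\Temp\svchost32.exe",
                "DestinationHostname": "52.relay.teams.microsoft.com", "Initiated": False},
}
WE = r"C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine"
FILE_EVENTS = {
    "engine_dir_exe": {"TargetFilename": WE + r"\bin\update.exe"},
    "project_scene": {"TargetFilename": WE + r"\projects\myprojects\scene.exe"},
    "engine_dir_image": {"TargetFilename": WE + r"\bin\logo.png"},
}


def run_all() -> Dict[str, Dict[str, bool]]:
    return {
        "clickfix": {k: clickfix_alert(e) for k, e in PROCESS_EVENTS.items()},
        "teams_relay": {k: teams_relay_alert(e) for k, e in NETWORK_EVENTS.items()},
        "steam": {k: steam_wallpaper_alert(e) for k, e in FILE_EVENTS.items()},
    }


if __name__ == "__main__":
    for rule, results in run_all().items():
        print(rule, results)
```

The `admin_iex_only` case is the one worth watching: an operator's `Invoke-Expression` of a local script carries the IEX token but no lure string, so the three-selection rule stays silent, whereas a rule that required only one of the two string lists would fire. For the Teams rule, keep in mind that Sysmon fills `DestinationHostname` from a reverse DNS lookup, and relay addresses often have none; pairing it with the relay IP ranges or with DNS query logs avoids missing connections that the hostname field cannot see.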
KQL (Microsoft Sentinel)
```kql
// Hunt for indicators from the OTX pulses: domains, IPs, and file hashes
let DomainIOCs = dynamic(["leadslaw.com", "incblog.su", "crefisa.online", "windowsupdate-cdn.com"]);
let IPIOCs = dynamic(["185.196.9.234", "162.141.111.227"]);
let FileHashIOCs = dynamic(["f0b3e112ce4807a28e2b5d66a840ed7f", "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c", "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141", "297eb45f028d44d750297d2f932b9c91"]);
// 1. Network connections to known C2 domains/IPs
//    has_any on RemoteUrl also catches subdomains and full URLs that carry an IOC domain
DeviceNetworkEvents
| where RemoteUrl has_any (DomainIOCs) or RemoteIP in (IPIOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend AlertDetails = "Network connection to known IOC from OTX Pulse"
| union (
    // 2. File creation or modification events for known malicious hashes
    DeviceFileEvents
    | where SHA256 in (FileHashIOCs) or MD5 in (FileHashIOCs) or SHA1 in (FileHashIOCs)
    | project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, SHA256
    | extend AlertDetails = "File with known malicious hash detected from OTX Pulse"
)
| union (
    // 3. Process creation events with IOCs in the command line or from known hashes
    //    (FolderPath is the image path column in DeviceProcessEvents)
    DeviceProcessEvents
    | where ProcessCommandLine has_any (DomainIOCs) or SHA256 in (FileHashIOCs) or MD5 in (FileHashIOCs) or SHA1 in (FileHashIOCs)
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, SHA256
    | extend AlertDetails = "Process execution related to OTX Pulse IOCs"
)
```
PowerShell Hunt Script
```powershell
<#
.SYNOPSIS
Hunt script for artifacts associated with OTX pulses (SmartRAT, DragonForce, Steam malware).
.DESCRIPTION
This script searches for scheduled tasks, registry keys, file paths, and network connections
that may indicate compromise by the malware families discussed in the intelligence briefing.
#>
Write-Host "Starting threat hunt based on OTX Pulse data..." -ForegroundColor Cyan

# 1. Hunt for suspicious scheduled tasks (common for persistence)
Write-Host "`n[+] Checking for suspicious scheduled tasks..." -ForegroundColor Yellow
$SuspiciousTaskNames = @("*update*", "*system*", "*driver*")
# -like does not accept an array on its right-hand side, so test each pattern in turn
$Tasks = Get-ScheduledTask | Where-Object {
    $Candidate = $_
    $Candidate.State -eq 'Ready' -and ($SuspiciousTaskNames | Where-Object { $Candidate.TaskName -like $_ })
}
if ($Tasks) {
    foreach ($Task in $Tasks) {
        $Action = $Task.Actions.Execute
        $Arguments = $Task.Actions.Arguments
        Write-Host "Suspicious Task Found: $($Task.TaskName)" -ForegroundColor Red
        Write-Host "  Action: $Action $Arguments"
    }
} else { Write-Host "  No suspicious tasks found." -ForegroundColor Green }

# 2. Hunt for malicious registry autoruns (persistence)
Write-Host "`n[+] Checking for suspicious registry autoruns..." -ForegroundColor Yellow
$RunPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($Path in $RunPaths) {
    if (Test-Path $Path) {
        $Items = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($Items) {
            foreach ($Item in $Items.PSObject.Properties) {
                # Skip the provider metadata properties Get-ItemProperty adds to every key
                if ($Item.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                    $Value = $Item.Value
                    if ($Value -like "*powershell*" -or $Value -like "*http*" -or $Value -like "*.tmp") {
                        # ${Path} avoids PowerShell reading "$Path:" as a drive-qualified variable
                        Write-Host "Suspicious Run Key in ${Path}:" -ForegroundColor Red
                        Write-Host "  Name: $($Item.Name)"
                        Write-Host "  Value: $Value"
                    }
                }
            }
        }
    }
}

# 3. Hunt for known Steam Wallpaper Engine malware paths (file system)
Write-Host "`n[+] Checking for Steam Wallpaper Engine related files..." -ForegroundColor Yellow
$SteamPath = "${env:ProgramFiles(x86)}\Steam\steamapps\common\wallpaper_engine"
if (Test-Path $SteamPath) {
    Write-Host "  Wallpaper Engine is installed." -ForegroundColor Cyan
    # This is a basic check; a deeper scan would look for new/unknown executables in the projects folder
    Get-ChildItem -Path $SteamPath -Recurse -Filter "*.exe" -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
        Select-Object FullName, LastWriteTime |
        Format-Table
} else { Write-Host "  Wallpaper Engine not found." -ForegroundColor Green }

# 4. Hunt for established network connections to suspicious IPs (requires admin)
Write-Host "`n[+] Checking for established network connections to known IOCs..." -ForegroundColor Yellow
$SuspiciousIPs = @("185.196.9.234", "162.141.111.227")
try {
    $Connections = Get-NetTCPConnection -State Established -ErrorAction Stop
    foreach ($IP in $SuspiciousIPs) {
        # $Matches is a PowerShell automatic variable; use a different name for our results
        $Hits = $Connections | Where-Object { $_.RemoteAddress -eq $IP }
        if ($Hits) {
            foreach ($Conn in $Hits) {
                $Process = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
                Write-Host "Connection to suspicious IP $IP found!" -ForegroundColor Red
                Write-Host "  Local Port: $($Conn.LocalPort), Remote Port: $($Conn.RemotePort)"
                Write-Host "  Process ID: $($Conn.OwningProcess), Process Name: $($Process.ProcessName)"
                Write-Host "  Process Path: $($Process.Path)"
            }
        }
    }
} catch { Write-Host "  Could not enumerate network connections. Run as Administrator." -ForegroundColor DarkYellow }
Write-Host "`nThreat hunt complete." -ForegroundColor Cyan
```
---
# Response Priorities
* **Immediate (0-24h):**
  * Block all provided IOCs (domains, IPs, file hashes) at the network perimeter, on endpoints, and in email gateways.
  * Hunt for and contain any endpoints that have communicated with the identified C2 infrastructure or executed the file hashes.
  * Isolate any systems showing signs of SmartRAT or DragonForce activity to prevent lateral movement and data exfiltration.
* **24h:**
  * Conduct a focused credential audit for any user accounts that may have been compromised on systems where infostealers (Lumma, Vidar, SmartRAT) were detected. Force password resets and enable MFA for all affected accounts.
  * Initiate a forensic investigation on compromised systems to determine the scope of the breach and identify the initial access vector.
* **1 week:**
  * Patch all systems against the CVEs mentioned (e.g., CVE-2023-36036, CVE-2025-61155) and conduct a broader vulnerability assessment.
  * Implement application allowlisting policies to prevent the execution of unauthorized software, especially from non-standard locations like the Steam Workshop or via PowerShell scripts from the internet.
  * Review and restrict access to Microsoft Teams for unauthenticated or guest users to mitigate the risk of abuse by groups like DragonForce.