Current OTX Pulse data indicates a surge in high-impact threat activity targeting US critical infrastructure and educational sectors. Three distinct but equally critical campaigns are active:
-
RaaS Ecosystem Evolution: The Hive0163 (Interlock) and Rhysida groups continue to aggressively target broad US industries (Aerospace, Gov, Finance) using updated custom toolsets, including
NodeSnake,InterlockRAT, and theSystemBCSOCKS proxy. These groups are leveraging trojanized installers and known exploits (e.g., CVE-2023-36036) for initial access. -
Critical Infrastructure Exploitation: A sophisticated actor, UAT-8616, is actively exploiting Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20133). Successful exploitation leads to the deployment of webshells (
Godzilla,Behinder) and cryptocurrency miners (XMRig), signaling a shift toward monetizing infrastructure access. -
Education Sector Zero-Day: UNC6240 (ShinyHunters) has conducted a widespread extortion campaign against Higher Education, exploiting a zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273) prior to the vendor patch. The actors utilize
MeshCentralfor C2 and lateral movement.
Collectively, these pulses demonstrate a trend of pre-patch exploitation and the weaponization of legitimate management tools (MeshCentral) and edge infrastructure (SD-WAN).
Threat Actor / Malware Profile
Hive0163 (Interlock) & Rhysida
- Distribution: Trojansized software installers, SEO poisoning (GootLoader/SocGholish).
- Payload:
NodeSnake(Linux/Windows RAT),InterlockRAT,JunkFictiondownloader. - C2 & Persistence: Uses
SystemBCfor traffic tunneling and proxying.RhysidaemploysBroomstickandTombcrypters to evade detection. - Objective: Data exfiltration followed by double-extortion ransomware deployment.
UAT-8616
- Method: Exploitation of edge networking devices (Cisco Catalyst SD-WAN).
- Payload: Webshells (
Godzilla,Behinder) for persistent access,XMRigfor resource hijacking. - Behavior: Leverages authentication bypass to gain administrative privileges, then deploys webshells to maintain access within the compromised management plane.
UNC6240 (ShinyHunters)
- Method: Exploitation of web-facing applications (Oracle PeopleSoft Environment Management).
- Tooling:
MeshCentral(a legitimate remote management tool abused for C2). - Objective: Data theft and extortion. The group exploits the window of time between vulnerability discovery and vendor patch release (Zero-day).
IOC Analysis
The provided pulses contain actionable indicators across multiple vectors:
- Network Infrastructure: IPs
185.196.9.234and176.120.22.24and domainsleadslaw.comandazurenetfiles.netserve as C2 nodes or payload delivery servers. SOC teams should block these at the perimeter and firewalls immediately. - File Hashes: Numerous MD5, SHA1, and SHA256 hashes correspond to malware loaders (
MintLoader), webshells, and theMeshCentralagent. These should be integrated into EDR detection rules and scanned against historical data. - CVEs: The criticality lies in the CVEs:
- CVE-2026-35273: Oracle PeopleSoft RCE (CVSS 9.8).
- CVE-2026-20182 / CVE-2026-20133: Cisco SD-WAN Auth Bypass / RCE.
- CVE-2023-36036: Microsoft SharePoint RCE (associated with Interlock).
Operational Guidance: Use automated threat intelligence platforms (TIPs) to ingest these hashes. For network indicators, leverage DNS sinkholing for the domains to identify infected hosts attempting to phone home.
Detection Engineering
YAML
---
title: Potential MeshCentral C2 Activity
id: 89a3c4d2-5b6e-4a7f-9c1d-2e3f5a6b7c8d
description: Detects processes associated with MeshCentral agent making network connections, often used by UNC6240.
status: experimental
date: 2026/06/15
author: Security Arsenal
references:
- https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith:
- '\node.exe'
- '\meshcentral.exe'
DestinationPort:
- 443
condition: selection
falsepositives:
- Legitimate MeshCentral administration usage
level: high
---
title: Suspicious Webshell Process Spawn (Cisco SD-WAN / Godzilla)
id: 72b1c5d9-8e4f-3b6a-0d2e-1f4e6a7b8c9d
description: Detects web server processes spawning shells or suspicious utilities, indicative of webshell activity like Godzilla/Behinder on infrastructure devices.
status: experimental
date: 2026/06/15
author: Security Arsenal
references:
- https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
tags:
- attack.execution
- attack.t1059.001
- attack.t1505.003
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith:
- '/java'
- '/vshelld'
- '/nginx'
Image|endswith:
- '/sh'
- '/bash'
- '/perl'
- '/python'
condition: selection
falsepositives:
- Legitimate administrative scripting via web interface
level: critical
---
title: Interlock/Rhysida SystemBC Proxy Execution
id: 10e9f8a7-6d5c-4b3e-2a1f-3c4d5e6f7g8h
description: Detects execution patterns associated with SystemBC proxy tooling often used by Hive0163 and Rhysida actors.
status: experimental
date: 2026/06/15
author: Security Arsenal
references:
- https://www.ibm.com/think/x-force/interlock-and-rhysida-within-the-ransonware-ecosystem
tags:
- attack.command_and_control
- attack.t1090.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\rundll32.exe'
- '\regsvr32.exe'
selection_cli:
CommandLine|contains:
- 'SystemBC'
- '-socks'
- '127.0.0.1:'
condition: all of selection*
falsepositives:
- Rare; legitimate software does not typically use these flags
level: high
kql
// Hunt for specific network IOCs from OTX Pulses
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("leadslaw.com", "azurenetfiles.net")
or RemoteIP in ("185.196.9.234", "176.120.22.24")
| extend ThreatContext = case(
RemoteUrl has "leadslaw.com", "Interlock/Rhysida C2",
RemoteUrl has "azurenetfiles.net", "UNC6240 MeshCentral C2",
"Known Malicious IP")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, ThreatContext
// Hunt for File Hashes (MeshCentral, Webshells, RATs)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
"333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c", // InterlockRAT
"d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa", // Webshell/XenShell
"c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f" // MeshCentral Agent
)
| project Timestamp, DeviceName, FileName, ProcessCommandLine, SHA256, InitiatingProcessAccountName
powershell
# IOC Hunt Script - Interlock, Rhysida, and ShinyHunters Indicators
# Requires Administrative Privileges
$MaliciousHashes = @(
"333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
"d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
"c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f",
"2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35"
)
$Domains = @("leadslaw.com", "azurenetfiles.net")
Write-Host "[+] Checking for MeshCentral Persistence..."
$MeshPath = "C:\Program Files\MeshCentral"
if (Test-Path $MeshPath) {
Write-Host "[!] WARNING: MeshCentral installation found at $MeshPath" -ForegroundColor Red
}
Write-Host "[+] Checking Hosts File for Malicious Domains..."
$HostsPath = "$env:windir\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
$Content = Get-Content $HostsPath
foreach ($Domain in $Domains) {
if ($Content -match $Domain) {
Write-Host "[!] WARNING: $Domain found in hosts file." -ForegroundColor Red
}
}
}
Write-Host "[+] Scanning for specific file hashes in common download directories..."
$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA")
foreach ($Path in $Paths) {
if (Test-Path $Path) {
Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
$Hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
if ($Hash.Hash -in $MaliciousHashes) {
Write-Host "[!] CRITICAL: Malicious file found: $($_.FullName)" -ForegroundColor Red
}
}
}
}
Write-Host "[+] Checking for SystemBC related Registry Run Keys..."
$RunKeys = @("HKLM:\Software\Microsoft\Windows\CurrentVersion\Run", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run")
foreach ($Key in $RunKeys) {
if (Test-Path $Key) {
Get-ItemProperty $Key -ErrorAction SilentlyContinue | ForEach-Object {
if ($_.PSObject.Properties.Value -match "SystemBC" -or $_.PSObject.Properties.Value -match "node.exe") {
Write-Host "[!] Suspicious persistence found in $Key" -ForegroundColor Yellow
}
}
}
}
# Response Priorities
Immediate
- Network Blocking: Block all identified IOCs (IPs
185.196.9.234,176.120.22.24; Domainsleadslaw.com,azurenetfiles.net) at perimeter firewalls and proxies. - Patch Management: Apply emergency patches for CVE-2026-35273 (Oracle PeopleSoft) and CVE-2026-20182 (Cisco SD-WAN) immediately. If patching is not possible, isolate vulnerable management interfaces from the internet.
24 Hours
- Threat Hunting: Run the provided PowerShell and KQL scripts across the fleet to identify compromised endpoints or active C2 channels.
- Education Sector: If in the Education sector, audit Oracle PeopleSoft logs for the dates May 27 – June 9, 2026, specifically looking for exploitation of the Environment Management component.
1 Week
- Architecture Review: Review SD-WAN controller access logs. Ensure admin interfaces are not exposed to the public internet. Implement MFA for all management planes.
- Compromise Assessment: Engage in a full compromise assessment for any organization showing indicators of
MeshCentralorSystemBCusage, as these imply deep persistence and potential data exfiltration.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-aptinterlock-ratrhysida-ransomwareshinyhunterscve-2026-35273meshcentral
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.