Threat Summary
Recent OTX pulse data indicates a convergence of high-efficacy threat activity targeting enterprise infrastructure and sensitive credentials. The landscape is dominated by the resurgence of the Interlock and Rhysida ransomware ecosystems (associated with threat actor Hive0163), utilizing sophisticated loaders like MintLoader and custom RATs such as NodeSnake. Simultaneously, the Gremlin Stealer campaign has evolved to employ commercial-grade packing and instruction virtualization to evade detection, focusing on browser session hijacking and credential theft.
In parallel, nation-state aligned actors are actively exploiting critical infrastructure. UNC6240 (ShinyHunters) is leveraging a zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft to deploy MeshCentral for persistence, while UAT-8616 is exploiting Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182) to deploy webshells (Godzilla, XenShell) and cryptominers. The upcoming FIFA World Cup 2026 is also serving as a lure for phishing campaigns.
Threat Actor / Malware Profile
Gremlin Stealer
- Distribution: Trojanized installers and malicious attachments leveraging commercial packing utilities.
- Payload Behavior: Steals sensitive information including payment card details, browser data, and session tokens. Executes via a private virtual machine (instruction virtualization) to hide code logic.
- C2 Communication: Encrypted HTTP/HTTPS traffic; exfiltration to actor-controlled servers.
- Persistence: Unknown in this specific pulse, but typically via scheduled tasks or registry run keys.
- Anti-Analysis: Heavy obfuscation via resource file hiding and custom bytecode execution.
Hive0163 (Interlock/Rhysida)
- Distribution: SEO poisoning (GootLoader), fake software updates, and trojanized installers.
- Payload Behavior: Deploys InterlockRAT, NodeSnake, and SystemBC. Ends with Rhysida or Interlock ransomware encryption.
- C2 Communication: Uses SystemBC as a proxy to route traffic, masking C2 infrastructure.
- Persistence: Scheduled tasks and service installation.
- Anti-Analysis: Uses junk code and custom downloaders (JunkFiction).
UNC6240 (ShinyHunters)
- Distribution: Exploitation of CVE-2026-35273 in Oracle PeopleSoft Environment Management component.
- Payload Behavior: Establishes remote access via the MeshCentral agent (agent.ashx).
- C2 Communication: Connects to azurenetfiles.net on port 443.
- Persistence: Webshell or legitimate remote management tool abuse.
- Anti-Analysis: Uses vulnerable web application parameters to blend in with legitimate traffic.
IOC Analysis
The provided indicators encompass a wide attack surface:
- File Hashes (SHA256/MD5): Numerous hashes for Gremlin Stealer, XenShell, and loaders. These should be blocked in EDR solutions and used for retro-hunting.
- Domains: leadslaw.com (Interlock infrastructure), fifaticket2026vip.com (World Cup phishing), and azurenetfiles.net (UNC6240 C2). These require immediate DNS sinkholing or firewall blocking.
- CVEs: Critical focus on CVE-2026-35273 (Oracle), CVE-2026-20182 (Cisco), and CVE-2023-36036.
- IPs: 176.120.22.24 (MeshCentral C2) and 185.196.9.234 (Interlock). Block at the perimeter.
SOC Operationalization:
- EDR: Import the SHA256 hashes into block lists. Initiate scans for the specific filenames (e.g., agent.ashx logs).
- SIEM: Create alerts for DNS requests to the listed domains and outbound connections to the listed IPs.
- Network: Inspect traffic for MeshCentral anomalies on azurenetfiles.net.
Detection Engineering
Sigma Rules
title: Potential UNC6240 MeshCentral C2 Activity
id: 8a1b2c3d-4e5f-6789-0a1b-2c3d4e5f6789
description: Detects outbound network connections to UNC6240 MeshCentral infrastructure observed in Oracle PeopleSoft attacks.
status: experimental
date: 2026/06/16
author: Security Arsenal
references:
  - https://otx.alienvault.com/
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - azurenetfiles.net
    DestinationPort: 443
  condition: selection
falsepositives:
  - Legitimate MeshCentral usage (verify against asset inventory)
level: high
---
title: Gremlin Stealer Obfuscated Payload Execution
id: 9b2c3d4e-5f6a-7890-1b2c-3d4e5f6789ab
description: Detects process execution patterns indicative of instruction virtualization or heavy packing often used by Gremlin Stealer variants (hidden-window, encoded command lines from binaries with no Company metadata).
status: experimental
date: 2026/06/16
author: Security Arsenal
references:
  - https://otx.alienvault.com/
tags:
  - attack.defense_evasion
  - attack.t1027
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - .exe
    CommandLine|contains:
      - -enc
      - -w hidden
    Company: null
  condition: selection
falsepositives:
  - Legitimate administrative scripts
level: medium
---
title: Interlock/Rhysida SystemBC Proxy Activity
id: 0c3d4e5f-6a7b-8901-2c3d-4e5f6789abcd
description: Detects potential SystemBC proxy usage associated with Hive0163 and Rhysida ransomware operations (system binaries initiating outbound web-port connections).
status: experimental
date: 2026/06/16
author: Security Arsenal
references:
  - https://otx.alienvault.com/
tags:
  - attack.command_and_control
  - attack.t1090.002
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    Image|endswith:
      - \svchost.exe
      - \rundll32.exe
    DestinationPort:
      - 80
      - 443
      - 8080
  condition: selection
falsepositives:
  - Windows Update or standard system traffic
level: low
KQL (Microsoft Sentinel)
// Hunt for MeshCentral C2 and Domain indicators
let IOCs = dynamic(["azurenetfiles.net", "leadslaw.com", "fifaticket2026vip.com", "185.196.9.234", "176.120.22.24"]);
DeviceNetworkEvents
| where RemoteUrl has_any (IOCs) or RemoteIP has_any (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend AlertContext = pack_all()
PowerShell Hunt Script
<#
.SYNOPSIS
    IOC Hunt Script for OTX Pulses (2026-06-16)
.DESCRIPTION
    Scans the file system for specific SHA256 hashes associated with Gremlin Stealer, XenShell, and UNC6240 payloads.
#>
$TargetHashes = @(
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f",
    "2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35"
)

Write-Host "[+] Starting hunt for malicious file hashes..."

# -File returns only files (no directories); -Force includes hidden and system files, where droppers are often staged.
Get-ChildItem -Path C:\ -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Locked or unreadable files yield $null here and are skipped rather than aborting the scan.
        $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($Hash -and ($TargetHashes -contains $Hash)) {
            Write-Host "[!] MATCH FOUND: $($_.FullName) | Hash: $Hash" -ForegroundColor Red
        }
    }

Write-Host "[+] Scan complete."
Response Priorities
- Immediate: Block all listed domains (azurenetfiles.net, leadslaw.com, fifaticket2026vip.com) and IPs at the firewall. Patch Oracle PeopleSoft (CVE-2026-35273) and Cisco Catalyst SD-WAN (CVE-2026-20182) immediately.
- 24h: Run the PowerShell hunt script on critical endpoints. Investigate any outbound connections to MeshCentral infrastructure or SystemBC proxies. Force password resets for accounts active on endpoints where Gremlin Stealer is suspected.
- 1 week: Review Oracle PeopleSoft and Cisco SD-WAN access logs for the period of exploitation (May 27 - June 16). Implement application-specific allow-listing for web application firewalls (WAF) to block webshell upload patterns (Godzilla/XenShell).
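The IOC Analysis and SOC Operationalization section above lists the indicators, and the 1-week priority names the review window; the following added example (not part of the original pulse write-up) matches the pulse's domains, IPs and two of its SHA256 hashes against constructed proxy-log lines, with subdomain-aware domain matching so a lookalike registration is not a false hit, and tags each finding with whether it falls inside the May 27 - June 16 window. The log layout, the 2026 year of the window and the sample lines are assumptions.

```python
import re
from datetime import datetime, timezone

# Indicators quoted in the pulse summary above (domains, IPs, two of the SHA256 hashes).
IOC_DOMAINS = {"azurenetfiles.net", "leadslaw.com", "fifaticket2026vip.com"}
IOC_IPS = {"176.120.22.24", "185.196.9.234"}
IOC_SHA256 = {
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
}
# Exploitation window named in the response priorities; the year 2026 is assumed from the pulse date.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 16, 23, 59, 59, tzinfo=timezone.utc)

def domain_matches(host: str) -> bool:
    """Exact or subdomain match only, so a lookalike such as notleadslaw.com is not a hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

# Assumed proxy-log layout: "<ISO-8601 UTC timestamp> <src IP> <destination> <port> <SHA256 of payload or ->"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def match_line(line: str):
    """Return a finding dict for a line that carries a pulse indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, sha = m.groups()
    checks = {"domain": domain_matches(dst), "ip": dst in IOC_IPS, "hash": sha.lower() in IOC_SHA256}
    hits = [kind for kind, matched in checks.items() if matched]
    if not hits:
        return None
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "hits": hits,
            "in_window": WINDOW_START <= when <= WINDOW_END}

def hunt(lines):
    """All findings in log order; 'in_window' marks events inside the May 27 - June 16 review period."""
    return [f for f in (match_line(line) for line in lines) if f]

SAMPLE_LOGS = [  # constructed sample data, not real telemetry
    "2026-06-10T14:02:11Z 10.0.5.23 azurenetfiles.net 443 -",
    "2026-06-12T09:15:40Z 10.0.5.40 cdn.leadslaw.com 443 -",
    "2026-06-12T09:16:02Z 10.0.5.40 notleadslaw.com 443 -",
    "2026-06-20T08:00:00Z 10.0.7.9 185.196.9.234 8080 -",
    "2026-06-01T22:45:13Z 10.0.5.23 files.example.net 443 1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2026-06-03T11:11:11Z 10.0.5.50 update.microsoft.com 443 -",
]
```

Running `hunt(SAMPLE_LOGS)` yields four findings; the 185.196.9.234 hit is flagged as outside the window, which is the signal to extend the log review beyond June 16 rather than to discard it.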