
Rhysida, DragonForce & ShinyHunters: Multi-Vector Ransomware & Extortion Campaigns — OTX Pulse Analysis

Security Arsenal Team
June 17, 2026

Recent OTX pulse data indicates a coordinated surge in high-profile ransomware and extortion campaigns targeting the United States. The intelligence identifies three distinct but equally concerning threat actors: Hive0163 (Interlock) and Rhysida, DragonForce, and UNC6240 (ShinyHunters).

Collectively, these groups demonstrate a shift towards sophisticated "living-off-the-land" techniques and zero-day exploitation to bypass traditional defenses. Hive0163 and Rhysida are utilizing an ecosystem of custom malware, including NodeSnake and InterlockRAT, delivered via trojanized installers. Simultaneously, DragonForce has pioneered a novel technique abusing Microsoft Teams relay infrastructure to hide C2 traffic within trusted corporate environments. Lastly, UNC6240 is actively exploiting a critical zero-day (CVE-2026-35273) in Oracle PeopleSoft to breach the education sector.

Primary Objectives:

  • Data Extortion & Ransomware: Encryption of critical assets for financial leverage.
  • Stealth & Persistence: Using trusted applications (Teams) and legitimate software vulnerabilities (PeopleSoft) to remain undetected.
  • Lateral Movement: Establishing footholds via custom and repurposed remote-access tools (InterlockRAT, MeshCentral) to move laterally across networks.

Threat Actor / Malware Profile

1. Hive0163 (Interlock) & Rhysida

  • Distribution: Trojanized software installers and SEO-poisoned downloads.
  • Payload Behavior: Utilizes a complex malware chain involving NodeSnake (modular backdoor), InterlockRAT (remote access), and Supper (downloader). They also employ JunkFiction and Tomb crypter to obfuscate payloads.
  • C2 Communication: Encrypted HTTP/HTTPS channels to bespoke infrastructure; abuse of cloud storage for staging.
  • Persistence: Scheduled tasks and registry run keys; service registration.
  • Anti-Analysis: Heavy use of custom crypters (Tomb) and junk code to evade static analysis.

2. DragonForce

  • Distribution: Initial access via credential theft or exploitation of vulnerable drivers (BYOVD).
  • Payload Behavior: Deploys Backdoor.Turn, a Go-based RAT, designed to tunnel traffic through legitimate protocols.
  • C2 Communication: Abuses Microsoft Teams TURN (Traversal Using Relays around NAT) servers to mask malicious traffic as legitimate Microsoft collaboration data.
  • Persistence: DLL side-loading technique using legitimate applications to load malicious payloads.
  • Anti-Analysis: Uses a vulnerable driver (CVE-2025-61155) to terminate security processes (EDR killing).

3. UNC6240 (ShinyHunters)

  • Distribution: Exploitation of web-facing applications (Oracle PeopleSoft).
  • Payload Behavior: Deploys MeshCentral, a legitimate remote administration tool, for command and control and lateral movement.
  • C2 Communication: Standard web protocols (HTTP/HTTPS) to domains like azurenetfiles.net.
  • Persistence: Web shells planted on compromised servers; scheduled tasks for MeshCentral agents.
  • Anti-Analysis: Uses legitimate tools (MeshCentral) to blend in with normal administrative traffic.

IOC Analysis

The provided indicators include a mix of network infrastructure, file artifacts, and vulnerability identifiers:

  • Domains & URLs: leadslaw.com, azurenetfiles.net. These are likely C2 servers or payload distribution points. SOC teams should immediately block these at the proxy/DNS level.
  • IP Addresses: 185.196.9.234, 176.120.22.24. Operationalize by implementing firewall blocks and searching firewall/SIEM logs for any historical connections.
  • File Hashes (SHA256/MD5): A significant number of hashes (e.g., 333903c7..., 8a403342...) correspond to the droppers, RATs (NodeSnake), and encryptors. Use EDR endpoint search capabilities to hunt for these specific hashes on disk or in memory.
  • CVEs: CVE-2026-35273 (Oracle PeopleSoft RCE), CVE-2025-61155 (Vulnerable Driver), CVE-2023-36036. These indicate the specific attack vectors. Patching is the primary remediation, but detection of exploitation attempts is critical.

Tooling for Decoding:

  • VirusTotal / Hybrid Analysis: For file hash detonation.
  • Cortex / MISP: For IOC enrichment and management.
  • Wireshark: To analyze network traffic patterns for Teams relay anomalies.

Detection Engineering

```yaml
---
title: Potential Exploitation of CVE-2026-35273 Oracle PeopleSoft
id: d17d4e9a-1234-5678-9101-1234567890ab
description: Detects potential exploitation of Oracle PeopleSoft Environment Management component via suspicious process spawning patterns.
status: experimental
date: 2026/06/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/666e5b1b92f23856301234ab
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.35273
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\psadmin.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Legitimate administrative tasks by IT staff
level: high
---
title: Suspicious Microsoft Teams Relay Traffic (DragonForce)
id: b29c5f8b-9876-5432-1098-7654321098cd
description: Detects suspicious child processes spawned by Microsoft Teams or connections to non-Microsoft infrastructure from Teams context, indicating potential relay abuse.
status: experimental
date: 2026/06/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/666e5b1b92f23856301234ac
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection_img:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    selection_conn:
        DestinationPort: 443
        Initiated: 'true'
    filter_legit_msft:
        DestinationHostname|contains:
            - '.microsoft.com'
            - '.office.com'
            - '.skype.com'
            - '.azure.net'
    condition: selection_img and selection_conn and not filter_legit_msft
falsepositives:
    - Rare legitimate plugins interacting with external APIs directly
level: critical
---
title: Rhysida InterlockRAT Execution Pattern
id: a30d609c-8765-4321-0987-6543210987ba
description: Detects execution patterns associated with InterlockRAT and JunkFiction downloader often used by Rhysida/Hive0163.
status: experimental
date: 2026/06/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/666e5b1b92f23856301234aa
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\msiexec.exe'
            - '\7zFM.exe'
            - '\winrar.exe'
    selection_child:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
        CommandLine|contains:
            - 'http://'
            - '.dll'
    condition: selection_parent and selection_child
falsepositives:
    - Software installation using archived DLLs
level: high
```
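The second Sigma rule above watches Teams.exe for connections to non-Microsoft hosts. The relay abuse the DragonForce profile describes (Backdoor.Turn tunnelling C2 through Microsoft's own TURN servers) leaves the inverse footprint: a process that is not Teams reaching Microsoft's Teams relay ranges on the TURN ports. The following is an added example, not code from the page or the OTX pulse, that applies that inverse check to constructed network events; the relay CIDRs and UDP ports are assumed from Microsoft's published Teams media endpoints and should be verified against the current list before use.

```python
import ipaddress
from typing import NamedTuple

# Assumed Teams media/TURN relay ranges and ports (from Microsoft's published
# Office 365 endpoint list; verify against the current list before deploying).
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in
                    ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TEAMS_TURN_PORTS = {3478, 3479, 3480, 3481}
# Processes expected to talk to the relays; anything else is worth a look.
TEAMS_BINARIES = {"teams.exe", "ms-teams.exe"}


class NetEvent(NamedTuple):
    host: str
    image: str       # initiating process image name
    dst_ip: str
    dst_port: int
    proto: str


def is_teams_relay(ip: str, port: int) -> bool:
    """True when the destination looks like a Teams TURN relay."""
    addr = ipaddress.ip_address(ip)
    return port in TEAMS_TURN_PORTS and any(addr in net for net in TEAMS_RELAY_NETS)


def relay_abuse(events):
    """Return events where a non-Teams process reaches a Teams TURN relay."""
    return [e for e in events
            if is_teams_relay(e.dst_ip, e.dst_port)
            and e.image.lower() not in TEAMS_BINARIES]


# Constructed sample events, not real telemetry.
SAMPLE = [
    NetEvent("ws01", "Teams.exe", "52.113.10.5", 3478, "udp"),    # normal call
    NetEvent("ws01", "svchost.exe", "52.113.10.5", 3478, "udp"),  # suspicious
    NetEvent("srv02", "updater.exe", "52.123.1.9", 3481, "udp"),  # suspicious
    NetEvent("ws03", "chrome.exe", "142.250.1.1", 443, "tcp"),    # unrelated
]

if __name__ == "__main__":
    for e in relay_abuse(SAMPLE):
        print(f"[!] {e.host}: {e.image} -> {e.dst_ip}:{e.dst_port}/{e.proto}")
```

Teams can also fall back to TCP 443 against the same relays, so a production version needs a tighter process allow-list before extending the port set.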


```kql
// Hunt for DragonForce and UNC6240 Network Artifacts
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("leadslaw.com", "azurenetfiles.net") or RemoteIP in ("185.196.9.234", "176.120.22.24")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend IOCType = iff(RemoteUrl in ("leadslaw.com", "azurenetfiles.net"), "Malicious Domain", "Malicious IP")

// Hunt for Malicious File Hashes (Rhysida & DragonForce)
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in ("333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c", "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531", "c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f", "048e18416177de2ead251abdf4d89837f6807c6aba4d5b7debe49adfdecbf05c")
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessAccountName
```
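The KQL above matches RemoteUrl exactly, so a full URL (https://cdn.leadslaw.com/update.bin) or a subdomain of a listed domain slips past it. The following is an added example, not code from the page, that matches the page's domain and IP indicators against constructed log lines by extracting the host and checking the domain and its subdomains; the comma-separated line format is an assumption for the sample only.

```python
from urllib.parse import urlsplit
from typing import NamedTuple

# Network IOCs from the pulse summary above.
MALICIOUS_DOMAINS = {"leadslaw.com", "azurenetfiles.net"}
MALICIOUS_IPS = {"185.196.9.234", "176.120.22.24"}


class Hit(NamedTuple):
    line_no: int
    ioc_type: str
    ioc: str


def host_of(remote_url: str) -> str:
    """Extract the hostname from a bare host, host:port or full URL."""
    if "://" not in remote_url:
        remote_url = "//" + remote_url      # let urlsplit see it as a netloc
    return (urlsplit(remote_url).hostname or "").lower().rstrip(".")


def match_domain(host: str):
    """Return the listed domain the host equals or is a subdomain of."""
    for d in MALICIOUS_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def hunt(lines):
    """Lines are 'timestamp,device,remote_url,remote_ip' (constructed format)."""
    hits = []
    for n, line in enumerate(lines, 1):
        _, _, remote_url, remote_ip = [f.strip() for f in line.split(",")]
        d = match_domain(host_of(remote_url))
        if d:
            hits.append(Hit(n, "Malicious Domain", d))
        elif remote_ip in MALICIOUS_IPS:
            hits.append(Hit(n, "Malicious IP", remote_ip))
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2026-06-17T10:01:00Z,ws01,https://cdn.leadslaw.com/update.bin,203.0.113.5",
    "2026-06-17T10:02:00Z,ws01,www.example.com,93.184.216.34",
    "2026-06-17T10:03:00Z,srv02,,185.196.9.234",
    "2026-06-17T10:04:00Z,ws03,azurenetfiles.net:443,198.51.100.7",
    "2026-06-17T10:05:00Z,ws04,notleadslaw.com,198.51.100.8",
]
```

Note that notleadslaw.com is correctly not a hit: a plain substring check would have flagged it.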


```powershell
# IOC Hunt Script for Active Threats (Rhysida, DragonForce, ShinyHunters)
# Requires Administrative Privileges

Write-Host "[*] Initiating Hunt for Active Threats..." -ForegroundColor Cyan

# 1. Check for Network Connections to Malicious IPs/Domains
$MaliciousIPs = @("185.196.9.234", "176.120.22.24")
$MaliciousDomains = @("leadslaw.com", "azurenetfiles.net")

Write-Host "[*] Checking Active Network Connections..." -ForegroundColor Yellow
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($conn in $connections) {
    if ($MaliciousIPs -contains $conn.RemoteAddress) {
        # Resolve the owning process only for matches; it may already have exited
        $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($process) { $process.ProcessName } else { "PID $($conn.OwningProcess)" }
        Write-Host "[!] ALERT: Connection to Malicious IP $($conn.RemoteAddress) detected via process $name" -ForegroundColor Red
    }
}

# The domains leave traces in the local DNS client cache even after a connection closes
Write-Host "[*] Checking DNS Client Cache for Malicious Domains..." -ForegroundColor Yellow
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($domain in $MaliciousDomains) {
        if ($_.Entry -eq $domain -or $_.Entry -like "*.$domain") {
            Write-Host "[!] ALERT: Cached DNS entry for malicious domain $($_.Entry) -> $($_.Data)" -ForegroundColor Red
        }
    }
}

# 2. Check for File Presence (Limited Sample)
$TargetHashes = @(
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
    "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531"
)

Write-Host "[*] Scanning common payload directories..." -ForegroundColor Yellow
$paths = @("$env:TEMP", "$env:APPDATA", "C:\Windows\Temp")

foreach ($path in $paths) {
    if (Test-Path $path) {
        # -File keeps directories out of Get-FileHash
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $fileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($fileHash -and $TargetHashes -contains $fileHash) {
                Write-Host "[!] ALERT: Malicious file found at $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# 3. Check for MeshCentral Persistence (UNC6240)
Write-Host "[*] Checking for MeshCentral Persistence..." -ForegroundColor Yellow
$services = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.Name -like "*mesh*" -or $_.PathName -like "*meshcentral*" }
foreach ($svc in $services) {
    Write-Host "[!] ALERT: Suspicious MeshCentral service detected: $($svc.Name) ($($svc.PathName))" -ForegroundColor Red
}

Write-Host "[*] Hunt Complete." -ForegroundColor Green
```


Response Priorities

Immediate (0-24h):

  • Block IOCs: Immediately block all listed IP addresses (185.196.9.234, 176.120.22.24) and domains (leadslaw.com, azurenetfiles.net) at network edge and proxy levels.
  • Hunt for MeshCentral: Scan the environment for unauthorized installations of MeshCentral, particularly on servers exposed to the internet.
  • Patch CVE-2026-35273: Identify all Oracle PeopleSoft instances and apply the patch released on June 10, 2026, immediately.

24h - 48h:

  • Credential Reset: If indicators of DragonForce (Backdoor.Turn) or Rhysida are found, force a password reset for affected accounts and rotate service account credentials.
  • Teams Traffic Analysis: Review Microsoft Teams logs for anomalous login activity or unusual traffic patterns originating from non-corporate IP ranges.

1 Week:

  • Architecture Hardening: Implement strict allow-listing for Microsoft Teams and other collaboration tools to prevent relay abuse.
  • Vulnerability Management: Conduct a rescan of internet-facing assets to ensure no other instances of the Oracle PeopleSoft vulnerability remain.
  • EDR Tuning: Update EDR detection rules to specifically flag the process chains identified in the Sigma rules (e.g., signed binaries spawning shells).
