
Unmasking Interlock Group's Evolving Malware Arsenal

In July 2025, the eSentire Threat Response Unit (TRU) identified multiple sophisticated incidents believed to be attributed to the Interlock Group, a ransomware gang that has targeted organizations across North America and Europe since September 2024.

During the investigation, TRU found that the Interlock Group used a PHP-based backdoor to deploy another malicious component being referred to as “Interlock RAT” within the cybersecurity community. Despite its name, this tool functions primarily as a backdoor rather than a Remote Access Trojan (RAT), with support for several attacker-supplied commands to allow for further reconnaissance and ransomware deployment.

In this TRU Positive, we explore the TTPs of the group, including the use of ClickFix for initial access, the inner workings of the various backdoors, the commands executed, data theft, and reconnaissance activities that contribute to a process tree so large that we recommend viewing it on a 4K monitor, or possibly a billboard.

Additionally, we provide several Python scripts available here for security researchers to automate parts of the analysis process.

This post is licensed under CC BY 4.0 by the author.