Recent investigations have unveiled significant connections between two notorious ransomware groups, Interlock and Rhysida. Both groups have been found to utilize a common backdoor, known as Supper, and share elements of their malware codebase, highlighting a deeper link than previously recognized.
Interlock’s Custom-Built Arsenal
The Interlock group, also known as Hive0163, has been actively deploying ransomware since September 2024. Unlike other operations that offer ransomware tools to affiliates, Interlock maintains a proprietary arsenal including tools such as NodeSnake, InterlockRAT, and the JunkFiction downloader. This approach underscores their preference for internal control over their malicious activities.
Rhysida, in contrast, operates as a Ransomware-as-a-Service (RaaS) platform, having been active since at least May 2023. This model allows external actors to leverage Rhysida’s tools for their own attacks, broadening the group’s impact across various sectors.
IBM X-Force Findings
In an extensive report shared with Cyber Security News, analysts from IBM X-Force detailed the connections between these two groups. Their two-year investigation revealed that both groups heavily rely on the Supper backdoor, also referred to as SocksShell or WINDYTWIST. This backdoor has been a consistent element in confirmed incidents linked to both ransomware operations.
By the close of 2025, each group had approximately 80 victims, primarily in the United States, affecting critical sectors such as healthcare, education, and government. This shared use of a private backdoor suggests either a common development source or a controlled exchange of code between trusted cybercriminal entities.
Technical Overlaps and Implications
Technical analyses by IBM X-Force highlighted structural similarities in the malware families used by both Interlock and Rhysida. Supper, first identified in July 2024, is central to these operations. Its functions include maintaining system access, creating encrypted tunnels, and executing remote shell commands, features that closely resemble those of InterlockRAT.
Further examination showed that NodeSnake, utilized by Interlock, shares code logic with the JunkFiction downloader and InterlockRAT, reinforcing the theory of a shared developer origin. This commonality extends to newer tools like ModeloRAT, which integrates elements from NodeSnake’s code structure.
Attack Methods and Defensive Measures
Both ransomware groups exploit trojanized software installers to infiltrate victim networks. They create fake download pages for popular software like Microsoft Teams to deceive users into executing malicious files. These installers often carry fraudulent code-signing certificates purchased from cybercrime forums, enabling them to bypass standard security measures.
Once inside a network, attackers use traffic distribution networks to channel victims towards payload delivery through methods like ClickFix-style attacks. The groups also employ systems such as TAG-124 and Gootloader to manage post-compromise activities, ensuring thorough network infiltration before deploying ransomware.
Organizations should bolster their defenses by monitoring for unusually signed executables, scrutinizing unexpected remote management software usage, and treating suspicious browser prompts as high-priority threats.
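As an added example (not code from the article or from IBM X-Force's report), the following triage check illustrates the first recommendation above: it flags installers whose claimed product name does not match the expected code-signing publisher, or which were fetched from a host outside the vendor's own domain, the pattern behind the fake Microsoft Teams download pages described earlier. The allowlist, the official host suffix and the sample records are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed allowlist: product name as found in the PE version resource ->
# expected Authenticode signer subject and official download host suffixes.
# Host suffixes are an assumption for this example, not taken from the article.
EXPECTED = {
    "microsoft teams": {
        "signer": "microsoft corporation",
        "host_suffixes": ("microsoft.com",),
    },
}

@dataclass
class SignedBinary:
    path: str
    product: str        # ProductName from the PE version resource
    signer: str         # subject CN of the Authenticode signing certificate
    download_host: str  # host the installer was fetched from (proxy log)

def findings_for(b: SignedBinary) -> list[str]:
    """Return zero or more finding tags for one signed installer."""
    tags = []
    policy = EXPECTED.get(b.product.lower())
    if policy is None:
        return ["unknown-product"]           # nothing to compare against
    if b.signer.lower() != policy["signer"]:
        tags.append("publisher-mismatch")    # signature may verify, but wrong signer
    host = b.download_host.lower()
    if not any(host == s or host.endswith("." + s) for s in policy["host_suffixes"]):
        tags.append("unexpected-download-host")
    return tags

def triage(binaries: list[SignedBinary]) -> dict[str, list[str]]:
    """Map each path to its findings, omitting binaries with no findings."""
    out = {}
    for b in binaries:
        tags = findings_for(b)
        if tags:
            out[b.path] = tags
    return out

# Constructed sample records, not real observed values.
SAMPLES = [
    SignedBinary(r"C:\Users\jdoe\Downloads\TeamsSetup.exe", "Microsoft Teams",
                 "Microsoft Corporation", "www.microsoft.com"),
    SignedBinary(r"C:\Users\jdoe\Downloads\Teams_Installer.exe", "Microsoft Teams",
                 "Contoso Software Ltd", "teams-download.example"),
]

if __name__ == "__main__":
    for path, tags in triage(SAMPLES).items():
        print(path, "->", ", ".join(tags))
```

A mismatch here is a lead for review, not proof of compromise: legitimate installers are sometimes repackaged by IT tooling, so pair this with certificate thumbprint checks and the endpoint's own telemetry.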
The findings underscore the importance of vigilance and advanced threat detection to combat evolving ransomware tactics. As cybercriminals continue to refine their strategies, staying informed and prepared is crucial for safeguarding sensitive information and infrastructure.
