Ransomware Gang ‘Interlock’ Embraces Sneaky ClickFix Attacks to Hijack Corporate Systems
<p class="" data-start="394" data-end="586">The Interlock ransomware gang has adopted a cunning new trick that’s catching victims off guard: impersonating IT tools to push malicious commands through something known as a ClickFix attack.</p>
<p class="" data-start="588" data-end="792">Researchers are sounding the alarm as these attacks steadily rise. The gang has now been confirmed to be using these lures to deploy their data-encrypting malware across both FreeBSD and Windows networks.</p>
<h2 class="" data-start="794" data-end="826">From Copy-Paste to Compromise</h2>
<p class="" data-start="828" data-end="1032">It starts innocently enough—an IT staffer sees a CAPTCHA screen or a tool verification page. It looks official. The next thing they know, a malicious PowerShell command has been copied to their clipboard.</p>
<p class="" data-start="1034" data-end="1075">Once that command is run? It’s game over.</p>
<p class="" data-start="1077" data-end="1175">The Interlock crew has been linked to at least four malicious URLs so far, all faking credibility:</p>
<ul data-start="1177" data-end="1364">
<li class="" data-start="1177" data-end="1226">
<p class="" data-start="1179" data-end="1226">microsoft-msteams[.]com/additional-check.html</p>
</li>
<li class="" data-start="1227" data-end="1271">
<p class="" data-start="1229" data-end="1271">microstteams[.]com/additional-check.html</p>
</li>
<li class="" data-start="1272" data-end="1316">
<p class="" data-start="1274" data-end="1316">ecologilives[.]com/additional-check.html</p>
</li>
<li class="" data-start="1317" data-end="1364">
<p class="" data-start="1319" data-end="1364">advanceipscaner[.]com/additional-check.html</p>
</li>
</ul>
<p class="" data-start="1366" data-end="1512">Only one of them actually drops the infected installer, and it’s cleverly disguised as Advanced IP Scanner—a tool commonly used in IT departments.</p>
<p data-start="1366" data-end="1512"><a href="https://www.theibulletin.com/wp-content/uploads/2025/04/advanced-ip-scanner-malware-attack-screenshot.jpg"><img class="aligncenter size-full wp-image-57229" src="https://www.theibulletin.com/wp-content/uploads/2025/04/advanced-ip-scanner-malware-attack-screenshot.jpg" alt="advanced ip scanner malware attack screenshot" width="870" height="527" /></a></p>
<h2 class="" data-start="1514" data-end="1547">What Happens Behind the Scenes</h2>
<p class="" data-start="1549" data-end="1655">The moment that PowerShell command is executed, it downloads a 36MB file that acts as a two-faced payload.</p>
<p class="" data-start="1657" data-end="1791">On one hand, it installs what looks like a real version of Advanced IP Scanner. On the other, it runs a stealthy script buried within.</p>
<p class="" data-start="1793" data-end="1835">That hidden script? It gets right to work.</p>
<ul data-start="1837" data-end="2049">
<li class="" data-start="1837" data-end="1876">
<p class="" data-start="1839" data-end="1876">Registers a Run key for persistence</p>
</li>
<li class="" data-start="1877" data-end="1939">
<p class="" data-start="1879" data-end="1939">Grabs your OS version, running tasks, user privilege level</p>
</li>
<li class="" data-start="1940" data-end="1988">
<p class="" data-start="1942" data-end="1988">Scans available drives and running processes</p>
</li>
<li class="" data-start="1989" data-end="2049">
<p class="" data-start="1991" data-end="2049">Sends all that data back to a command-and-control server</p>
</li>
</ul>
<p class="" data-start="2051" data-end="2157">There’s no pop-up, no red flags—just a browser tab showing the real tool’s website to throw off suspicion.</p>
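<p>One way a SOC could hunt for the chain this section describes (hidden PowerShell launched from a pasted command, a Run key for persistence, then a callback to a server) in Sysmon-style telemetry. This is an added example, not code from the article or from Sekoia; it assumes the pasted command is run from the Windows Run dialog, so PowerShell appears as a child of explorer.exe, and every event, path and address in it is constructed.</p>

```python
"""Added detection example (not from the article or Sekoia): correlate the ClickFix
chain described above over Sysmon-style events. Every event below is constructed."""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
HIDDEN = re.compile(r"-(w(indowstyle)?\s+hidden|enc(odedcommand)?\b)", re.IGNORECASE)

EVENTS = [  # modelled on Sysmon IDs 1 (process), 13 (registry set), 3 (network)
    {"id": 1, "pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 5530, "ppid": 4120, "image": PS,
     "cmd": 'powershell.exe -w hidden -c "<constructed placeholder for pasted command>"'},
    {"id": 1, "pid": 5588, "ppid": 5530, "image": PS, "cmd": "powershell.exe -File <placeholder>.ps1"},
    {"id": 13, "pid": 5588,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 3, "pid": 5588, "dest": "203.0.113.7:443"},
    # Benign control: an admin opens PowerShell from a terminal and reaches a host.
    {"id": 1, "pid": 7001, "ppid": 6000, "image": PS, "cmd": "powershell.exe"},
    {"id": 3, "pid": 7001, "dest": "198.51.100.9:443"},
]

def hunt(events):
    """Return {powershell_pid: set(stages)} for process trees matching the chain."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    roots = {}  # flagged PowerShell pid -> stages seen in its tree

    def flagged_ancestor(pid):
        while pid in procs:  # walk up the tree to the nearest flagged PowerShell
            if pid in roots:
                return pid
            pid = procs[pid]["ppid"]
        return None

    for e in events:
        if e["id"] == 1:
            parent = procs.get(e["ppid"], {}).get("image", "").lower()
            # Assumption: the pasted command is launched via the Run dialog, so
            # PowerShell appears as a direct child of explorer.exe with a hidden window.
            if (e["image"].lower().endswith("powershell.exe")
                    and parent.endswith("\\explorer.exe") and HIDDEN.search(e["cmd"])):
                roots.setdefault(e["pid"], set()).add("clickfix_launch")
            continue
        root = flagged_ancestor(e["pid"])
        if root is None:
            continue  # registry/network activity outside any suspicious tree
        if e["id"] == 13 and RUN_KEY.search(e["target"]):
            roots[root].add("run_key_persistence")
        elif e["id"] == 3:
            roots[root].add("c2_beacon")
    return roots
```

Only the full chain lands on one process tree here; the interactive PowerShell session with its own outbound connection is never reported because nothing in its ancestry was flagged.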
<h2 class="" data-start="2159" data-end="2183">Payloads Get Personal</h2>
<p class="" data-start="2185" data-end="2307">Different machines get different malware. Sekoia’s threat analysts noted several payloads coming from Interlock’s servers.</p>
<p class="" data-start="2309" data-end="2357">Some of the most commonly deployed ones include:</p>
<ul data-start="2359" data-end="2648">
<li class="" data-start="2359" data-end="2413">
<p class="" data-start="2361" data-end="2413">LummaStealer – A notorious information stealer</p>
</li>
<li class="" data-start="2414" data-end="2481">
<p class="" data-start="2416" data-end="2481">BerserkStealer – Another tool used to hoover up credentials</p>
</li>
<li class="" data-start="2482" data-end="2523">
<p class="" data-start="2484" data-end="2523">Keyloggers – Your typing? Tracked</p>
</li>
<li class="" data-start="2524" data-end="2648">
<p class="" data-start="2526" data-end="2648">Interlock RAT – A flexible trojan capable of doing everything from running shell commands to dropping malicious DLLs</p>
</li>
</ul>
<p class="" data-start="2650" data-end="2761">This isn’t one-size-fits-all malware. It’s dynamic and adaptable. Whatever the machine lacks, the RAT fills in.</p>
<h2 class="" data-start="2763" data-end="2794">Lateral Moves and Final Hits</h2>
<p class="" data-start="2796" data-end="2917">Once the RAT takes hold, things escalate. Interlock doesn’t just sit back—they move laterally through corporate networks.</p>
<p class="" data-start="2919" data-end="3108">RDP, PuTTY, AnyDesk, and LogMeIn have all been spotted in their toolkit. They hunt for credentials, map the environment, and quietly exfiltrate sensitive files before locking anything down.</p>
<p class="" data-start="3110" data-end="3164">Sometimes, the ransomware doesn’t even run right away.</p>
<p class="" data-start="3166" data-end="3235">Instead, it’s set to run at 8 PM daily as a scheduled task.</p>
<p class="" data-start="3237" data-end="3441">It also filters by file extension so it doesn’t double-encrypt files that are already locked. The daily rerun isn’t a bug; it’s a fallback that makes sure encryption happens even if an earlier run failed.</p>
<h2 class="" data-start="3443" data-end="3479">The Note That Hits Where It Hurts</h2>
<p class="" data-start="3481" data-end="3534">The ransom note isn’t just a list of demands anymore.</p>
<p class="" data-start="3536" data-end="3694">Interlock’s latest version focuses less on technical threats and more on legal and regulatory nightmares. Think GDPR fines, SEC violations, shareholder panic.</p>
<p class="" data-start="3696" data-end="3800">It’s a psychological sledgehammer—pay up, or deal with lawsuits, lost trust, and maybe a public scandal.</p>
<p class="" data-start="3802" data-end="3826">The message has changed.</p>
<h2 class="" data-start="3828" data-end="3874">ClickFix Isn’t Just Interlock’s Toy Anymore</h2>
<p class="" data-start="3876" data-end="4048">This isn’t just an Interlock issue. Other cybercriminal groups are jumping on the ClickFix bandwagon. Even the infamous Lazarus group from North Korea has joined the trend.</p>
<p class="" data-start="4050" data-end="4127">Just last month, Lazarus used the same trick targeting job seekers in crypto.</p>
<p class="" data-start="4129" data-end="4218">It’s working because it doesn’t feel like a scam—until it’s too late.</p>
<p class="" data-start="4220" data-end="4348">The ClickFix approach feels casual. There’s no scary pop-up. No noisy alert. Just a “verify here” prompt and a quick copy-paste.</p>
<p class="" data-start="4350" data-end="4507">By the time the victim realizes what happened, their files are locked, their credentials are stolen, and attackers are already digging through their network.</p>
<h2 class="" data-start="4509" data-end="4565">Table: Timeline of Interlock’s Known Attack Evolution</h2>
<table data-start="4567" data-end="5202">
<thead data-start="4567" data-end="4672">
<tr data-start="4567" data-end="4672">
<th data-start="4567" data-end="4587">Time Period</th>
<th data-start="4587" data-end="4638">Tactic Used</th>
<th data-start="4638" data-end="4672">Goal</th>
</tr>
</thead>
<tbody data-start="4779" data-end="5202">
<tr data-start="4779" data-end="4884">
<td data-start="4779" data-end="4799">Sep 2024 Launch</td>
<td data-start="4799" data-end="4850">Fake browser/VPN updates</td>
<td data-start="4850" data-end="4884">Malware delivery</td>
</tr>
<tr data-start="4885" data-end="4990">
<td data-start="4885" data-end="4905">Jan 2025</td>
<td data-start="4905" data-end="4956">ClickFix via spoofed IT tool websites</td>
<td data-start="4956" data-end="4990">Initial access</td>
</tr>
<tr data-start="4991" data-end="5096">
<td data-start="4991" data-end="5011">Ongoing</td>
<td data-start="5011" data-end="5062">RAT deployment + credential theft</td>
<td data-start="5062" data-end="5096">Lateral movement</td>
</tr>
<tr data-start="5097" data-end="5202">
<td data-start="5097" data-end="5117">Final Stage</td>
<td data-start="5117" data-end="5168">Ransomware scheduled task, data exfiltration</td>
<td data-start="5168" data-end="5202">Encryption and extortion</td>
</tr>
</tbody>
</table>