In the rapidly shifting world of digital extortion, the boundaries between rival criminal organizations are becoming increasingly porous. Dominic Jainy, a seasoned IT professional with a deep background in artificial intelligence and blockchain applications, has spent years dissecting the structural nuances of modern cyber-threats. Recently, his attention has been fixed on the unexpected convergence of Interlock and Rhysida, two ransomware powerhouses that appear to be drawing from a singular well of innovation. This discussion explores the tactical similarities between Interlock’s private arsenal and Rhysida’s affiliate-driven model, the shared DNA within the Supper backdoor, and the sophisticated social engineering tactics that have claimed nearly 160 combined victims by 2025.
The conversation covers the technical fingerprints left behind by these actors, including a shared self-deletion mechanism and the use of fraudulent code-signing certificates. We also examine the specific targeting of healthcare and government sectors, the role of traffic distribution systems like TAG-124, and the specialized Windows Defender bypasses that allow these groups to operate with impunity once inside a network.
The Supper backdoor has been observed facilitating persistent access and encrypted tunnels for multiple ransomware groups. What can you tell us about the significance of this shared infrastructure between Interlock and Rhysida?
The discovery of the Supper backdoor, which we also track as SocksShell or WINDYTWIST, serves as a definitive “smoking gun” that bridges the gap between what we previously thought were two distinct operations. When we look under the hood of these incidents, we see that Supper is not just a generic tool; it is a highly specialized component that was first identified in July 2024, predating many of Interlock’s more modern tools like NodeSnake. What makes this shared infrastructure so fascinating is that Supper was originally found wrapped in the JunkFiction crypter—the exact same protective layer that Interlock uses for its custom-built RAT. This isn’t a case of two groups happening to use the same off-the-shelf software; it indicates a controlled, perhaps even exclusive, arrangement where the core code is either developed by the same hand or sold through a very tight, trusted circle of actors. By providing persistent access and the ability to run remote shell commands, Supper acts as the foundation upon which both Interlock’s private campaigns and Rhysida’s service-based attacks are built.
While Rhysida functions as a Ransomware-as-a-Service platform, Interlock keeps its tools strictly in-house. How does this difference in operational philosophy affect their respective impacts on global security?
The contrast between these two groups is a perfect study in the evolution of the cybercrime economy. Interlock, which we track as Hive0163, is a “boutique” operation that has been running its own campaigns since September 2024 without the help of outside affiliates, relying instead on its proprietary stack of NodeSnake and InterlockRAT. Rhysida, on the other hand, has been a major player since at least May 2023 and follows the Ransomware-as-a-Service or RaaS model, which essentially democratizes high-level extortion tools for any criminal willing to pay a cut. Despite these different business models, the results are shockingly similar in terms of pure volume; by the end of 2025, both groups had claimed roughly 80 victims each. Interlock’s “closed-door” policy suggests a group that prioritizes operational security and code integrity, while Rhysida’s platform model allows for a more chaotic, widespread spread of the same underlying malicious logic.
Looking at the 2025 data, both groups have hit critical sectors like healthcare, education, and government particularly hard. What makes these organizations such enticing targets for this specific shared toolkit?
The targeting of healthcare and government sectors is a cold, calculated move based on the high stakes of downtime and the sensitive nature of the data involved. When you have a combined 160 victims across these sectors by 2025, it’s clear that the attackers are looking for environments where the pressure to restore services quickly is at its absolute peak. These organizations often struggle with legacy systems that are vulnerable to the types of credential-stealing and privilege-escalation tools we see in the Interlock and Rhysida playbooks, such as those exploiting CVE-2023-36036. Furthermore, these groups utilize trojanized installers for ubiquitous tools like Microsoft Teams, knowing that employees in government and education are likely to trust these familiar communication platforms. It is a predatory strategy that exploits the essential nature of these institutions, using their own internal processes as a Trojan horse to deploy the Supper backdoor.
Analysts have pointed to a common development team based on structural similarities in their malware. Could you walk us through the specific technical “fingerprints,” like the self-deletion DLL, that link these two operations?
The technical evidence is overwhelming when you start comparing the binaries of InterlockRAT and the older versions of Supper. We found that the command structures and the formats used to register with control servers are nearly identical, which is like finding two different houses built with the exact same unconventional wiring. Perhaps the most compelling “fingerprint” is an embedded DLL used by Supper to erase itself from a victim’s disk once its job is done; this exact same component is found inside the Interlock ransomware binary itself. This DLL is triggered to delete the malware after the encryption process is finished, effectively cleaning up the crime scene. Additionally, the newer Python-based ModeloRAT, which is deployed via the TAG-124 network, uses the same network validation bytes as NodeSnake, proving that the code logic has remained consistent even as the language of the malware evolved.
Social engineering remains a primary entry point, with fake Microsoft Teams installers and credential prompts. How do these groups use fraudulent certificates and ClickFix-style attacks to bypass traditional defenses?
The sophistication of their delivery methods is where these groups really excel at deceiving the average user. They create fake download pages that are visually indistinguishable from legitimate Microsoft sites, prompting users to download an “Update” that is actually a malicious payload signed with a fraudulent code-signing certificate. These certificates are often purchased from shady cybercrime forums, allowing the malware to bypass the standard security warnings that usually stop unsigned software. One particularly devious tactic involves a fake browser update window that shows a progress bar; once it hits exactly 4% completion, it pauses and asks the user for their credentials to “continue” the installation. This creates a sense of urgency and legitimacy that tricks even tech-savvy individuals into handing over the keys to the kingdom before the NodeSnake loader even begins its work.
Beyond the initial breach, the deployment of tools like ModeloRAT and the use of the TAG-124 network show a high level of sophistication. How do these newer Python-based backdoors expand the threat landscape?
The introduction of ModeloRAT is a significant pivot because it shows these developers are willing to adopt cross-platform, versatile languages like Python to expand their reach. Deployed through the TAG-124 traffic distribution network—also known as LandUpdate808—this backdoor inherits the same structural DNA as the original NodeSnake loader. This network of distribution allows the attackers to redirect victims through a series of “ClickFix” style attacks, effectively masking the true origin of the malware and making it harder for security researchers to track the command-and-control infrastructure. By using identical network validation bytes across these different tools, the actors can maintain a unified control system for a diverse range of payloads. This level of coordination suggests that they aren’t just reacting to security measures, but are proactively building an ecosystem that can adapt to different environments and defense postures.
Finally, we see these actors disabling security tools using custom Windows Defender Application Control policies. What should IT departments be looking for to detect such a methodical and thorough post-compromise strategy?
Once the attackers gain a foothold, their priority shifts to blinding the defenders, and they do this with a surgical precision that is honestly quite terrifying. On Interlock staging servers, we discovered custom Windows Defender Application Control (WDAC) policies designed specifically to neuter endpoint security tools while allowing their own malicious binaries to run without interference. IT departments need to be hyper-vigilant for the presence of tools like AzCopy or Advanced Port Scanner, which are frequently used to map out the network and exfiltrate data before the ransomware is even dropped. Monitoring for abnormally signed executables is crucial, as is watching for any unauthorized attempts to modify system-level security policies. If you see a “ClickFix” style prompt or a sudden, unexpected use of remote management software, you should treat it as a high-priority warning sign that a deep compromise is already underway.
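One way to turn the indicators in this answer into a concrete triage pass, as an added example that is not code from the interview or from any vendor: a short Python script that runs over constructed Sysmon-style process-creation and file-write events and flags the post-compromise behaviours discussed (AzCopy or Advanced Port Scanner execution, writes to the Windows Code Integrity policy locations that WDAC reads, executables signed by an unexpected or invalid publisher, and remote-management tooling). The recon/exfil tool names come from the discussion and the WDAC policy paths are the standard Code Integrity locations on Windows; the remote-management tool list, the trusted-signer allowlist and the sample events are assumptions to adjust to your own estate.

```python
"""Triage constructed endpoint telemetry for the post-compromise indicators
described above. Added example; assumptions are marked in comments."""
import ntpath
import re
from dataclasses import dataclass

# Tools named in the discussion as recon / exfiltration staging (image basenames).
RECON_EXFIL_TOOLS = {"azcopy.exe", "advanced_port_scanner.exe"}

# Assumed remote-management executables; replace with what your estate sanctions.
REMOTE_MGMT_TOOLS = {"anydesk.exe", "screenconnect.windowsclient.exe"}

# Standard Code Integrity locations from which WDAC policies are loaded.
WDAC_POLICY_PATH = re.compile(
    r"\\windows\\system32\\codeintegrity\\(sipolicy\.p7b|cipolicies\\active\\[^\\]+\.cip)$",
    re.IGNORECASE,
)

# Assumed allowlist of publishers you expect to sign executables on these hosts.
TRUSTED_SIGNERS = {"Microsoft Corporation", "Microsoft Windows"}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    reason: str
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply every rule to one event and return the findings it produces."""
    out: list[Finding] = []
    host = ev["host"]
    if ev["type"] == "process":
        name = _basename(ev["image"])
        if name in RECON_EXFIL_TOOLS:
            out.append(Finding(host, "high", "recon/exfil tool executed", ev["cmdline"]))
        if name in REMOTE_MGMT_TOOLS:
            out.append(Finding(host, "medium", "remote-management tool executed", ev["image"]))
        signer = ev.get("signer")
        # "Abnormally signed": a publisher is present but the chain does not validate
        # (revoked or bad certificate), or the publisher is not one we expect.
        if signer and not ev.get("signature_valid", False):
            out.append(Finding(host, "high", "executable with invalid signature",
                               f"{ev['image']} signed by {signer}"))
        elif signer and signer not in TRUSTED_SIGNERS:
            out.append(Finding(host, "medium", "executable signed by unexpected publisher",
                               f"{ev['image']} signed by {signer}"))
    elif ev["type"] == "file":
        if WDAC_POLICY_PATH.search(ev["target_path"]):
            out.append(Finding(host, "high", "WDAC/Code Integrity policy written",
                               f"{ev['image']} -> {ev['target_path']}"))
    return out


def triage(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Number of findings per host, so the noisiest hosts surface first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "signer": "Microsoft Windows", "signature_valid": True, "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws01", "type": "process", "image": r"C:\Users\alice\Downloads\MSTeamsSetup.exe",
     "signer": "Example Software Ltd", "signature_valid": True, "cmdline": "MSTeamsSetup.exe"},
    {"host": "ws01", "type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\Update.exe",
     "signer": "Example Trading LLC", "signature_valid": False, "cmdline": "Update.exe"},
    {"host": "ws01", "type": "process", "image": r"C:\ProgramData\Advanced_Port_Scanner.exe",
     "signer": None, "signature_valid": False, "cmdline": "Advanced_Port_Scanner.exe 10.0.0.0/24"},
    {"host": "srv02", "type": "file", "image": r"C:\Windows\System32\cmd.exe",
     "target_path": r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{00000000-1111-2222-3333-444444444444}.cip"},
    {"host": "srv02", "type": "process", "image": r"C:\Tools\azcopy.exe",
     "signer": "Microsoft Corporation", "signature_valid": True,
     "cmdline": "azcopy copy D:\\Share https://placeholder.blob.example/out --recursive"},
    {"host": "srv02", "type": "process", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "signer": "Example RMM GmbH", "signature_valid": True, "cmdline": "AnyDesk.exe --service"},
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity:6}] {f.host}: {f.reason} ({f.detail})")
    print(summarize(results))
```

Note that the AzCopy event is flagged even though it carries a valid Microsoft signature: the point of the rule is that a legitimately signed, dual-use tool appearing on a file server is itself the signal, independent of signature checks. Unsigned binaries deliberately produce no signer finding here, because in most estates that would drown the alert in noise; the signer rules concentrate on the fraudulently signed case the discussion describes.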
What is your forecast for the evolution of shared malware ecosystems between supposedly independent ransomware groups?
I believe we are entering an era of “Cyber-Consolidation,” where the distinction between individual ransomware “brands” will become secondary to the shared development hubs that power them. We will see a shift toward more modular, multi-language malware suites—much like the transition from NodeSnake to the Python-based ModeloRAT—that allow different criminal groups to “subscribe” to specific functionalities like initial access or stealthy persistence. This means defenders can no longer afford to look for a single group’s signature; instead, they must focus on the underlying shared utilities like the Supper backdoor and the JunkFiction crypter that are becoming the universal standards for the underground. As these developers become more specialized, we should expect more sophisticated bypasses for tools like Windows Defender, making behavioral analysis and zero-trust architectures more critical than they have ever been.
