Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

New NodeSnake RAT Hits UK Universities

May 29, 2025
Reading Time: 2 mins read
in Alerts
APT41 Uses Google Calendar For C2 Operations

The Interlock ransomware gang deploys NodeSnake. It is a previously undocumented remote access trojan. This trojan targets educational institutes. It seeks persistent corporate network access. QuorumCyber researchers saw NodeSnake in action. This occurred in two recent cases. UK universities were targeted in early 2025. The malware samples differed significantly from each other. This strongly indicates active NodeSnake development. Interlock ransomware group launched in September 2024. Their past targets include Texas Tech University. DaVita and Kettering Health were also attacked. They also use ‘ClickFix’ attacks for initial infiltration.

Interlock’s attacks on schools start with phishing. Malicious links or email attachments are used. These lead to NodeSnake RAT infections. NodeSnake is JavaScript malware. It executes with NodeJS. Persistence is established using PowerShell or CMD scripts. It writes a deceptive Registry entry. This entry is named ‘ChromeUpdater’. It impersonates Google Chrome’s own updater. For evasion, NodeSnake runs as a background process. Filenames and payloads are assigned random names. C2 addresses cycle with randomized delays. Heavy code obfuscation is also employed. XOR encryption and console tampering further hide it. The C2 IP is hardcoded. However, it is routed via Cloudflare proxies.

Once active on a machine, NodeSnake gathers data. It collects key metadata about the user. It also gets running process information. Services and network configurations are noted. This information is then exfiltrated. It is sent to the command-and-control server. The malware can terminate active processes. It can also load additional malicious payloads. These could be EXE, DLL, or JavaScript files. The newer NodeSnake variant has more functions. It can directly execute CMD commands. It uses extra modules for dynamic C2 polling. Command results are bundled in exfiltrated data. This enables real-time shell interaction for attackers.

NodeSnake’s existence reveals Interlock’s continued evolution. Its ongoing development is a key concern. The group clearly focuses on long-term stealth. They aim for persistent network access. QuorumCyber published a report with IoCs. Monitoring these specific indicators is very important. This can help block ransomware attacks early on. Early detection prevents data exfiltration. It also stops the final encryption phase. NodeSnake provides Interlock with sustained footholds. This greatly aids their later ransomware deployment efforts. Vigilance against this evolving threat is essential.

Reference:

  • Interlock Uncages NodeSnake Remote Access Trojan Targeting UK University Networks
Tags: Cyber AlertsCyber Alerts 2025CyberattackCybersecurityMay 2025
ADVERTISEMENT

Related Posts

Yes24 Down After Cyberattack

Win-DDoS Flaws Enable DC DDoS Botnets

August 12, 2025
Yes24 Down After Cyberattack

GPT-5 Jailbreak, Zero-Click AI Threats

August 12, 2025
Yes24 Down After Cyberattack

7-Zip Flaw Enables Arbitrary Code Run

August 12, 2025
WinRAR Zero-Day Actively Exploited

WinRAR Zero-Day Actively Exploited

August 11, 2025
WinRAR Zero-Day Actively Exploited

Lenovo Linux Webcam BadUSB Flaw

August 11, 2025
WinRAR Zero-Day Actively Exploited

Tesla-Themed Malware in Google Ads

August 11, 2025

Latest Alerts

Win-DDoS Flaws Enable DC DDoS Botnets

GPT-5 Jailbreak, Zero-Click AI Threats

7-Zip Flaw Enables Arbitrary Code Run

Tesla-Themed Malware in Google Ads

Lenovo Linux Webcam BadUSB Flaw

WinRAR Zero-Day Actively Exploited

Subscribe to our newsletter

    Latest Incidents

    Columbia Data Breach Hits 900K

    Chinese Gang Hits 115M US Payment Cards

    Yes24 Down After Cyberattack

    University of WA Major Data Breach

    Google Ads Customers’ Data Breach

    Connex Credit Union Data Breach

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial