The Interlock ransomware gang deploys NodeSnake. It is a previously undocumented remote access trojan. This trojan targets educational institutes. It seeks persistent corporate network access. QuorumCyber researchers saw NodeSnake in action. This occurred in two recent cases. UK universities were targeted in early 2025. The malware samples differed significantly from each other. This strongly indicates active NodeSnake development. Interlock ransomware group launched in September 2024. Their past targets include Texas Tech University. DaVita and Kettering Health were also attacked. They also use ‘ClickFix’ attacks for initial infiltration.
Interlock’s attacks on schools start with phishing. Malicious links or email attachments are used. These lead to NodeSnake RAT infections. NodeSnake is JavaScript malware. It executes with NodeJS. Persistence is established using PowerShell or CMD scripts. It writes a deceptive Registry entry. This entry is named ‘ChromeUpdater’. It impersonates Google Chrome’s own updater. For evasion, NodeSnake runs as a background process. Filenames and payloads are assigned random names. C2 addresses cycle with randomized delays. Heavy code obfuscation is also employed. XOR encryption and console tampering further hide it. The C2 IP is hardcoded. However, it is routed via Cloudflare proxies.
Once active on a machine, NodeSnake gathers data. It collects key metadata about the user. It also gets running process information. Services and network configurations are noted. This information is then exfiltrated. It is sent to the command-and-control server. The malware can terminate active processes. It can also load additional malicious payloads. These could be EXE, DLL, or JavaScript files. The newer NodeSnake variant has more functions. It can directly execute CMD commands. It uses extra modules for dynamic C2 polling. Command results are bundled in exfiltrated data. This enables real-time shell interaction for attackers.
NodeSnake’s existence reveals Interlock’s continued evolution. Its ongoing development is a key concern. The group clearly focuses on long-term stealth. They aim for persistent network access. QuorumCyber published a report with IoCs. Monitoring these specific indicators is very important. This can help block ransomware attacks early on. Early detection prevents data exfiltration. It also stops the final encryption phase. NodeSnake provides Interlock with sustained footholds. This greatly aids their later ransomware deployment efforts. Vigilance against this evolving threat is essential.
Reference:
