Interlock & Rhysida Ransomware Share Supper Backdoor
Two prominent ransomware groups, Interlock and Rhysida, share a deeper connection than previously understood. New research reveals that these active threat actors both use a backdoor dubbed Supper. Furthermore, analysis indicates that several of their distinct malware tools originate from the same core codebase, suggesting a shared development or operational link. This finding is detailed in a comprehensive report. The Interlock group, tracked internally as Hive0163, has been running ransomware campaigns since September 2024. Unlike many other ransomware operations, Interlock does not offer its tools to outside affiliates.
Instead, the group relies on a custom-built arsenal that includes NodeSnake, InterlockRAT, and the JunkFiction downloader. Rhysida, on the other hand, has been active since at least May 2023 and runs as a Ransomware-as-a-Service platform.
Analysts at IBM X-Force said in a report shared with Cyber Security News (CSN) that their two-year investigation uncovered strong connections between the two groups.
According to X-Force, the clearest overlap is the shared use of the Supper backdoor, also known as SocksShell or WINDYTWIST, which has appeared in confirmed incidents tied to both ransomware operations.
By the end of 2025, both groups had each claimed roughly 80 victims, with most located in the United States. Healthcare, education, and government were among the hardest hit sectors.

Two separate ransomware operations sharing a private backdoor points to either a common development team or a controlled arrangement where code is sold between trusted actors.
Cisco Talos had earlier assessed, with low confidence, that Interlock may have emerged from Rhysida's operators or developers. IBM X-Force's findings add weight to that theory: code analysis reveals structural similarities across multiple malware families belonging to both groups.
Interlock and Rhysida Ransomware Operations
The Supper backdoor sits at the center of this research. First seen in July 2024, Supper predates both NodeSnake and InterlockRAT and was originally found protected by the JunkFiction crypter, the same one Interlock uses on its own tools.

Supper maintains persistent access to a victim system, creates encrypted tunnels, and runs remote shell commands, all capabilities that closely mirror InterlockRAT.
What makes this especially significant is how these tools behave internally. IBM X-Force found that InterlockRAT and Supper share nearly identical command structures, similar formats for registering with control servers, and the same self-deletion method.
An embedded DLL that older Supper versions use to erase themselves from disk is the same component found inside the Interlock ransomware binary, where it is triggered when the ransomware is instructed to delete itself after encrypting files.
NodeSnake, which acts as the first-stage loader in most Interlock infections, shares code logic and server addresses with both the JunkFiction downloader and InterlockRAT.

A newer Python-based backdoor called ModeloRAT, deployed by the TAG-124 traffic distribution network tied to Interlock, further extends NodeSnake’s code structure and uses identical network validation bytes. These overlaps strongly suggest the tools were built by the same developers.
Attack Chains, Infection Tactics, and Toolset
Both groups rely heavily on trojanized software installers to gain entry into victim networks. Fake download pages for tools like Microsoft Teams are designed to look legitimate, tricking users into running malicious files.
These installers are signed with fraudulent code-signing certificates bought from cybercrime forums, helping them pass security checks on most systems.
Once inside, attackers use traffic distribution systems to redirect victims and deliver payloads through ClickFix-style attacks or fake browser updates.

Interlock has been repeatedly tied to a system known as TAG-124, also tracked as LandUpdate808. Rhysida actors, operating under the Vanilla Tempest cluster, have used Gootloader-based access that hands off to Supper before ransomware is deployed.
Post-compromise activity is thorough and methodical. Attackers move through networks using tools like AzCopy, Advanced Port Scanner, and credential stealers before dropping ransomware.
IBM X-Force also found a custom Windows Defender Application Control policy on Interlock staging servers, built to disable Defender and endpoint tools while letting the group’s own malware run freely.
Organizations should monitor for abnormally signed executables, watch for unexpected use of remote management software, and treat ClickFix-style browser prompts as a high-priority warning sign.
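One way to act on the first of those recommendations, as an added example that is not part of the article or the X-Force report: triage process-creation records for installers that claim a vendor brand (here Microsoft Teams) but are signed by an unrelated certificate or were downloaded from a non-vendor host. The event fields, the signer and host allowlists, and the sample events are all constructed assumptions.

```python
"""Flag branded installers whose code signer or download origin does not
match the brand they claim. Records mimic Sysmon-style process-creation
events enriched with Authenticode and mark-of-the-web data (assumed schema)."""
from dataclasses import dataclass

# Assumed allowlists: which signer subjects and download hosts are legitimate
# for a given brand. A real deployment would load these from policy.
BRAND_SIGNERS = {"microsoft": ("microsoft corporation", "microsoft windows")}
BRAND_HOSTS = {"microsoft": ("microsoft.com", "office.com")}


@dataclass
class ProcessEvent:
    image: str               # path of the executed file
    product: str             # product name from the PE version resource
    signer: str              # subject CN of the Authenticode signer ("" if unsigned)
    signature_valid: bool    # chain validated by the endpoint agent
    mark_of_web_host: str    # host recorded in the Zone.Identifier ADS ("" if none)


def claimed_brand(event: ProcessEvent):
    """Return the brand the file presents itself as, or None."""
    text = f"{event.image} {event.product}".lower()
    return next((b for b in BRAND_SIGNERS if b in text), None)


def evaluate(event: ProcessEvent) -> list:
    """Return the reasons this event looks like a trojanized installer."""
    reasons = []
    brand = claimed_brand(event)
    if brand is None:
        return reasons
    if not event.signature_valid:
        reasons.append("branded installer is unsigned or has an invalid signature")
    elif not event.signer.lower().startswith(BRAND_SIGNERS[brand]):
        reasons.append(f"'{brand}' branding signed by unrelated signer '{event.signer}'")
    host = event.mark_of_web_host.lower()
    if host and not any(host == h or host.endswith("." + h) for h in BRAND_HOSTS[brand]):
        reasons.append(f"branded installer downloaded from non-vendor host '{host}'")
    return reasons


# Constructed sample events: a genuine Teams installer, a lookalike-site
# installer signed with a purchased certificate, and an unrelated tool.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\u\Downloads\MSTeamsSetup.exe", "Microsoft Teams",
                 "Microsoft Corporation", True, "teams.microsoft.com"),
    ProcessEvent(r"C:\Users\u\Downloads\MSTeamsSetup.exe", "Microsoft Teams",
                 "Example Trading LLC", True, "microsoft-teams.example"),
    ProcessEvent(r"C:\Tools\archiver.exe", "Example Archiver",
                 "Example Archiver Ltd", True, "archiver.example"),
]
```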
Indicators of Compromise (IoCs):