Interlock Ransomware Employs Multi-Stage Attack Via Legitimate Websites to Deliver Malicious Browser Updates


Cybersecurity experts have identified a sophisticated ransomware threat known as Interlock, which has been quietly expanding its operations since its first appearance in September 2024.

This malware employs an elaborate multi-stage attack chain, beginning with the compromise of legitimate websites that deliver fake browser updates to unsuspecting users.

Companies impacted by Interlock span various sectors across North America and Europe, indicating an opportunistic target selection approach rather than industry-specific targeting.


Unlike many contemporary threats, Interlock does not appear to operate as a Ransomware-as-a-Service (RaaS) scheme: no advertisements recruiting affiliates have been found, which points to a closed group running its own intrusions.

The group maintains a data leak site dubbed “Worldwide Secrets Blog” where they expose victim data and provide negotiation channels.

Despite their continuing operations, Interlock has claimed fewer victims—24 since September 2024, including just 6 in 2025—compared to more prolific ransomware groups that have each claimed over one hundred victims in Q1 2025 alone.

Sekoia Threat Detection & Research (TDR) team analysts have identified significant evolution in Interlock’s tactics since its emergence.

Interlock’s DLS (Source – Sekoia)

The operators have improved their toolset and incorporated new techniques such as ClickFix to deploy their ransomware payload, alongside employing additional tools like LummaStealer and BerserkStealer to enhance their capabilities.

The initial infection vector relies on social engineering, tricking users into downloading and executing what appear to be legitimate browser updates.

These fake updaters are PyInstaller-packaged executables that, when launched by the victim, download and run the genuine Chrome or Microsoft Edge installer as a decoy while also executing an embedded PowerShell backdoor script.

Sophisticated Multi-Stage Infection Chain

The PowerShell backdoor is the first stage of the attack: it beacons in an infinite loop, issuing HTTP requests to its command-and-control (C2) servers.

This script collects extensive system information including user context, system details, running processes, services, available drives, and network configuration.

The collected data is XORed with a key hardcoded in the script, then Gzip-compressed and transmitted to the C2 server. Because the key ships inside the script, this is obfuscation rather than encryption: anyone holding a sample can decode captured beacons.
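The following is an added example, not code from the article or from Sekoia. It reproduces the beacon encoding as described (serialize, XOR with a hardcoded repeating key, Gzip) on a constructed system-survey record, then shows the analyst's side: decoding with the key and, going beyond the article, recovering the key from a known plaintext prefix. The key, the JSON record layout and the field names are all assumptions; the page gives none of them.

```python
import gzip
import json

# Added example, not the article's or Sekoia's code. The key and the record
# layout are constructed placeholders: the page gives neither the real key nor
# the wire format, only "XOR with a hardcoded key, then gzip".
XOR_KEY = b"hypothetical-key"

# Constructed system-survey record of the kind the backdoor collects.
SAMPLE_SYSINFO = {
    "drives": ["C:\\", "D:\\"],
    "hostname": "WS-FINANCE-07",
    "network": {"ip": "10.20.30.40", "gateway": "10.20.30.1"},
    "processes": ["explorer.exe", "powershell.exe", "outlook.exe"],
    "user": "CORP\\j.doe",
}


def serialize(sysinfo: dict) -> bytes:
    """Stable serialization so the plaintext prefix is predictable (assumed JSON)."""
    return json.dumps(sysinfo, sort_keys=True).encode()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(sysinfo: dict, key: bytes = XOR_KEY) -> bytes:
    """Malware side, in the order the article describes: XOR first, then gzip."""
    return gzip.compress(xor_bytes(serialize(sysinfo), key), mtime=0)


def decode_beacon(blob: bytes, key: bytes = XOR_KEY) -> dict:
    """Analyst side: gunzip the captured body, XOR with the key, parse."""
    return json.loads(xor_bytes(gzip.decompress(blob), key).decode())


def recover_key(blob: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext recovery of a repeating XOR key.

    XORing the decompressed bytes with a known plaintext prefix yields the
    keystream; the shortest period that explains it is the key. The prefix
    should be at least twice the key length to rule out shorter false periods.
    """
    xored = gzip.decompress(blob)
    keystream = xor_bytes(xored[: len(known_prefix)], known_prefix)
    for period in range(1, len(keystream) + 1):
        if all(keystream[i] == keystream[i - period]
               for i in range(period, len(keystream))):
            return keystream[:period]


if __name__ == "__main__":
    blob = encode_beacon(SAMPLE_SYSINFO)
    print(f"beacon body: {len(blob)} bytes, gzip magic {blob[:2].hex()}")
    print("decoded:", decode_beacon(blob))
    # An analyst who knows how a record starts (for instance from one
    # decompiled sample) can recover the key from any later capture.
    print("recovered key:", recover_key(blob, serialize(SAMPLE_SYSINFO)[:48]))
```

The order matters for triage: the body on the wire starts with the Gzip magic `1f 8b`, so a proxy or IDS sees a compressed blob, and only after decompression does the XOR layer appear.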

Multiple versions of this PowerShell RAT have been observed, evolving from version 1 to version 11.

Later iterations add persistence by creating registry entries that relaunch the script at startup, and can execute arbitrary Windows commands received from the C2 server.
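As an added example (not from the article or Sekoia), the script below is a triage check for the kind of persistence just described: it parses `reg query` output for an autorun key and flags entries that launch PowerShell, listing the suspicious switches and decoding any `-EncodedCommand` payload. The HKCU Run key location and every entry in the sample are constructed; the page names no specific key or value.

```python
import base64
import re

# Added example, not the article's or Sekoia's code. Constructed `reg query`
# output: the HKCU Run key is an assumption (the page only says the script
# creates registry entries that relaunch it at startup); all entries are made up.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\j.doe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ChromeUpdate    REG_SZ    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -File C:\Users\j.doe\AppData\Roaming\ChromeUpdate\update.ps1
    Edge    REG_SZ    powershell -nop -w hidden -enc dwBoAG8AYQBtAGkA
    Teams    REG_SZ    C:\Users\j.doe\AppData\Local\Microsoft\Teams\Update.exe --processStart "Teams.exe"
"""

# Case-insensitive indicators typical of a scripted PowerShell autorun.
INDICATORS = [
    (r"\bpowershell(\.exe)?\b", "launches PowerShell"),
    (r"-w(indowstyle)?\s+hidden\b", "hidden window"),
    (r"-(nop|noprofile)\b", "skips profile"),
    (r"-(ep|executionpolicy)\s+bypass\b", "execution policy bypass"),
    (r"-e(nc|c|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", "encoded command"),
    (r"\\appdata\\", "runs from user-writable AppData"),
]
ENCODED_RE = re.compile(r"-e(?:nc|c|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)


def parse_reg_query(text: str) -> dict:
    """Map value name -> data from `reg query <key>` output (name, type, data)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HKEY"):
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        if len(parts) == 3:
            name, _type, data = parts
            entries[name] = data
    return entries


def decode_encoded_command(cmd: str):
    """-EncodedCommand carries base64 of UTF-16LE script text; return it or None."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_run_entries(text: str) -> dict:
    """Return {name: {"command", "reasons", "decoded"}} for PowerShell autoruns."""
    findings = {}
    for name, cmd in parse_reg_query(text).items():
        reasons = [why for pat, why in INDICATORS if re.search(pat, cmd, re.I)]
        if "launches PowerShell" not in reasons:
            continue  # a legitimate binary living in AppData is not, by itself, a finding
        findings[name] = {"command": cmd, "reasons": reasons,
                          "decoded": decode_encoded_command(cmd)}
    return findings


if __name__ == "__main__":
    for name, f in scan_run_entries(SAMPLE_REG_QUERY).items():
        print(f"{name}: {', '.join(f['reasons'])}")
        if f["decoded"]:
            print(f"  decoded -EncodedCommand: {f['decoded']!r}")
```

Run it against `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) collected from a suspect host; the gate on "launches PowerShell" keeps ordinary AppData updaters out of the results while still recording which switches each flagged entry uses.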

Fake Cloudflare CAPTCHA (Source – Sekoia)

The C2 infrastructure demonstrates resilience through careful distribution across various hosting providers, with domains typically leveraging Cloudflare services and backup IP addresses strategically allocated across different autonomous systems.

In early 2025, the operators expanded their tactics by switching from browser update lures to security software updaters, masquerading as FortiClient, Ivanti Secure Access Client, GlobalProtect, and other security products.

This adaptation shows the group continuing to refine its techniques while staying below the detection threshold of many security operations teams.
