Interlock and Rhysida Ransomware Linked by Shared Supper Backdoor and Overlapping Codebase
IBM X-Force reveals that the Interlock and Rhysida ransomware operations share the Supper backdoor and exhibit overlapping malware codebases, suggesting a common development team.

Two of the more active ransomware groups operating today, Interlock and Rhysida, have more in common than previously thought. New research from IBM X-Force shows both groups share a backdoor called Supper, and that several of their malware tools appear to have grown from the same original code. The findings, shared with Cyber Security News, point to either a common development team or a controlled arrangement where code is sold between trusted actors.
The Interlock group, tracked internally as Hive0163, has been running ransomware campaigns since September 2024. Unlike many other ransomware operations, Interlock does not offer its tools to outside affiliates. Instead, the group relies on a custom-built arsenal that includes NodeSnake, InterlockRAT, and the JunkFiction downloader. Rhysida, on the other hand, has been active since at least May 2023 and runs as a Ransomware-as-a-Service platform. By the end of 2025, both groups had each claimed roughly 80 victims, with most located in the United States. Healthcare, education, and government were among the hardest hit sectors.
The Supper backdoor sits at the center of this research. First seen in July 2024, Supper predates both NodeSnake and InterlockRAT and was originally found protected by the JunkFiction crypter, the same one Interlock uses on its own tools. Supper maintains persistent access to a victim system, creates encrypted tunnels, and runs remote shell commands, capabilities that closely mirror InterlockRAT. IBM X-Force found that InterlockRAT and Supper share nearly identical command structures, similar formats for registering with control servers, and the same self-deletion method. An embedded DLL that older Supper versions use to erase themselves from disk is the same component found inside the Interlock ransomware binary, which invokes it when instructed to delete itself after encrypting files.
NodeSnake, which acts as the first-stage loader in most Interlock infections, shares code logic and server addresses with both the JunkFiction downloader and InterlockRAT. A newer Python-based backdoor called ModeloRAT, deployed by the TAG-124 traffic distribution network tied to Interlock, further extends NodeSnake's code structure and uses identical network validation bytes. These overlaps strongly suggest the tools were built by the same developers.
Both groups rely heavily on trojanized software installers to gain entry into victim networks. Fake download pages for tools like Microsoft Teams are designed to look legitimate, tricking users into running malicious files. These installers are signed with fraudulent code-signing certificates bought from cybercrime forums, helping them pass security checks on most systems. Once inside, attackers use traffic distribution systems to redirect victims and deliver payloads through ClickFix-style attacks or fake browser updates.
Post-compromise activity is thorough and methodical. Attackers move through networks using tools like AzCopy, Advanced Port Scanner, and credential stealers before dropping ransomware. IBM X-Force also found a custom Windows Defender Application Control policy on Interlock staging servers, built to block Defender and endpoint security tools from running while allowing the group's own malware to execute freely.
Organizations should monitor for abnormally signed executables, watch for unexpected use of remote management software, and treat ClickFix-style browser prompts as a high-priority warning sign. The shared infrastructure and code between Interlock and Rhysida highlight a growing trend of consolidation within the ransomware ecosystem, where established groups collaborate or share resources to maximize their impact.