Interlock Ransomware Evolves: Hotta Killer Tool Exploits Anti-Cheat Driver to Disable EDR

Listen to this Post

Featured Image

Introduction

Interlock ransomware has quietly transformed from a niche threat actor into a technically sophisticated adversary capable of neutralizing modern endpoint defenses. In a recent campaign uncovered by FortiGuard Labs, the group demonstrated a major tactical leap by deploying a custom process-killing tool named Hotta Killer, designed specifically to disable Endpoint Detection and Response (EDR) platforms before ransomware deployment. By abusing a zero-day vulnerability in a gaming anti-cheat driver, Interlock showcased how threat actors are increasingly weaponizing trusted kernel-level components to bypass security controls. The incident, which targeted a North American education organization, highlights a broader shift in ransomware operations toward stealth, patience, and deep system manipulation.

Interlock’s Attack Chain and Operational Style

Interlock is not a Ransomware-as-a-Service operation.

The group develops and maintains its own tooling.

This independence allows tighter control over operations.

It also enables custom malware tailored to specific targets.

The intrusion began in March 2025.

Initial access was achieved using MintLoader.

MintLoader is a PowerShell-based downloader.

It retrieved a JavaScript implant called NodeSnakeRAT.

NodeSnakeRAT was hosted on attacker-controlled infrastructure.

Known IPs included 138.199.156.228.

The implant executed via legitimate Node.js binaries.

This helped it blend into normal system activity.

Persistence was established early.

Additional payloads were staged quietly.

Among them was Interlock RAT.

Its command-and-control servers included 157.250.195.229:443.

After initial compromise, the attackers went silent.

Infrastructure rotated while access remained intact.

The group reactivated months later, in September.

Dormancy reduced the chance of early detection.

ScreenConnect was deployed for hands-on-keyboard access.

The associated C2 domain was user.kangaroosim.com.

Data exfiltration followed.

Approximately 250GB was transferred using AZCopy.

Only after preparation did encryption begin.

Both Windows and Nutanix systems were targeted.

The Linux variant appended the “!nt3rlock” extension.

Its SHA1 hash was F5C6BD4E9686AFB0C4E7C1C1733FEBB4065D514F.

Windows systems were encrypted using JavaScript-based ransomware.

Files received a misleading “.gif” extension.

This multi-stage approach reflects discipline.

Interlock prioritized control before destruction.

Hotta Killer and the BYOVD Breakthrough

Hotta Killer represents a critical escalation.

It directly targets security software at the kernel level.

The tool was dropped as polers.dll.

It was executed using rundll32.exe.

Arguments such as “start Forti” triggered execution.

This indicated explicit targeting of FortiEDR.

Hotta Killer extracted UpdateCheckerX64.sys.

This driver was a repackaged GameDriverx64.sys.

The driver contained a zero-day flaw.

It was vulnerable under CVE-2025-61155.

Once loaded, it installed as a kernel service.

The service type was SERVICE_KERNEL_DRIVER.

A symbolic link was created at ??E64.

This exposed an IOCTL interface.

The IOCTL used code 0x222040.

A magic flag value of 0xFA123456 authenticated requests.

User-mode code enumerated running processes.

CreateToolhelp32Snapshot was used for this task.

Processes such as “Forti.exe” were identified.

Their PIDs were passed to the driver.

The driver terminated them using ZwTerminateProcess.

This occurred in ring-0, bypassing user-mode protections.

A watchdog script ensured persistence.

Five parallel instances were maintained.

Static detection was avoided.

Reflective loading and obfuscated strings were used.

Despite this, behavioral protections intervened.

FortiEDR detected and disrupted execution during the attack.

Indicators, Detection, and Defensive Measures

Several indicators of compromise were identified.

These included Interlock RAT components.

One example was node.log.

Its SHA1 hash was 2D5F88C396553669BD50183644D77AD3C71D72BB.

Known C2 infrastructure included 216.219.95.234.

These indicators support proactive threat hunting.

Defenders should review scheduled tasks.

Suspicious names like ChromeUpdater warrant attention.

Outbound PowerShell traffic should be restricted.

Especially from non-administrative workstations.

Unnecessary RDP and SMB exposure must be reduced.

Lateral movement depends on these services.

Remote access tools should be tightly controlled.

ScreenConnect should be blocked where not required.

Unsigned or vulnerable drivers must be banned.

Anti-cheat drivers are frequent BYOVD targets.

Monitoring new kernel service installations is critical.

This often precedes EDR tampering.

What Undercode Say:

Interlock’s latest campaign confirms a long-standing trend.

Modern ransomware groups are no longer rushing.

Patience has become a weapon.

Dormant access reduces noise and detection.

The use of BYOVD techniques is especially concerning.

Kernel access collapses traditional security boundaries.

Anti-cheat drivers are an ideal abuse vector.

They are widely trusted and deeply privileged.

This attack demonstrates intentional EDR targeting.

Security tools are now first-class objectives.

Interlock did not rely on commodity exploits.

They invested in custom tooling and research.

The Hotta Killer framework is modular.

It can likely be adapted to other vendors.

The reflective loading approach signals maturity.

Static detection alone is no longer sufficient.

Behavioral monitoring proved decisive.

This reinforces the value of runtime telemetry.

Education sector targeting is not accidental.

These environments often have diverse infrastructure.

Legacy systems increase attack surface.

Budget constraints slow defensive upgrades.

The long dwell time highlights monitoring gaps.

Log retention and correlation remain weak points.

Exfiltration before encryption maximizes leverage.

Ransomware is now a final step, not the first.

The Nutanix targeting shows operational awareness.

Virtualized environments are high-impact targets.

Interlock’s evolution mirrors broader ransomware trends.

Custom malware is replacing affiliate-based chaos.

Defenders must assume kernel-level threats.

User-mode security is no longer enough.

Blocking vulnerable drivers is essential.

So is validating every kernel load event.

Threat intelligence integration must be continuous.

Reactive defense is already too late.

Interlock is not just encrypting data.

It is methodically dismantling trust in endpoint defenses.

Fact Checker Results

✅ Interlock used a BYOVD technique to disable EDR via a vulnerable anti-cheat driver
✅ Hotta Killer leveraged kernel-level process termination through a zero-day flaw
❌ No evidence suggests Interlock operates as a Ransomware-as-a-Service platform

Prediction

🔮 BYOVD-based EDR killers will become standard ransomware tooling

🔮 Anti-cheat and hardware drivers will face increased security scrutiny
🔮 Education and research sectors will remain high-value, low-defense targets

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com/topic/Technology
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon