In order to disable endpoint detection and response (EDR) systems during intrusions, the Interlock ransomware group has refined its tradecraft with a new process-killing tool known as Hotta Killer. This article examines the intrusions in which it was used. The tool significantly alters Interlock's operations against security products such as FortiEDR by exploiting a zero-day vulnerability in a gaming anti-cheat driver.

This technique was discovered by FortiGuard security researchers during a recent attack on a North American educational institution, where Interlock operators used EDR termination as a means of enabling encryption. The group, known for custom malware rather than a Ransomware-as-a-Service (RaaS) model, maintains persistence through implants such as NodeSnakeRAT and Interlock RAT before moving on to data exfiltration and ransomware deployment.

In March 2025, Interlock launched its attack using MintLoader, a PowerShell downloader that retrieved NodeSnakeRAT from IP addresses such as 138.199.156.228. Running on a legitimate Node.js runtime, this JavaScript implant established persistence and dropped additional payloads, including Interlock RAT variants with C2 servers such as 157.250.195.229:443. Operators then lay dormant for several months, rotating infrastructure, before reactivating in September.

They prepared ransomware for Windows and Nutanix systems, exfiltrated 250GB using AZCopy, and used ScreenConnect (C2: user.kangaroosim.com) for remote access. The Linux ransomware variant (SHA1: F5C6BD4E9686AFB0C4E7C1C1733FEBB4065D514F) appended the .!nt3rlock extension to encrypted files, whereas the Windows variant, delivered as JavaScript (SHA1: AD77FBDBB2FCBDB440428EED3E76D106E1119FCF), appended .gif.

Hotta Killer Technique

Hotta Killer is a bring-your-own-vulnerable-driver (BYOVD) tool dropped as polers.dll (SHA1: 3B9B2D5934F9ED1E3A000A760A6FA90422E8A555). It is invoked by rundll32.exe with arguments such as "start Forti".

It extracts and loads UpdateCheckerX64.sys (SHA1: 7556AE58C215B8245A43F764F0676C7A8F0FDD1A), a repackaged GameDriverx64.sys vulnerable to CVE-2025-61155.

(Figure: a sample of code that uses dynamic strings. Source: Fortinet)

The driver creates a symbolic link (\??\E64), installs as a kernel service (SERVICE_KERNEL_DRIVER), and exposes an IOCTL (0x222040) gated by the magic value 0xFA123456.

Using CreateToolhelp32Snapshot, the user-mode component enumerates running processes, matches targets such as "Forti.exe", and passes their PIDs to the driver, which terminates them with ZwTerminateProcess. A watchdog script keeps five instances running continuously. Through reflective loading and dynamic strings, the tool evaded static detection, but during this incident it was unable to overcome FortiEDR's behavioral protections.
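The detection side of the chain just described can be expressed as a few host-telemetry checks. The following is an added example written for this article, not Fortinet's or Interlock's code: it runs over constructed events resembling Windows service-install and process-creation records (the field names, the C:\Users\Public drop path and the PIDs are assumptions) and flags a kernel-driver service installed from outside the system driver directory, rundll32.exe loading a non-system DLL with an EDR-name argument, and the burst of identical launches that a watchdog keeping five copies alive produces.

```python
"""Host-telemetry checks for a BYOVD EDR-killer chain (added example, not Fortinet's code).

Events are constructed to resemble Windows service-install (System log 7045) and
process-creation records; the field names, drop path and PIDs are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List

SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"
SYSTEM32_DIR = r"c:\windows\system32"
# "Forti" is the argument seen in the article; extend with the names your own EDR processes use.
EDR_NAME_HINTS = ("forti",)

# rundll32 <dll>[, or space]<export and args>; accepts quoted DLL paths.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"\s,]+\.dll)"?[,\s]+(?P<args>.*)$', re.I)

# Constructed telemetry: one driver dropped to a user-writable path, one normal
# driver, one benign rundll32 use, and five watchdog-maintained killer launches.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "service_install", "name": "UpdateCheckerX64", "service_type": "kernel_driver",
     "path": r"C:\Users\Public\UpdateCheckerX64.sys", "signed": True},
    {"type": "service_install", "name": "disk", "service_type": "kernel_driver",
     "path": r"C:\Windows\System32\drivers\disk.sys", "signed": True},
    {"type": "process_create", "pid": 3990,
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
] + [
    {"type": "process_create", "pid": 4100 + i,
     "cmdline": r"rundll32.exe C:\Users\Public\polers.dll start Forti"}
    for i in range(1, 6)
]


def suspicious_driver_installs(events: List[Dict]) -> List[str]:
    """Kernel-driver services installed from outside the system driver directory, or unsigned.

    A valid signature does not clear a BYOVD driver (the abused driver is a legitimately
    signed product), so the install path is the stronger of the two signals.
    """
    hits = []
    for ev in events:
        if ev.get("type") != "service_install" or ev.get("service_type") != "kernel_driver":
            continue
        path = ev.get("path", "").lower()
        if not path.startswith(SYSTEM_DRIVER_DIR) or not ev.get("signed", False):
            hits.append(ev["name"])
    return hits


def rundll32_kill_candidates(events: List[Dict]) -> List[int]:
    """PIDs of rundll32 launches of a non-system DLL whose arguments name an EDR process."""
    hits = []
    for ev in events:
        if ev.get("type") != "process_create":
            continue
        m = RUNDLL32_RE.search(ev.get("cmdline", ""))
        if not m:
            continue
        dll, args = m.group("dll").lower(), m.group("args").lower()
        if not dll.startswith(SYSTEM32_DIR) and any(h in args for h in EDR_NAME_HINTS):
            hits.append(ev["pid"])
    return hits


def watchdog_bursts(events: List[Dict], threshold: int = 5) -> Dict[str, int]:
    """DLLs launched via rundll32 at least `threshold` times.

    A watchdog that keeps N copies alive shows up as N or more launches of one DLL.
    """
    counts: Counter = Counter()
    for ev in events:
        if ev.get("type") != "process_create":
            continue
        m = RUNDLL32_RE.search(ev.get("cmdline", ""))
        if m:
            counts[m.group("dll").lower()] += 1
    return {dll: n for dll, n in counts.items() if n >= threshold}


def analyze(events: List[Dict]) -> Dict[str, object]:
    """Run all three checks and return the findings together."""
    return {
        "driver_installs": suspicious_driver_installs(events),
        "rundll32_kill_candidates": rundll32_kill_candidates(events),
        "watchdog_bursts": watchdog_bursts(events),
    }


if __name__ == "__main__":
    for kind, finding in analyze(SAMPLE_EVENTS).items():
        print(f"{kind}: {finding}")
```

The path check matters more than the signature check here: the driver Hotta Killer loads is a repackaged, legitimately signed game driver, so an "unsigned drivers only" policy alone would not have stopped it. Pair these checks with a vulnerable-driver blocklist and treat any kernel service registered from a user-writable directory as an incident until proven otherwise.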

(Figure: when the payload is first executed, Systeminfo is called to gather basic system information. Source: Fortinet)

Because ring-0 access makes anti-cheat drivers prime BYOVD targets, organizations should block unsigned drivers and monitor kernel service installations.

Mitigation and Indicators

Important IOCs include Interlock RAT SHA1s (e.g., node.log: 2D5F88C396553669BD50183644D77AD3C71D72BB) and C2 addresses (e.g., 216.219.95.234).

Defenders should block outbound PowerShell connections, restrict workstation RDP/SMB access, hunt for suspicious scheduled tasks (such as ChromeUpdater), and prohibit unnecessary remote-access tools such as ScreenConnect.

(Figure: during testing, a packet containing a sample of the system data was sent to a hardcoded C2 IP. Source: Fortinet)

While EDR blocks the execution chain, FortiGuard signatures identify the variants (such as JavaInterlock.A!tr). Routine threat hunting for known Interlock IOCs, combined with intelligence feeds, helps prevent escalation.
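The hunting step above can be automated over whatever logs are at hand. The following is an added example, not Fortinet's code: it collects the indicators this article lists (the C2 IPs, the ScreenConnect domain, the ChromeUpdater task name and the published SHA1s) and sweeps them across constructed log lines whose format is an assumption; the proxy, DNS, scheduled-task and file-hash records are invented for the demonstration, and 203.0.113.10 is a documentation address used as benign filler.

```python
"""Sweep the Interlock indicators from this article across log lines
(added example, not Fortinet's code; the log lines and their format are constructed)."""
import re
from typing import List, Tuple

# Indicators taken from the article. Hashes are keyed upper-case for lookup.
IOC_IPS = {"138.199.156.228", "157.250.195.229", "216.219.95.234"}
IOC_DOMAINS = {"user.kangaroosim.com"}
IOC_TASKS = {"chromeupdater"}
IOC_SHA1 = {
    "3B9B2D5934F9ED1E3A000A760A6FA90422E8A555": "polers.dll (Hotta Killer)",
    "7556AE58C215B8245A43F764F0676C7A8F0FDD1A": "UpdateCheckerX64.sys (vulnerable driver)",
    "2D5F88C396553669BD50183644D77AD3C71D72BB": "node.log (Interlock RAT)",
    "F5C6BD4E9686AFB0C4E7C1C1733FEBB4065D514F": "Linux ransomware",
    "AD77FBDBB2FCBDB440428EED3E76D106E1119FCF": "Windows ransomware (JavaScript)",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
TASK_RE = re.compile(r"\btask\s+name=(\S+)", re.I)

# Constructed sample lines: a proxy record, a DNS query, a scheduled-task inventory
# entry, a file-hash inventory entry, and two benign records.
SAMPLE_LINES = [
    "2025-09-12T10:01:44Z proxy src=10.0.5.21 dst=157.250.195.229:443 proto=tls",
    "2025-09-12T10:02:10Z dns client=10.0.5.21 query=user.kangaroosim.com type=A",
    r"2025-09-12T10:03:55Z task name=ChromeUpdater action=C:\Users\Public\node.exe",
    r"2025-09-12T10:04:30Z file path=C:\Users\Public\polers.dll sha1=3B9B2D5934F9ED1E3A000A760A6FA90422E8A555",
    "2025-09-12T10:05:00Z proxy src=10.0.5.22 dst=203.0.113.10:443 proto=tls",
    "2025-09-12T10:05:12Z task name=MicrosoftEdgeUpdateTaskMachineCore action=MicrosoftEdgeUpdate.exe",
]

Hit = Tuple[int, str, str]  # (line number, indicator kind, matched value)


def hunt(lines: List[str]) -> List[Hit]:
    """Return every indicator match, in line order, as (line_no, kind, value)."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, "ip", ip))
        for digest in SHA1_RE.findall(line):
            if digest.upper() in IOC_SHA1:
                hits.append((n, "sha1", digest.upper()))
        lowered = line.lower()
        for domain in IOC_DOMAINS:
            if domain in lowered:
                hits.append((n, "domain", domain))
        m = TASK_RE.search(line)
        if m and m.group(1).lower() in IOC_TASKS:
            hits.append((n, "task", m.group(1)))
    return hits


def describe(hit: Hit) -> str:
    """Human-readable line for a hit, adding the sample label for hash matches."""
    n, kind, value = hit
    label = IOC_SHA1.get(value, "") if kind == "sha1" else ""
    return f"line {n}: {kind} {value}" + (f" ({label})" if label else "")


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LINES):
        print(describe(hit))
```

Indicator matching of this kind is only the cheap first pass: the article notes that Interlock rotated its infrastructure during a months-long dormant period, so the network indicators age quickly and the host-side behaviours (the task name, the Node.js runtime running from a user directory, the kernel service install) should carry more weight in a hunt than any single IP.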

Interlock's adaptability highlights the need for proactive monitoring in education and related sectors.