FortiGuard Threat Intelligence details related to the ScreenConnect C2 domain associated with the intrusion | Image: FortiGuard Labs
A sophisticated ransomware group known as Interlock is turning the tables on defenders by weaponizing a tool designed to stop cheaters in video games. In a new report released by FortiGuard Labs, researchers detail a months-long intrusion campaign targeting the education sector that utilized a novel “Bring Your Own Vulnerable Driver” (BYOVD) attack to blind cybersecurity defenses.
Unlike the sprawling criminal enterprises that dominate the headlines, Interlock is cutting a different path.
“Unlike other current key ransomware threats, the Interlock group is unique in that it does not operate under the RaaS model. Instead, they appear to be a smaller, dedicated group of operators who develop and operate their own malware to support most of their kill chain.” – FortiGuard Labs Report
The most striking discovery in the investigation was a tool researchers have dubbed “Hotta Killer.” In a supreme irony, the gang utilized a zero-day vulnerability in a legitimate anti-cheat driver (software specifically designed to prevent video game hacking) to hack the victim’s security.
The tool (identified as polers.dll) drops a kernel driver named UpdateCheckerX64.sys. This file is actually a renamed, vulnerable version of GameDriverx64.sys (CVE-2025-61155). Because the driver is digitally signed and legitimate, it bypasses initial checks. Once loaded, the malware abuses the driver’s kernel-level privileges to unceremoniously terminate Endpoint Detection and Response (EDR) processes, specifically hunting for Fortinet security software.
“As part of these adaptations, our analysis identified a novel process-killing tool developed by the group that leverages a zero-day vulnerability in a gaming anti-cheat driver.” – FortiGuard Labs Report
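The renaming described above (a signed GameDriverx64.sys shipped as UpdateCheckerX64.sys) leaves a simple artifact defenders can hunt for: the on-disk file name no longer matches the OriginalFilename embedded in the driver's PE version resource. The PowerShell hunt below is an added example, not FortiGuard's tooling or anything from the report; only the two watchlist file names come from the report, and the path-normalisation rules and output fields are my assumptions.

```powershell
# Added hunt script (not from the FortiGuard report): flag running kernel drivers whose
# on-disk name differs from the OriginalFilename in the PE version resource, or whose
# name appears on a watchlist. Run elevated on Windows PowerShell 5.1 or PowerShell 7.

# File names taken from the FortiGuard report; extend with your own indicators.
$Watchlist = @('UpdateCheckerX64.sys', 'GameDriverx64.sys')

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver returns several path flavours (\??\C:\..., \SystemRoot\...,
    # or a bare relative path); normalise them to a plain filesystem path (assumption).
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDrivers {
    $drivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $file     = Get-Item -LiteralPath $path
        $origName = $file.VersionInfo.OriginalFilename
        $sig      = Get-AuthenticodeSignature -LiteralPath $path

        # A valid signature does not clear the file: BYOVD relies on signed binaries.
        $renamed  = [bool]$origName -and ($origName -ine $file.Name)
        $watchHit = ($Watchlist -icontains $file.Name) -or ($Watchlist -icontains $origName)

        if ($renamed -or $watchHit) {
            [pscustomobject]@{
                Service          = $d.Name
                OnDiskName       = $file.Name
                OriginalFilename = $origName
                Signer           = $sig.SignerCertificate.Subject
                SigStatus        = $sig.Status
                SHA256           = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Reason           = if ($watchHit) { 'watchlist' } else { 'renamed' }
            }
        }
    }
}

Get-SuspiciousDrivers | Format-Table -AutoSize
```

Treat a mismatch as a lead rather than a verdict: a few legitimate drivers ship with an OriginalFilename that differs from the installed name, so compare the SHA256 against the Microsoft vulnerable driver blocklist and your EDR telemetry before acting.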
The report outlines a patient and calculated intrusion that spanned nearly seven months. The attack began on March 31, 2025, with a “MintLoader” infection on a single laptop. For months, the actors lay dormant, maintaining a low profile while they established persistence using their custom “NodeSnake” RAT (Remote Access Trojan).
It wasn’t until September that the group escalated their activity. They pivoted from stealth to theft, using the AZcopy utility to exfiltrate over 250GB of sensitive data. In a strange twist, after stealing the data, the group did not attempt double-extortion (leaking the data). Instead, they seemingly gave up on the extortion angle and moved straight to destruction.
On October 10, the group launched the encryption phase. They deployed a Linux-based encryptor to encrypt the victim’s Nutanix servers and a JavaScript-based payload (jar.jar) to encrypt Windows endpoints.
Perhaps the most baffling aspect of the attack occurred in its final moments. After the encryption was already underway, the attackers executed a script to generate approximately 5,000 rogue user accounts across the victim’s domain.
The purpose of this “ghost army” remains a mystery. Researchers speculate it could be a distraction tactic, a persistence mechanism gone wrong, or simply an attempt to create chaos for the incident response team.
The Interlock group’s ability to pivot from standard commodity malware to custom-built kernel exploits highlights a dangerous trend in the cybercrime landscape: the “lone wolf” syndicates are becoming just as capable as the major cartels.
“The Interlock ransomware group has demonstrated the ability to adapt its techniques and tooling over time as mitigations evolve.” – FortiGuard Labs Report
As defenders patch known vulnerabilities, groups like Interlock are digging into the obscure corners of the software ecosystem, like gaming drivers, to find their next weapon.