Threat Intelligence Analyst Michael Forret, who uncovered the malware, delves into what makes NodeSnake a threat to the higher education and public sectors and advises what they can do to stay safe. Principal Incident Responder Mark Cunningham-Dickie gives additional insights.
Quorum Cyber’s Threat Intelligence team identified two new variants of a Remote Access Trojan (RAT) tracked as NodeSnake – derived from the malware’s NodeJS dependency. The team announced its finding via a NodeSnake blog and a NodeSnake malware technical report, available in Quorum Cyber’s Threat Intelligence Community Group.
Our Threat Intelligence team believes that the malware is being used by the threat actor, Interlock, to target local government and higher education organisations. Here, Michael Forret, a Threat Intelligence Analyst at Quorum Cyber who uncovered the two variants, explains what risk the malware poses and what actions universities and government bodies can take to minimise the chances of any harm being done.
Q: What type of vulnerabilities within organisations’ networks make them accessible to the malware?
Michael Forret: This malware doesn’t exploit software vulnerabilities. It’s malicious code. Any organisations that allow anyone or anything to install any software are more likely to be exploited by this kind of malware.
Q: How can any other university or local government organisation be sure it hasn’t already been infected by the malware?
Michael: I would strongly advise network traffic inspection. Any unexpected network connections to try.cloudflare.com could be indicative of the malware being present. It isn’t a guarantee, but the organisation should investigate further.
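A defender-side illustration of the network-inspection check described above, added here as an example and not code from Quorum Cyber or the NodeSnake report: it scans proxy/DNS style log lines for connections or lookups that hit a watch-list (seeded with the try.cloudflare.com indicator named in the answer) and groups the hits by endpoint so an analyst knows which devices to investigate further. The log lines and host names are constructed; the field names (`host=`, `query=`, `dst=`) are an assumed log format, and the watch-list is a parameter meant to be extended with whatever indicators the organisation's own intelligence feed supplies.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed key=value proxy/DNS format.
# None of this is real telemetry.
SAMPLE_LOGS = [
    "2025-06-24T09:12:01Z host=lab-pc-07 proto=dns query=try.cloudflare.com rcode=NOERROR",
    "2025-06-24T09:12:02Z host=lab-pc-07 proto=https dst=try.cloudflare.com:443 bytes_out=5120",
    "2025-06-24T09:13:15Z host=lib-kiosk-02 proto=https dst=www.example.edu:443 bytes_out=2048",
    "2025-06-24T09:14:40Z host=research-ws-11 proto=dns query=api.try.cloudflare.com rcode=NOERROR",
    "2025-06-24T09:15:00Z host=lib-kiosk-02 proto=https dst=cdn.example.org:443 bytes_out=900",
]

# Indicator from the interview; extend with your own intelligence.
WATCHLIST = ("try.cloudflare.com",)

HOST_RE = re.compile(r"\bhost=(\S+)")
# Destination is either a DNS query name or a dst host:port; stop at ':' to drop the port.
DEST_RE = re.compile(r"\b(?:query|dst)=([^\s:]+)")


def matches_watchlist(domain, watchlist=WATCHLIST):
    """True if the domain equals a watch-listed name or is a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == w or d.endswith("." + w) for w in watchlist)


def find_hits(lines, watchlist=WATCHLIST):
    """Return {host: [matching log lines]} for every line whose destination is watch-listed."""
    hits = defaultdict(list)
    for line in lines:
        host = HOST_RE.search(line)
        dest = DEST_RE.search(line)
        if not host or not dest:
            continue  # malformed or unrelated line; skip rather than guess
        if matches_watchlist(dest.group(1), watchlist):
            hits[host.group(1)].append(line)
    return dict(hits)


def summarise(hits):
    """Sorted (host, hit_count) pairs, most hits first, for a triage queue."""
    return sorted(((h, len(v)) for h, v in hits.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOGS)
    for host, count in summarise(found):
        print(f"{host}: {count} watch-listed connection(s) - investigate further")
        for line in found[host]:
            print("   ", line)
```

A hit is a trigger for investigation, not proof of infection, which is exactly the caveat given in the answer; the per-host grouping is there so the follow-up (forensic review of that device) starts from a short list rather than raw logs.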
Q: What should an organisation do if it believes it’s already been breached by NodeSnake?
Michael: If the organisation has a play book to respond to RATs then it should invoke this.
Mark Cunningham-Dickie: From a tactical standpoint, it’s the same as any incident detection, containment, eradication, recovery. That sounds simple, but we need to remember that this is a RAT. So, your response needs to consider the hacking phases: reconnaissance, scanning, initial access, maintaining access, attaining objectives, and covering tracks.
While you may detect NodeSnake on one endpoint, it’s how it got there, from where, and what it’s been doing while it’s been in. That’s why you need forensic analysis on the device, and that’s why you need to be careful in your response actions and activities, because if your response to the detection is to shut the device down, anything that was running in memory is lost.
Q: What can organisations actively do to prevent these cyber-attacks? How can institutions strengthen their security? Will staff training help?
Michael: Application control will help prevent installation of the critical NodeSnake dependency, NodeJS. Without NodeJS, the threat actor cannot execute NodeSnake as seen in previous attacks. Phishing training for employees will definitely help, as will improving security awareness in the organisation. Of course, endpoint detection and response (EDR) with 24/7 monitoring and detection is essential in the current threat landscape – the quicker a breach or malware can be detected and responded to, the sooner appropriate action can be taken and the greater the chance of containing the cyber-attack.
Q: Is this type of malware only a problem affecting universities and public sector bodies in the UK, or should other sectors and individuals in other countries also be concerned?
Michael: We have evidence that NodeSnake has been used against these two sectors specifically, and I believe the malware was designed to target organisations that allow people to use their own applications. Imagine all the different tools that lecturers, researchers, and students use. So, NodeSnake affects these sectors especially, but we can’t rule out other sectors. Interlock is an opportunistic ransomware gang, so it has almost certainly tried to breach organisations in other sectors and will continue to do so.
Q: Beyond data theft, what operational disruptions could this malware cause to organisations?
Michael: RATs are quite flexible, so threat actors use them to gain sustained access into organisations’ environments and can facilitate almost any type of attack. They can ultimately be used for data theft and data encryption. Given the attribution to Interlock in this case, it will almost certainly be used to facilitate ransomware operations.
Q: How does Cloudflare tunnelling enable attackers to bypass traditional security measures, and what countermeasures can be implemented?
Michael: Cloudflare is a legitimate service that’s used the world over, so Cloudflare tunnelling is a way to hide malicious activity through a benign service. Countermeasures are very difficult to implement but security hardware to inspect content could work to reduce risk.
Q: What cyber security policies and technologies should universities adopt to mitigate the risk of similar attacks in the future?
Michael: Beyond EDR, employ application control and conduct transport layer security (TLS) and secure socket layer (SSL) inspection, where possible.
Q: Should higher education institutions and public sector organisations anticipate a broader ransomware threat?
Michael: I think so for two reasons. Mainly, intellectual property (IP) is a strong pressure point when it comes to negotiation – universities that have been held to ransom will be under greater pressure to pay if they find themselves negotiating with cybercriminals. Secondly, we’re starting to see the lines between nation-state threat actors and cybercriminals being blurred. The former could be using the tactics of the latter to disguise their activities. If a nation-state actor is trying to steal IP then they might want the crime to look like it was committed by a financially motivated actor or simply generate additional revenue.
Q: How can university security or IT teams detect and respond to a RAT infection efficiently to minimise damage and prevent further compromise?
Michael: Incident response preparedness and practicing tabletop exercises is invaluable in this scenario. Plan for the worst-case scenario.
Mark Cunningham-Dickie: Universities face a myriad of different issues that can, and do, make detection and response to NodeSnake harder than for most organisations. Researchers, students, lecturers with personal devices, interconnected research projects with other education establishments, and in some instances disparate IT teams and differing technology stacks, means that there’s a highly transitive user and technology base.
This often (but not always) leaves gaps in endpoint visibility, and it’s those gaps that may allow NodeSnake to persist, undetected, having access to research data and equipment.
A lot of universities get stuck in this being too big of a problem: “We can’t make people install our EDR”, “licensing costs too much”, “that equipment is too niche”, “That’s a different IT department to the university’s main IT department”… Don’t focus on what you don’t have control over, focus on what you do have control over and how best to leverage it.
Q: What is your team currently doing to track NodeSnake and Interlock, and how will you communicate your findings?
Michael: When we detect the characteristics of a malware, we feed it into our intelligence sharing platform. If we find a new incident, then we’ll take the malware characteristics and feed it into the platform. If we believe there’s a new iteration (our report profiles NodeSnake.A and NodeSnake.B), then we’ll either update the report or produce a new one.
Find out more
We hosted a webinar (inclusive of interactive Q&A) on NodeSnake and Interlock on Tuesday, 24 June 2025. Register here to watch the session on-demand.
Please check out our Threat Intelligence Community Group to keep up to date with all the latest threat actor profiles, malware reports, and new threat intelligence bulletins.
Download your free copy of the NodeSnake malware report.