Quorum Cyber’s Threat Intelligence team has identified two new variants of a Remote Access Trojan (RAT) tracked as NodeSnake, believed to be targeting local government and higher education organisations.
The team is actively tracking this malware, which is highly likely attributable to Interlock ransomware based on infrastructure attribution. During their investigation, the team discovered code commonality within malware deployed against two British higher education institutions within two months.
On analysis, it is probable that both NodeSnake RATs were placed within the universities by the same threat actor. Additionally, it is certain that both instances of this malware are from the same family, with the later iteration possessing considerable advancements over the earlier variant.
In a recent development, Interlock ransomware infrastructure seen targeting British universities has now been detected impacting regional councils in the country.
Threat actors can use RATs to gain remote control over infected systems, access files, monitor activities, manipulate system settings, and edit, delete or exfiltrate data. They can also maintain persistence within an organisation and introduce additional tooling or malware to the environment.
About Interlock
First observed in September 2024, Interlock has targeted large or high-value organisations in a range of industries across North America and Europe. It’s known to employ double-extortion tactics by encrypting data and threatening to release it unless a ransom fee is paid. Unlike many other ransomware groups, Interlock does not operate as a Ransomware-as-a-Service (RaaS) and has no known affiliates. Interlock ransomware could target both Linux and Windows operating systems, providing it with broad targeting capabilities.
“We have observed threat actors increasingly targeting universities this year to exfiltrate valuable intellectual property, including research data, and possibly to test and hone new tactics, techniques, and procedures before potentially applying them in other sectors,” said Paul Caiazzo, Chief Threat Officer at Quorum Cyber. “Theft of research data suggests an espionage motivation, and as such our Threat Intelligence team continues to monitor Interlock and its use of the NodeSnake variants so that we can advise organisations across sectors on practical steps they can take to prevent the theft of their intellectual property.”
Learn more about NodeSnake
Quorum Cyber’s NodeSnake report contains a detailed technical analysis of both variants and gives recommendations to mitigate the effects of the malware. You’ll find a large collection of threat actor profiles and malware reports on our website, and you can contact us at any time to discuss how to protect your organisation against cybercrime groups and malware.
Register here to watch our webinar on-demand, hosted on 24 June 2025, and called: NodeSnake Explained: How to Detect and Defend Against It.














