Amazon’s threat intelligence teams have uncovered a new cyber campaign linked to the Interlock ransomware group. The campaign centers around a flaw affecting Cisco Secure Firewall Management Center (FMC) software.
The vulnerability, tracked as CVE-2026-20131, was disclosed by Cisco on March 4. It allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges on affected FMC devices.
However, research conducted through Amazon MadPot, a global honeypot network designed to observe malicious activity, revealed that Interlock had already begun exploiting this flaw as early as January 26, 2026, 36 days before public disclosure.
This meant the attackers were operating with a zero-day advantage, enabling them to compromise organizations before defenders were even aware of the risk. According to Amazon’s findings, the exploitation involved crafted HTTP requests targeting specific paths in vulnerable systems.
These requests carried embedded Java code and URLs: one delivering configuration data to support the exploit, and another confirming successful compromise by triggering an HTTP PUT request from the victim system.
To deepen the investigation, researchers simulated a compromised device by responding to the attacker’s verification mechanism. This triggered the next phase of the attack, where Interlock issued commands to download and execute a malicious Linux binary.
Amazon MadPot Reveals Interlock’s Toolkit
The use of Amazon MadPot proved critical in exposing the full scope of the operation. A misconfigured infrastructure server used by the attackers inadvertently revealed their entire toolkit. This included reconnaissance scripts, custom remote access trojans (RATs), and evasion mechanisms, offering rare visibility into Interlock’s multi-stage attack chain.
The infrastructure was organized in a way that separated data by target, with directories used both to distribute tools and collect stolen information. This level of organization reflects a structured and repeatable attack methodology.
Importantly, Amazon confirmed that its own cloud infrastructure and customer workloads were not impacted by this campaign.
Interlock Ransomware Tactics and Attribution
The recovered malware and artifacts were attributed to the Interlock ransomware family based on several consistent indicators. These included a ransom note and a TOR-based negotiation portal aligned with Interlock’s known branding and operational style.
The ransom notes notably referenced multiple data protection regulations, a tactic used by Interlock to pressure victims by threatening not only data encryption but also potential regulatory penalties. Each victim was assigned a unique organization identifier, consistent with the group’s tracking model.
Historically, Interlock has targeted industries where disruption creates maximum leverage. The education sector has been the most affected, followed by engineering, construction, manufacturing, healthcare, and public sector organizations.
Temporal analysis of the attack activity suggests the operators likely function in a UTC+3 time zone, with activity typically beginning around 08:30, peaking between 12:00 and 18:00, and declining overnight.
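As an added illustration of the temporal analysis described above (example code written for this page, not Amazon's tooling), the following takes a constructed set of UTC activity timestamps and picks the UTC offset whose working day captures the most activity; the 08:00-18:00 window, the candidate offset range and the sample times are assumptions.

```python
"""Estimate an operator's working time zone from UTC activity timestamps."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample (not from Amazon's report): UTC times of hypothetical
# attacker actions on three days, shaped so the working day runs roughly
# 08:30-18:00 in UTC+3, the profile the article describes.
_UTC_TIMES = ["05:30", "05:45", "06:00", "06:30", "07:00", "08:00", "09:00",
              "09:30", "10:00", "10:30", "11:00", "11:30", "12:00", "12:30",
              "13:00", "13:30", "14:00", "14:15", "14:30", "14:45", "16:00",
              "17:00", "19:00"]
SAMPLE_EVENTS = [
    datetime(2026, 1, 26 + day, int(t[:2]), int(t[3:]), tzinfo=timezone.utc)
    for day in range(3) for t in _UTC_TIMES
]


def local_hour_histogram(events, offset_hours):
    """Count events per local hour (0-23) after shifting UTC by offset_hours."""
    shift = timedelta(hours=offset_hours)
    return Counter((e + shift).hour for e in events)


def workday_fraction(events, offset_hours, start=8, end=18):
    """Share of events that fall inside [start, end) local time for this offset."""
    hist = local_hour_histogram(events, offset_hours)
    inside = sum(n for h, n in hist.items() if start <= h < end)
    return inside / len(events)


def first_activity_local(events, offset_hours):
    """Earliest time of day (HH:MM) at which activity starts in the given zone."""
    shift = timedelta(hours=offset_hours)
    return min((e + shift).time() for e in events).strftime("%H:%M")


def estimate_operator_offset(events, candidates=range(-12, 15)):
    """UTC offset whose 08:00-18:00 window captures the most activity.

    Ties go to the offset closer to UTC. A flat profile (automation running
    around the clock) scores every offset alike and supports no inference.
    """
    return max(candidates, key=lambda off: (workday_fraction(events, off), -abs(off)))


if __name__ == "__main__":
    off = estimate_operator_offset(SAMPLE_EVENTS)
    print(f"best fit UTC{off:+d}, first activity {first_activity_local(SAMPLE_EVENTS, off)}")
    for hour, n in sorted(local_hour_histogram(SAMPLE_EVENTS, off).items()):
        print(f"{hour:02d}:00 {'#' * n}")
```

On real data, weekday/weekend gaps and daylight-saving shifts should be checked alongside the hourly profile before treating the offset as an attribution signal.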
Post-Exploitation
Once access is gained through CVE-2026-20131, Interlock deploys a range of tools to expand control within the compromised network. A PowerShell-based reconnaissance script systematically collects detailed system and network information, including installed software, running services, browser data, and active connections.
The script organizes this data into per-host directories on a centralized network share, compressing it into ZIP archives for exfiltration. This structured approach indicates preparation for large-scale ransomware deployment across multiple systems.
Interlock uses multiple RATs to maintain persistent access. One variant, written in JavaScript, suppresses debugging output and gathers system details before establishing encrypted communication with command-and-control servers via WebSockets. Messages are encrypted using RC4 with unique keys for each transmission.
A second variant, implemented in Java, provides the same capabilities using different libraries. This dual-implementation strategy ensures continued access even if one version is detected and removed.
To hide their tracks, Interlock employs a Bash script that converts compromised Linux servers into HTTP reverse proxies. These proxies forward traffic to attacker-controlled systems while erasing logs every five minutes, making forensic analysis extremely difficult.
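A defender-side check suggested by the five-minute log wiping described above (added example written for this page, not from the report or from the attackers' script): poll a log file's size and raise an alert when it keeps dropping on a fixed cadence, which ordinary growth or daily rotation does not produce. The sample size series, the 300-second period and the tolerance are assumptions.

```python
"""Flag log files that are being wiped on a fixed cadence (anti-forensics check)."""
from statistics import median

# Constructed samples (not from the report): (epoch seconds, byte size) polled
# every 60 s. WIPED grows and drops to zero every ~300 s; BENIGN only grows;
# ROTATED drops once, as a normal logrotate would.
WIPED = [(t, 0 if t % 300 == 0 else (t % 300) * 7) for t in range(0, 1800, 60)]
BENIGN = [(t, t * 7) for t in range(0, 1800, 60)]
ROTATED = [(t, (t % 900) * 7) for t in range(0, 1800, 60)]


def size_resets(samples):
    """Timestamps at which the file size dropped (truncation or replacement)."""
    return [t for (_, prev), (t, size) in zip(samples, samples[1:]) if size < prev]


def periodic_wipe(samples, period_s=300, tolerance_s=30, min_resets=3):
    """Return reset statistics if the size drops repeat near period_s, else None.

    Using the median gap keeps one missed poll or a late cron run from
    masking an otherwise regular cadence.
    """
    resets = size_resets(samples)
    if len(resets) < min_resets:
        return None
    gaps = [b - a for a, b in zip(resets, resets[1:])]
    typical = median(gaps)
    if abs(typical - period_s) > tolerance_s:
        return None
    return {"resets": len(resets), "median_gap_s": typical}


if __name__ == "__main__":
    for name, series in (("wiped", WIPED), ("benign", BENIGN), ("rotated", ROTATED)):
        print(name, periodic_wipe(series))
```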
Fileless Backdoors and Advanced Techniques
One of the more advanced components observed in the campaign is a memory-resident webshell. Delivered as a Java class, it operates entirely in memory, avoiding disk-based detection. It intercepts HTTP requests and executes encrypted payloads dynamically within the Java Virtual Machine.
Additionally, a lightweight TCP server tool was identified, used to verify successful exploitation by confirming connectivity on a specific port.
Interlock also blends malicious activity with legitimate software. The group deployed ConnectWise ScreenConnect, a commercial remote desktop tool, to maintain access while avoiding detection. This redundancy ensures attackers retain control even if custom malware is removed.
Other tools found in the attack environment include Volatility, typically used for memory forensics, and Certify, an offensive security tool targeting Active Directory Certificate Services. These tools enable credential access, privilege escalation, and persistent footholds within compromised environments.
