IABs facilitate initial infections via their own operations and may sell their access to ransomware operators. Microsoft, for instance, observed Gootloader (Hive0127, Storm-0494) handing off access to Vanilla Tempest to load the Supper backdoor before deploying INC ransomware in September 2024. In November 2025, Huntress documented similar observations where Gootloader infections lead to Tomb-crypted Supper backdoor samples. According to Guidepoint, Interlock ransomware was also deployed through initial access likely facilitated by SocGholish in January 2025, which led to what appears to be the NodeSnake downloader.
Another important enabler for these ransomware attacks are traffic distribution systems (TDS). These allow operators to redirect victims from an infected site to the right malicious target based on their browser data and a custom logic. Then, the redirection target may display a credential phishing site or serve malicious payloads. These can occur through fake downloads or via ClickFix-style attacks. Interlock-related infections have consistently been tied to one TDS in particular, tracked by Recorded Future as TAG-124 (overlapping with LandUpdate808 and KongTuke):
Recorded Future linked a September 2024 JunkFiction downloader campaign to TAG-124, which was associated with an Interlock ransomware incident documented by Cisco Talos.
Fortinet observed a likely TAG-124 ClickFix-based MintLoader infection leading to NodeSnake and backdoor samples X-Force identifies as the Supper backdoor, in an Interlock ransomware incident in March 2025.
Additional published evidence, based on shared victims and observed network communication, may even suggest a stronger relationship between Interlock operators and TAG-124 (see VB paper by Julian-Ferdinand Vögele).
Notably, before Interlock was first active, the TDS had also been used to distribute Dave-crypted Broomstick by Rhysida actors in May 2024, according to Recorded Future.
Several other public reports have documented infections where no connection has been made to a specific IAB or TDS like TAG-124/KongTuke/Landupdate808. The following campaigns used the same ClickFix-based phishing or trojanized installers downloaded from fake websites as initial access vectors:
Beazley Security Labs reported on malware, X-Force identifies as JunkFiction downloader, used to deploy the JunkFiction-crypted Supper backdoor in an Interlock-linked incident in November 2024.
Microsoft disrupted a Vanilla Tempest campaign involving trojanized installers with the Tomb-crypted Endico downloader resulting in Tomb-crypted Broomstick samples to ultimately deploy Rhysida ransomware in September 2025.
Expel reporting included the same Vanilla Tempest campaign as Microsoft, and through shared code-signing certificates further discovered what X-Force identifies as Dave-crypted IceNova (aka Latrodectus, BLACKWIDOW) and Supper likely used in adjacent initial access campaigns.
X-Force published a report on a ClickFix-based infection leading to NodeSnake, InterlockRAT, and the Interlock ransomware in early 2026.
Lastly, in a March 2026 report, Amazon threat intelligence documented an Interlock intrusion exploiting CVE-2026-20131, demonstrating the group’s ability to exploit network edge devices to achieve initial access.
Click Here For The Original Source.
