Anatomy of the Interlock Campaign: How a ClickFix Gang Learned to Burn Firewall Zero-Days
For a year, the surest way to get hit by Interlock was to paste a command into your own Run dialog. On January 26, 2026, the group stopped waiting for users to make mistakes and started exploiting a pre-auth, root-level Cisco firewall zero-day instead. The same crew now runs both ends of the sophistication ladder — and that should change how you model initial access.