What's new

Enterprise Security Content Updates version 5.11.0 was released on August 6th, 2025 and includes the following enhancements:

Key highlights

Splunk ESCU 5.11 delivers two new detections and five analytic stories, along with three updated analytics, to help you strengthen your security posture with broader and deeper coverage across identity, infrastructure, and exploitation tactics.

Following is a summary of the latest updates:

  • Interlock Ransomware and NaiLaoLocker: Interlock Ransomware exhibits distinctive behaviors such as anomalous PowerShell or CMD processes spawned from Office applications and large-scale file renaming during encryption, while NaiLaoLocker uses multi-threaded AES-256-CBC file encryption with SM2 key wrapping, is loaded through DLL side-loading, and creates a mutex to avoid re-execution. We mapped all existing detections to both malware families and updated the ransomware extensions and ransomware notes lookup files.
  • Interlock RAT: Interlock RAT is a modular, stealthy backdoor first observed in mid-2024 that uses encrypted C2 communications and fake browser-update installers to gain persistence, capture keystrokes, and exfiltrate data. We mapped existing detections to this RAT to surface indicators such as anomalous network beaconing, persistence artifacts, and credential-theft behaviors.
  • Scattered Spider (UNC3944/Scatter Swine/Oktapus/Octo Tempest/Storm-0875/Muddled Libra): Scattered Spider is an extortion-focused group that uses SIM-swap attacks, push-bombing MFA fatigue, and social engineering to deploy legitimate remote-access and tunneling tools such as TeamViewer, AnyDesk, and Ngrok for data theft and ransomware deployment. We mapped existing detections to this actor, covering behaviors such as MFA bombing prompts, unauthorized remote-access tool execution, and cloud API abuse.