Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Interlock deploys new PHP RAT via FileFix

July 16, 2025
Reading Time: 3 mins read
in Alerts
Google Realeases Critical Chrome Update

The Interlock ransomware group, known for its financially motivated attacks and double extortion tactics, has enhanced its operational sophistication by deploying a new PHP-based Remote Access Trojan (RAT). This new variant, first observed in June 2025, represents a strategic shift from their earlier JavaScript-based Node.js version, highlighting the group’s continuous adaptation in the threat landscape. The campaign, which has been linked to the KongTuke (LandUpdate808) threat cluster since May 2025, targets a broad range of industries, underscoring its opportunistic nature and widespread impact potential.

The initial infection vector for this new campaign leverages a cunning social engineering technique known as FileFix, an evolution of the previously identified ClickFix method.

Attackers inject compromised websites with hidden single-line scripts in the HTML. These scripts employ robust IP filtering to deliver the payload, which then prompts unsuspecting users with fake CAPTCHA checks designed to “Verify you are human.” Upon clicking, users are deceptively led through “Verification steps” that instruct them to open a run command window and paste content from their clipboard, unknowingly executing a malicious PowerShell script that ultimately leads to the deployment of the Interlock RAT.

Once executed, the PHP version of the Interlock RAT establishes a foothold on the victim’s system. It operates by launching a PHP binary from an unusual file path and utilizes a custom configuration file, demonstrating the group’s efforts to evade detection. The RAT immediately initiates system reconnaissance, meticulously collecting detailed information about the system, running processes, services, drives, and network configurations using various PowerShell commands.

This data, which includes the RAT’s privilege level (USER, ADMIN, or SYSTEM), is then exfiltrated to the attackers in JSON format.

The Interlock RAT further enhances its capabilities by establishing a resilient command and control (C2) channel with the attackers’ infrastructure, often abusing legitimate Cloudflare Tunnel services (trycloudflare.com) to mask the true location of the C2 server. To ensure persistent communication, the malware also incorporates hardcoded fallback IP addresses. Beyond automated profiling, the malware exhibits signs of hands-on-keyboard discovery, such as querying Active Directory, user accounts, and domain controllers, indicating direct attacker interaction and targeted data gathering.

Finally, the Interlock RAT is equipped with a versatile set of post-compromise functionalities. It supports commands to download and execute additional malicious executables or DLLs, execute arbitrary shell commands, and establish persistence on the compromised system through registry key modifications. Furthermore, the malware facilitates lateral movement within the victim’s network by leveraging Remote Desktop Protocol (RDP), allowing attackers to extend their reach and further compromise the environment. This ongoing evolution of Interlock’s tooling underscores the need for vigilant defense strategies that account for both new and adapted attack vectors.

Reference:

  • Interlock Ransomware Group Deploys New PHP-based RAT via FileFix
Tags: Cyber AlertsCyber Alerts 2025CyberattackCybersecurityJuly 2025
ADVERTISEMENT

Related Posts

Scattered Spider Hits ESXi Servers

Scattered Spider Hits ESXi Servers

July 28, 2025
Scattered Spider Hits ESXi Servers

Malware Hides in Fake Dating Apps

July 28, 2025
Scattered Spider Hits ESXi Servers

Post SMTP Bug Exposes 200K Sites

July 28, 2025
Infostealer Hidden in Steam Game

Sophos, SonicWall Patch Critical RCE Bugs

July 25, 2025
Infostealer Hidden in Steam Game

CastleLoader Uses Clickfix on Windows

July 25, 2025
Infostealer Hidden in Steam Game

Koske Malware Hides in Panda Images

July 25, 2025

Latest Alerts

Post SMTP Bug Exposes 200K Sites

Malware Hides in Fake Dating Apps

Scattered Spider Hits ESXi Servers

CastleLoader Uses Clickfix on Windows

Sophos, SonicWall Patch Critical RCE Bugs

Koske Malware Hides in Panda Images

Subscribe to our newsletter

    Latest Incidents

    Cyberattack Hits French Naval Group

    Tea App Leak Exposes 13K Women Users

    Allianz Life Data Breach Hits Majority

    Hackers Target Amazon’s AI Code Bot

    Infostealer Hidden in Steam Game

    APTs Use Fake Dalai Lama Apps to Spy

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial