The Interlock ransomware group, known for its financially motivated attacks and double extortion tactics, has enhanced its operational sophistication by deploying a new PHP-based Remote Access Trojan (RAT). This new variant, first observed in June 2025, represents a strategic shift from their earlier JavaScript-based Node.js version, highlighting the group’s continuous adaptation in the threat landscape. The campaign, which has been linked to the KongTuke (LandUpdate808) threat cluster since May 2025, targets a broad range of industries, underscoring its opportunistic nature and widespread impact potential.
The initial infection vector for this new campaign leverages a cunning social engineering technique known as FileFix, an evolution of the previously identified ClickFix method.
Attackers inject compromised websites with hidden single-line scripts in the HTML. These scripts employ robust IP filtering to deliver the payload, which then prompts unsuspecting users with fake CAPTCHA checks designed to “Verify you are human.” Upon clicking, users are deceptively led through “Verification steps” that instruct them to open a run command window and paste content from their clipboard, unknowingly executing a malicious PowerShell script that ultimately leads to the deployment of the Interlock RAT.
Once executed, the PHP version of the Interlock RAT establishes a foothold on the victim’s system. It operates by launching a PHP binary from an unusual file path and utilizes a custom configuration file, demonstrating the group’s efforts to evade detection. The RAT immediately initiates system reconnaissance, meticulously collecting detailed information about the system, running processes, services, drives, and network configurations using various PowerShell commands.
This data, which includes the RAT’s privilege level (USER, ADMIN, or SYSTEM), is then exfiltrated to the attackers in JSON format.
The Interlock RAT further enhances its capabilities by establishing a resilient command and control (C2) channel with the attackers’ infrastructure, often abusing legitimate Cloudflare Tunnel services (trycloudflare.com) to mask the true location of the C2 server. To ensure persistent communication, the malware also incorporates hardcoded fallback IP addresses. Beyond automated profiling, the malware exhibits signs of hands-on-keyboard discovery, such as querying Active Directory, user accounts, and domain controllers, indicating direct attacker interaction and targeted data gathering.
Finally, the Interlock RAT is equipped with a versatile set of post-compromise functionalities. It supports commands to download and execute additional malicious executables or DLLs, execute arbitrary shell commands, and establish persistence on the compromised system through registry key modifications. Furthermore, the malware facilitates lateral movement within the victim’s network by leveraging Remote Desktop Protocol (RDP), allowing attackers to extend their reach and further compromise the environment. This ongoing evolution of Interlock’s tooling underscores the need for vigilant defense strategies that account for both new and adapted attack vectors.
Reference: