Pierluigi Paganini
July 14, 2025
The Interlock ransomware group is deploying a new PHP-based variant of the Interlock RAT in a broad campaign. According to researchers from the DFIR Report, in partnership with Proofpoint, it uses a delivery method known as FileFix, a variant of ClickFix, to target multiple industries.
A new PHP-based variant marks a shift from the earlier JavaScript-based Node.js version. Since May 2025, it has been linked to the KongTuke (LandUpdate808) threat cluster. The malware spreads via compromised websites using hidden scripts that prompt victims through fake CAPTCHA checks to run a PowerShell script. Both PHP and Node.js variants have been seen, with the PHP version emerging in June. The campaign is now using a FileFix delivery mechanism.
“The campaign begins with compromised websites injected with a single-line script hidden in the page’s HTML, often unbeknownst to site owners or visitors.
The linked JavaScript employs heavy IP filtering to serve the payload, which first prompts the user to click a captcha to “Verify you are human” followed by “Verification steps” to open a run command and paste in from the clipboard.” reads the DFIR report. “If pasted into the run command it will execute a PowerShell script which eventually leads to Interlock RAT.”
The PHP version executes through PowerShell, launching a PHP binary from an unusual path and using a custom config file.
FileFix, an evolution of ClickFix, exploits Windows File Explorer’s address bar to trick users into executing commands. Once installed, the Interlock RAT performs system reconnaissance, checks its privilege level (USER, ADMIN, or SYSTEM), and exfiltrates system info in JSON format. It then connects to a remote server to download and execute EXE or DLL files.
The malware conducts automated system profiling using various PowerShell commands, collecting detailed information about the system, processes, services, drives, and network.
The malware also performs hands-on-keyboard discovery, such as querying Active Directory, user accounts, and domain controllers, showing signs of attacker interaction. The researchers observed the malware establishing command and control via Cloudflare Tunnel (trycloudflare.com).
“The Interlock RAT establishes a robust command and control (C2) channel with the attackers’ infrastructure. Notably, it leverages trycloudflare.com URLs, abusing the legitimate Cloudflare Tunnel service to mask the true location of the C2 server.” continues the repert.”To enhance resilience, the malware also contains hardcoded fallback IP addresses, ensuring communication can be maintained even if the Cloudflare Tunnel is disrupted.”
Interlock RAT supports commands to download and run executables or DLLs, execute arbitrary shell commands, set up persistence via registry keys, and shut itself down. The malicious code also supports lateral movement via RDP.
“This discovery highlights the continued evolution of the Interlock group’s tooling and their operational sophistication.” concludes the report that includes Sigma and YARA rules and IOCs. “While the Node.js variant of Interlock RAT was known for its use of Node.js, this variant leverages PHP, a common web scripting language, to gain and maintain access to victim networks.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
