
Interlock Ransomware Group Introduces New PHP-Based RAT via FileFix

Explore the latest campaign by the Interlock ransomware group deploying a new PHP-based RAT through FileFix, targeting multiple industries with advanced tactics.


TL;DR

The Interlock ransomware group has launched a widespread campaign using a new PHP-based Remote Access Trojan (RAT) delivered via FileFix. The shift from the earlier JavaScript-based Node.js variant to PHP highlights the group’s evolving tactics, targeting multiple industries through compromised websites and sophisticated delivery mechanisms.

Interlock Ransomware Group Deploys New PHP-Based RAT via FileFix

The Interlock ransomware group has introduced a new PHP-based variant of the Interlock RAT in an extensive campaign. Researchers from the DFIR Report, in collaboration with Proofpoint, have identified this campaign, which employs a delivery method known as FileFix, a variant of ClickFix, to target various industries.

Shift to PHP-Based RAT

This new PHP-based variant marks a transition from the earlier JavaScript-based Node.js version. Since May 2025, this variant has been associated with the KongTuke (LandUpdate808) threat cluster. The malware spreads through compromised websites using hidden scripts that deceive victims via fake CAPTCHA checks, prompting them to run a PowerShell script. Both PHP and Node.js variants have been observed, with the PHP version emerging in June. The campaign now utilizes a FileFix delivery mechanism.

“The campaign begins with compromised websites injected with a single-line script hidden in the page’s HTML, often unbeknownst to site owners or visitors. The linked JavaScript employs heavy IP filtering to serve the payload, which first prompts the user to click a captcha to ‘Verify you are human’ followed by ‘Verification steps’ to open a run command and paste in from the clipboard. If pasted into the run command it will execute a PowerShell script which eventually leads to Interlock RAT.” reads the DFIR report.

Interlock RAT Campaign

Delivery and Execution Mechanism

The PHP version executes through PowerShell, launching a PHP binary from an unusual path and using a custom config file. FileFix, an evolution of ClickFix, exploits Windows File Explorer’s address bar to trick users into executing commands. Once installed, the Interlock RAT performs system reconnaissance, checks its privilege level (USER, ADMIN, or SYSTEM), and exfiltrates system info in JSON format. It then connects to a remote server to download and execute EXE or DLL files.

The malware conducts automated system profiling using various PowerShell commands, collecting detailed information about the system, processes, services, drives, and network. It also performs hands-on-keyboard discovery, such as querying Active Directory, user accounts, and domain controllers, showing signs of attacker interaction. The researchers observed the malware establishing command and control via Cloudflare Tunnel (trycloudflare.com).

“The Interlock RAT establishes a robust command and control (C2) channel with the attackers’ infrastructure. Notably, it leverages trycloudflare.com URLs, abusing the legitimate Cloudflare Tunnel service to mask the true location of the C2 server. To enhance resilience, the malware also contains hardcoded fallback IP addresses, ensuring communication can be maintained even if the Cloudflare Tunnel is disrupted.” continues the report.

Capabilities and Impact

Interlock RAT supports commands to download and run executables or DLLs, execute arbitrary shell commands, set up persistence via registry keys, and shut itself down. The malicious code also supports lateral movement via RDP.
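The three behaviours described above (a PHP binary launched by PowerShell from an unusual path with a custom config file, C2 over trycloudflare.com, and persistence via registry Run keys) are the kind of signals a defender would turn into detection logic. The following Python is an added example written for this page, not code from the DFIR Report, Proofpoint, or Security Affairs, and it does not reproduce the report's own Sigma or YARA rules. The Sysmon-style field names, the allowlist of expected PHP install directories, the `-c` config switch in the sample command line and all sample events are constructed assumptions, not real indicators from the campaign.

```python
"""Constructed detection example for behaviours attributed to the PHP-based
Interlock RAT: unusual php.exe launch, trycloudflare.com C2, Run-key persistence.
All sample events below are constructed, not real telemetry or IOCs."""
import json
import re
from pathlib import PureWindowsPath

# Directories where a legitimately installed php.exe would be expected.
# Assumption for this example; tune to the environment being monitored.
EXPECTED_PHP_DIRS = {
    r"c:\program files\php",
    r"c:\program files (x86)\php",
    r"c:\xampp\php",
}

# Autorun registry locations commonly abused for persistence.
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)

# Matches trycloudflare.com itself or any subdomain of it.
TRYCLOUDFLARE_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)


def is_unusual_php_launch(event):
    """ProcessCreate: php.exe started by powershell.exe from a directory
    that is not in the expected-install allowlist."""
    image = PureWindowsPath(event.get("Image", ""))
    parent = PureWindowsPath(event.get("ParentImage", ""))
    if image.name.lower() != "php.exe" or parent.name.lower() != "powershell.exe":
        return False
    return str(image.parent).lower() not in EXPECTED_PHP_DIRS


def is_trycloudflare_c2(event):
    """NetworkConnect: destination hostname under trycloudflare.com."""
    return bool(TRYCLOUDFLARE_RE.search(event.get("DestinationHostname", "")))


def is_run_key_persistence(event):
    """RegistryValueSet: a Run/RunOnce value whose data points at php.exe."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    return any(key in target for key in RUN_KEYS) and "php.exe" in details


def triage(events):
    """Return (rule_name, event) pairs for every event that matched a rule."""
    rules = [
        ("unusual_php_launch", is_unusual_php_launch),
        ("trycloudflare_c2", is_trycloudflare_c2),
        ("run_key_persistence", is_run_key_persistence),
    ]
    return [(name, ev) for ev in events for name, rule in rules if rule(ev)]


# Constructed sample events using Sysmon-like field names (not real IOCs).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\alice\AppData\Roaming\example\php.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Assumed shape: php's real -c switch pointing at a non-standard ini file.
     "CommandLine": r"php.exe -c C:\Users\alice\AppData\Roaming\example\cfg.ini run.php"},
    {"EventType": "ProcessCreate",   # benign: standard install dir, cmd.exe parent
     "Image": r"C:\Program Files\PHP\php.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "php.exe artisan serve"},
    {"EventType": "NetworkConnect",
     "Image": r"C:\Users\alice\AppData\Roaming\example\php.exe",
     "DestinationHostname": "constructed-words-here.trycloudflare.com",
     "DestinationPort": 443},
    {"EventType": "RegistryValueSet",
     "Image": r"C:\Users\alice\AppData\Roaming\example\php.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\example\php.exe -c C:\Users\alice\AppData\Roaming\example\cfg.ini run.php"},
]


if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(name, json.dumps(ev))
```

Run against the constructed events, the benign `cmd.exe` launch of php.exe from `C:\Program Files\PHP` produces no hit, while the three malicious-looking events each trip exactly one rule. In production the allowlist and the Run-key check would be tuned per environment, and the trycloudflare.com match is a triage signal rather than proof of compromise, since the tunnel service also has legitimate users.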

“This discovery highlights the continued evolution of the Interlock group’s tooling and their operational sophistication.” concludes the report that includes Sigma and YARA rules and IOCs. “While the Node.js variant of Interlock RAT was known for its use of Node.js, this variant leverages PHP, a common web scripting language, to gain and maintain access to victim networks.”


Pierluigi Paganini

(SecurityAffairs – hacking, malware)


Conclusion

The Interlock ransomware group’s shift to a PHP-based RAT delivered via FileFix underscores their adaptability and sophistication. This campaign highlights the ongoing threat posed by evolving malware tactics, emphasizing the need for robust cybersecurity measures to protect against such advanced threats.

This post is licensed under CC BY 4.0 by the author.