New PHP-Based Interlock RAT Targets Multiple Industries via FileFix

Edward Zhou
Edward Zhou

CEO & Founder

 
July 16, 2025 3 min read

New PHP-Based Interlock RAT Variant Uses FileFix Delivery Mechanism to Target Multiple Industries

The Interlock ransomware group has introduced a PHP variant of its remote access trojan (RAT) as part of a campaign leveraging a ClickFix variant known as FileFix. This new tool targets various industries since May 2025, according to a report by the DFIR Report in collaboration with Proofpoint.

"Since May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters," the report states. The campaign begins with compromised websites, where a hidden script is injected into the HTML, often without knowledge of the site owners or visitors.

The embedded JavaScript acts as a traffic distribution system (TDS), redirecting users to counterfeit CAPTCHA verification pages. This process entices users to execute a PowerShell script that ultimately deploys the NodeSnake (aka Interlock RAT). The malware is designed for persistent access, system reconnaissance, and remote command execution capabilities.

New campaigns have observed the distribution of this PHP variant through FileFix, which leverages the Windows operating system's capabilities to instruct victims into executing commands via File Explorer's address bar. Once installed, the malware carries out reconnaissance of the infected host, exfiltrating system information in JSON format. It checks for privileges (USER, ADMIN, or SYSTEM) and establishes contact with a remote server to download and execute EXE or DLL payloads.

Persistence is achieved through changes to the Windows Registry, while lateral movement is facilitated via the Remote Desktop Protocol (RDP). A significant feature of the trojan is its use of Cloudflare Tunnel subdomains to mask the true location of the command-and-control (C2) server, ensuring communication remains intact even if the Cloudflare Tunnel is disrupted.

"This discovery highlights the continued evolution of the Interlock group's tooling and their operational sophistication," researchers noted. The shift to PHP from Node.js marks a notable change in their attack strategy.

Interlock RAT Functionality and Deployment

The Interlock ransomware group's deployment of its new PHP-based RAT via FileFix marks a significant shift in their operational tactics. Researchers from the DFIR Report, in collaboration with Proofpoint, confirm that this new variant is being distributed through compromised websites using hidden scripts to prompt victims into running a PowerShell script.

“The campaign begins with compromised websites injected with a single-line script hidden in the page’s HTML, often unbeknownst to site owners or visitors,” the DFIR report explains. This method utilizes heavy IP filtering to serve the payload, which prompts the user to interact with fake CAPTCHA checks to execute the malicious script.

Interlock RAT
Image courtesy of Security Affairs

The PHP version executes through PowerShell and launches from an unusual path using a custom configuration file. FileFix, an evolution of ClickFix, exploits Windows File Explorer’s address bar to trick users into executing commands. Once installed, the Interlock RAT performs reconnaissance and exfiltrates system information, establishing a robust command and control channel with attackers' infrastructure.

“The Interlock RAT establishes a robust command and control (C2) channel with the attackers’ infrastructure,” the report continues. This variant also contains hardcoded fallback IP addresses, ensuring continuous communication even if the primary C2 is disrupted.

Interlock RAT supports various commands, including downloading and executing executables or DLLs, executing arbitrary shell commands, and setting up persistence via registry keys. This evolution of the RAT indicates a more sophisticated approach to cyber threats.

For further information on the evolving landscape of cybersecurity threats and tools, consider checking these resources: Malware Analysis, News and Indicators, Interlock ransomware group, and Cloudflare Tunnel.

Explore our services at Gopher Security for cutting-edge cybersecurity solutions tailored to your needs. Contact us for more information.

Edward Zhou
Edward Zhou

CEO & Founder

 

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article