From ClickFix to FileFix: A New Era of Deception from the Interlock Ransomware Group

Shakti Sharma

The Interlock ransomware group, a name that has become synonymous with cyber threats, has made a significant change to its arsenal. It is now deploying a new version of its Remote Access Trojan (RAT) written in PHP, a common web scripting language. This is a big shift from the earlier tool, which was based on JavaScript and Node.js. Since May 2025, this new RAT activity has been connected to a group of online criminals known as the KongTuke (LandUpdate808) threat cluster, with the PHP version specifically appearing in June. The change means the malware can potentially reach more systems and operate in new ways.

How They Trick Victims: The FileFix Method

The way Interlock spreads this new malware is quite sneaky. It uses a method called FileFix, an updated version of a trick called ClickFix. The whole chain starts on websites that have been secretly tampered with: the compromised sites carry a hidden piece of code embedded in their HTML, which makes a fake CAPTCHA check appear on the victim’s screen, asking them to “Verify you are human.” To pass the check, the victim is prompted to open a “run command” and paste something from their clipboard. If the victim falls for the trick and pastes the content, it runs a PowerShell script, which then secretly launches the PHP-based RAT, giving the attackers a way into the computer. For defenders, the key point is that no exploit is involved: the victim is socially engineered into running the command themselves, so user awareness and monitoring of what PowerShell gets launched from the Run dialog matter more than patching.

What the New Malware Can Do

Once the Interlock RAT gets onto a computer, it is designed to do a lot of damage. It immediately starts gathering information about the system, a process known as “system reconnaissance.” It checks the user’s privilege level (regular user, administrator, or system) and then collects detailed system information, such as running processes, services, drives, and network details, all neatly packaged in JSON format. After collecting this data, it connects to a remote server to download and run further harmful files, such as executable (.exe) or dynamic link library (.dll) files. The malware also supports “hands-on-keyboard discovery,” meaning the operators actively look for information by querying things like Active Directory, user accounts, and domain controllers, which shows that the attackers are directly interacting with the compromised system rather than running a fully automated tool.

Staying Hidden and Resilient

One of the most concerning aspects of this new Interlock RAT is its ability to stay hidden and keep working even when faced with security measures. The malware sets up a resilient “command and control” (C2) channel, which is how it communicates with the attackers. It does this by using legitimate Cloudflare Tunnel URLs (specifically trycloudflare.com), which hide the true location of the C2 server and make it much harder for cybersecurity experts to track down where the attacks are coming from. To make sure it can always communicate, even if the Cloudflare Tunnel is disrupted, the malware also has backup IP addresses built into its code. The Interlock RAT is also capable of executing various commands, establishing persistence on the system using registry keys, and even shutting itself down.
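The three behaviours described above (PowerShell launched from the Run dialog, the script handing off to a PHP interpreter, and C2 over a trycloudflare.com host) can each be checked against endpoint telemetry. The following hunting logic is an added example, not code from the article or from any vendor product: the event field names, file paths and tunnel host name are assumptions and the sample events are constructed.

```python
"""Hunting logic for the FileFix -> PHP RAT chain described in the article.
Field names are an assumed, simplified EDR/Sysmon-style schema, not a real product's."""
from typing import Iterable

POWERSHELL = {"powershell.exe", "pwsh.exe"}

def _base(name: str) -> str:
    # Normalise a Windows or POSIX image path to its lowercase file name.
    return name.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events: Iterable[dict]) -> list[tuple[str, int]]:
    """Return (rule, event_index) hits for:
    1. PowerShell spawned by explorer.exe (the Run dialog is hosted by explorer.exe),
    2. a PHP interpreter launched by PowerShell (script hands off to the PHP RAT),
    3. any process contacting a *.trycloudflare.com host (Cloudflare Tunnel C2)."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            parent, image = _base(ev["parent"]), _base(ev["image"])
            if parent == "explorer.exe" and image in POWERSHELL:
                hits.append(("ps_from_explorer", i))
            if parent in POWERSHELL and image.startswith("php"):
                hits.append(("php_from_powershell", i))
        elif ev["type"] == "network":
            host = ev.get("dest_host", "").lower().rstrip(".")
            if host == "trycloudflare.com" or host.endswith(".trycloudflare.com"):
                hits.append(("trycloudflare_c2", i))
    return hits

# Constructed sample telemetry (made-up paths and host; the pasted command is elided).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden <pasted clipboard content>"},
    {"type": "process", "parent": "powershell.exe",
     "image": r"C:\Users\Public\php\php.exe", "cmdline": "php.exe main.php"},
    {"type": "network", "image": r"C:\Users\Public\php\php.exe",
     "dest_host": "example-tunnel-name.trycloudflare.com", "dest_port": 443},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
    {"type": "network", "image": "firefox.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: event {idx} ({_base(SAMPLE_EVENTS[idx]['image'])})")
```

The first rule will also fire on legitimate admin use of the Run dialog, so treat it as a lead to correlate with the other two rather than a standalone alert; the trycloudflare.com rule is the strongest single signal when the connecting process is not a browser.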
