New PHP-Based Interlock RAT Variant Uses FileFix Delivery Mechanism to Target Multiple Industries
Briefly

The Interlock ransomware group is distributing a new PHP variant of its remote access trojan (RAT) through a delivery mechanism named FileFix. The campaign has been linked to compromised websites carrying a script hidden in the page HTML that redirects users to fake CAPTCHA pages. Through these pages, victims are enticed to run a PowerShell script that installs the Interlock RAT. Updates to the delivery method have enabled the deployment of both PHP and Node.js variants of the RAT, opportunistically targeting a broad range of industries.
Since May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters.
The campaign begins with compromised websites injected with a single-line script hidden in the page's HTML, often unbeknownst to site owners or visitors.
This updated delivery mechanism has been observed deploying the PHP variant of the Interlock RAT, which in certain cases has then led to the deployment of the Node.js variant of the Interlock RAT.
FileFix is an evolution of ClickFix that takes advantage of the address bar in Windows File Explorer: victims are instructed to copy commands and execute them from it.
Read at The Hacker News