Threat actors behind the Interlock ransomware group have unleashed a new PHP variant of its bespoke remote access trojan (RAT) as part of a widespread campaign using a variant of ClickFix called FileFix.
"Since May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters," The DFIR Report said in a technical analysis published today in collaboration with Proofpoint.
"The campaign begins with compromised websites injected with a single-line script hidden in the page's HTML, often unbeknownst to site owners or visitors."
The JavaScript code acts as a traffic distribution system (TDS), using IP filtering techniques to redirect users to fake CAPTCHA verification pages that leverage ClickFix to entice them into running a PowerShell script that leads to the deployment of NodeSnake (aka Interlock RAT).
The use of NodeSnake by Interlock was previously documented by Quorum Cyber as part of cyber attacks targeting local government and higher education organizations in the United Kingdom in January and March 2025. The malware facilitates persistent access, system reconnaissance, and remote command execution capabilities.
While the name of the malware is a reference to its Node.js foundations, new campaigns observed last month have led to the distribution of a PHP variant by means FileFix. The activity is assessed to be opportunistic in nature, aiming for a broad range of industries.
"This updated delivery mechanism has been observed deploying the PHP variant of the Interlock RAT, which in certain cases has then led to the deployment of the Node.js variant of the Interlock RAT," the researchers said.
FileFix is an evolution of ClickFix that takes advantage of the Windows operating system's ability to instruct victims into copying and executing commands using the File Explorer's address bar feature. It was first detailed as a proof-of-concept (PoC) last month by security researcher mrd0x.
Once installed, the RAT malware carries out reconnaissance of the infected host and exfiltrate system information in JSON format. It also checks its own privileges to determine if it's being run as USER, ADMIN, or SYSTEM, and establishes contact with a remote server to download and run EXE or DLL payloads.
Persistence on the machine is accomplished via Windows Registry changes, while the Remote Desktop Protocol (RDP) is used to enable lateral movement.
A noteworthy feature of the trojan is its abuse of Cloudflare Tunnel subdomains to obscure the true location of the command-and-control (C2) server. The malware further embeds hard-coded IP addresses as a fallback mechanism so as to ensure that the communication remains intact even if the Cloudflare Tunnel is taken down.
"This discovery highlights the continued evolution of the Interlock group's tooling and their operational sophistication," the researchers said. "While the Node.js variant of Interlock RAT was known for its use of Node.js, this variant leverages PHP, a common web scripting language, to gain and maintain access to victim networks."
