Threat actors behind the Interlock ransomware group have unleashed a new PHP variant of its bespoke remote access trojan (RAT) as part of a widespread campaign using a variant of ClickFix called FileFix.
"Since May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters," The DFIR Report said in a technical analysis published today in collaboration with Proofpoint.
"The campaign begins with compromised websites injected with a single-line script hidden in the page's HTML, often unbeknownst to site owners or visitors."
The JavaScript code acts as a traffic distribution system (TDS), using IP filtering techniques to redirect users to fake CAPTCHA verification pages that leverage ClickFix to entice them into running a PowerShell script that leads to the deployment of NodeSnake (aka Interlock RAT).
The use of NodeSnake by Interlock was previously documented by Quorum Cyber as part of cyber attacks targeting local government and higher education organizations in the United Kingdom in January and March 2025. The malware facilitates persistent access, system reconnaissance, and remote command execution capabilities.
While the name of the malware is a reference to its Node.js foundations, new campaigns observed last month have led to the distribution of a PHP variant by means FileFix. The activity is assessed to be opportunistic in nature, aiming for a broad range of industries.
"This updated delivery mechanism has been observed deploying the PHP variant of the Interlock RAT, which in certain cases has then led to the deployment of the Node.js variant of the Interlock RAT," the researchers said.
FileFix is an evolution of ClickFix that takes advantage of the Windows operating system's ability to instruct victims into copying and executing commands using the File Explorer's address bar feature. It was first detailed as a proof-of-concept (PoC) last month by security researcher mrd0x.
Once installed, the RAT malware carries out reconnaissance of the infected host and exfiltrate system information in JSON format. It also checks its own privileges to determine if it's being run as USER, ADMIN, or SYSTEM, and establishes contact with a remote server to download and run EXE or DLL payloads.
Persistence on the machine is accomplished via Windows Registry changes, while the Remote Desktop Protocol (RDP) is used to enable lateral movement.
A noteworthy feature of the trojan is its abuse of Cloudflare Tunnel subdomains to obscure the true location of the command-and-control (C2) server. The malware further embeds hard-coded IP addresses as a fallback mechanism so as to ensure that the communication remains intact even if the Cloudflare Tunnel is taken down.
"This discovery highlights the continued evolution of the Interlock group's tooling and their operational sophistication," the researchers said. "While the Node.js variant of Interlock RAT was known for its use of Node.js, this variant leverages PHP, a common web scripting language, to gain and maintain access to victim networks."
Threat Actors Join the FileFix Exploitation Bandwagon
Cybersecurity firm Check Point, in an analysis published on July 16, 2025, said it has observed cybercriminals actively testing the FileFix attack method for future malware distribution. This includes a threat actor that's known for leveraging the ClickFix technique to propagate malware loaders, remote access Trojans (RATs), and information stealers.
"This threat actor has a history of targeting users of major cryptocurrency exchanges and other legitimate services," the company said. "Their primary lure technique is SEO poisoning, which involves manipulating search engine results to promote malicious sites to the top."
While the FileFix tests so far use benign payloads, the development signals an imminent shift to delivering real malware, underscoring how threat actors are swiftly incorporating new attack methods into their arsenal.
Check Point noted that FileFix is stealthier than ClickFix, as it weaponizes user trust in everyday Windows actions, such as opening Windows File Explorer, to execute harmful code without raising any suspicion.
"Threat actors began using FileFix less than two weeks after it was published, showing just how quickly cyber criminals adapt," Eli Smadja, Group Manager of Security Research at Check Point Software Technologies, said in a statement.
"Like ClickFix, this technique doesn't rely on complex exploits, but on manipulating routine user behavior. By shifting from the Run dialog to File Explorer, attackers are now hiding in plain sight, making detection harder and the threat more dangerous."
The disclosure also follows a report from BI.ZONE about how threat actors are employing ClickFix-style attacks in attacks targeting the Russian region to deliver Octowave Loader and a previously unknown remote access trojan (RAT) by means of phishing emails that redirect victims to phony websites serving bogus CAPTCHA verification checks.
The PowerShell command executed via ClickFix leads to the execution of Octowave Loader via DLL side-loading, which then launches the unclassified RAT component to gather system information and contact an external server to retrieve additional EXE or DLL payloads.
"Threat actors often send phishing emails impersonating major or well‑known organizations or reference them for credibility," BI.ZONE said. "The stronger a brand, the more likely threat actors are to exploit its identity. Recognizable logos and other branding elements make phishing emails appear more authentic, prompting victims to open them."
(The story was updated after publication on July 16, 2025, to include additional insights from Check Point and BI.ZONE.)
