Cyber Web Spider Blog – News
KongTuke Attacking Windows Users With New Interlock RAT Variant Using FileFix Technique

Posted on July 14, 2025 By CWS

A sophisticated malware campaign attributed to the KongTuke threat cluster has emerged, targeting Windows users through a novel FileFix technique that deploys an advanced PHP-based variant of the Interlock remote access trojan (RAT).

This represents a significant evolution from earlier JavaScript-based implementations, demonstrating increased operational sophistication and resilience.

Since May 2025, cybersecurity researchers have observed widespread activity related to the Interlock RAT in connection with the LandUpdate808 web-inject threat clusters, also known as KongTuke.

The campaign uses compromised websites as initial attack vectors, injecting single-line scripts into HTML pages that remain largely undetected by site owners and visitors alike.

The DFIR Report analysts, working in partnership with Proofpoint researchers, identified this new variant in June 2025 campaigns.

The threat actors have successfully transitioned from their previously documented JavaScript-based Interlock RAT, nicknamed NodeSnake, to a more robust PHP-based implementation that enhances both functionality and evasion capabilities.

The campaign's opportunistic targeting affects organizations across multiple industries, with the threat actors employing refined social engineering techniques to maximize infection rates.

The malware's evolution demonstrates the Interlock group's continued investment in developing more resilient and harder-to-detect attack methodologies.

Infection Mechanism Analysis

The KongTuke FileFix attack chain begins with compromised websites serving malicious JavaScript that applies heavy IP filtering to selectively target specific victims.

Upon accessing an infected website, users encounter a seemingly legitimate captcha verification prompt asking them to "Verify you are human," followed by detailed verification steps that instruct victims to open the Windows Run dialog and paste clipboard content.

KongTuke web-inject transitioning to a FileFix variant (Source – The DFIR Report)

This social engineering approach effectively bypasses conventional security awareness training, because users perceive the captcha as a standard web security measure.

When victims comply with the instructions, they unknowingly execute a PowerShell script that initiates the Interlock RAT deployment sequence.

The execution chain shows a sophisticated technical implementation, with PowerShell spawning PHP processes using suspicious arguments.

The malware loads configuration files from non-standard locations within the user's AppData directory, specifically invoking the PHP executable with a ZIP extension directive.

A representative command structure appears as:

"C:\Users\[REDACTED]\AppData\Roaming\php\php.exe" -d extension=zip -c config.cfg

Upon successful execution, the RAT immediately performs comprehensive system reconnaissance, collecting detailed information including system specifications, running processes, Windows services, mounted drives, and network neighborhood data via ARP table queries.

This intelligence gathering enables the threat actors to quickly assess compromise scope and privilege level, determining whether they hold USER, ADMIN, or SYSTEM access rights for subsequent attack phases.

The malware establishes robust command and control communications via trycloudflare.com URLs, deliberately abusing the legitimate Cloudflare Tunnel service to mask true server locations, while maintaining hardcoded fallback IP addresses for operational resilience.
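As an added example that is not from this article or from The DFIR Report, the following Python triage script turns the execution-chain and C2 details described above into detection logic: it scores Sysmon-style process-creation records against three tells (php.exe running from the user's AppData tree, the `-d extension=zip` directive, a PowerShell parent) and flags trycloudflare.com DNS lookups. The sample records, field names and the tunnel hostname are constructed for illustration and are not indicators from the report.

```python
import re

# Constructed sample records in Sysmon-style fields (Event ID 1 process creation,
# Event ID 22 DNS query); they are not telemetry from the report. The first process
# record mirrors the command structure described above; the second is a developer
# running PHP from Program Files and must not fire.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\php\php.exe" -d extension=zip -c config.cfg',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Program Files\PHP\php.exe",
     "CommandLine": r'"C:\Program Files\PHP\php.exe" artisan serve',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
SAMPLE_DNS_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "QueryName": "placeholder-words.trycloudflare.com"},  # constructed, not a real C2 host
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.cloudflare.com"},
]

# Indicators drawn from the execution chain described in the article.
APPDATA_PHP = re.compile(r"\\AppData\\(Roaming|Local)\\.*php\.exe$", re.IGNORECASE)
ZIP_DIRECTIVE = re.compile(r"-d\s+extension=zip\b", re.IGNORECASE)
POWERSHELL_PARENT = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
TRYCLOUDFLARE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)


def process_indicators(ev):
    """Return the names of the indicators one process-creation record matches."""
    hits = []
    if APPDATA_PHP.search(ev.get("Image", "")):
        hits.append("php.exe running from user AppData")
    if ZIP_DIRECTIVE.search(ev.get("CommandLine", "")):
        hits.append("'-d extension=zip' directive on the command line")
    if POWERSHELL_PARENT.search(ev.get("ParentImage", "")):
        hits.append("spawned by PowerShell")
    return hits


def suspicious_process_events(events, min_hits=2):
    """Keep records matching at least min_hits indicators, so a lone PHP install does not fire."""
    return [(ev, process_indicators(ev)) for ev in events if len(process_indicators(ev)) >= min_hits]


def suspicious_dns_events(events):
    """Flag trycloudflare.com lookups: the tunnel hostname is the C2 tell whatever the requester."""
    return [ev for ev in events if TRYCLOUDFLARE.search(ev.get("QueryName", ""))]
```

Feed it exported Sysmon or EDR process and DNS records with the same field names; a trycloudflare.com lookup from a php.exe under AppData, combined with the process alert, is the correlation worth paging on.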

