KongTuke Attacking Windows Users With New Interlock RAT Variant Using FileFix Technique

A sophisticated malware campaign leveraging the KongTuke threat cluster has emerged, targeting Windows users through a novel FileFix technique that deploys an advanced PHP-based variant of the Interlock remote access trojan (RAT).

This represents a significant evolution from previous JavaScript-based implementations, demonstrating increased operational sophistication and resilience.

Since May 2025, cybersecurity researchers have observed widespread activity related to the Interlock RAT in connection with the LandUpdate808 web-inject threat clusters, also known as KongTuke.

The campaign utilizes compromised websites as initial attack vectors, injecting single-line scripts into HTML pages that remain largely undetected by site owners and visitors alike.

The DFIR Report analysts, working in partnership with Proofpoint researchers, identified this new variant in June 2025 campaigns.

The threat actors have successfully transitioned from their previously documented JavaScript-based Interlock RAT, nicknamed NodeSnake, to a more robust PHP-based implementation that enhances both functionality and evasion capabilities.

The campaign’s opportunistic targeting approach affects organizations across multiple industries, with threat actors employing sophisticated social engineering techniques to maximize infection rates.

The malware’s evolution demonstrates the Interlock group’s continued investment in developing more resilient and harder-to-detect attack methodologies.

Infection Mechanism Analysis

The KongTuke FileFix attack chain begins with compromised websites serving malicious JavaScript that employs heavy IP filtering to selectively target specific victims.

Upon accessing an infected site, users encounter a seemingly legitimate captcha verification prompt requesting them to “Verify you are human,” followed by detailed verification steps that instruct victims to open Windows Run command dialog and paste clipboard content.

This social engineering approach effectively bypasses traditional security awareness training, as users perceive the captcha as a standard web security measure.

When victims comply with the instructions, they unknowingly execute a PowerShell script that initiates the Interlock RAT deployment sequence.

The execution chain demonstrates sophisticated technical implementation, with PowerShell spawning PHP processes using suspicious arguments.

The malware loads configuration files from non-standard locations within the user’s AppData directory, specifically invoking the PHP executable with ZIP extension directives.

A representative command structure appears as:-

"C:Users[REDACTED]AppDataRoamingphpphp.exe" -d extension=zip -c config.cfg

Upon successful execution, the RAT immediately performs comprehensive system reconnaissance, collecting detailed information including system specifications, running processes, Windows services, mounted drives, and network neighborhood data through ARP table queries.

This intelligence gathering enables threat actors to quickly assess compromise scope and privilege levels, determining whether they have USER, ADMIN, or SYSTEM access rights for subsequent attack phases.

The malware establishes robust command and control communications through trycloudflare.com URLs, deliberately abusing legitimate Cloudflare Tunnel services to mask true server locations while maintaining hardcoded fallback IP addresses for operational resilience.

Detect malware in a live environment Analyze suspicious files & URLs in ANY.RUN’s Sandbox -> Try for Free