Researchers from The DFIR Report, collaborating with Proofpoint, have uncovered a resilient PHP-based variant of the Interlock ransomware group’s remote access trojan (RAT), marking a significant evolution from the previously documented JavaScript-driven NodeSnake.
This adaptation, observed in campaigns linked to the LandUpdate808 threat cluster (also known as KongTuke), has been active since May 2025 and exploits compromised websites to deliver malicious payloads.
Analysis Reveals Sophisticated Tradecraft
The infection chain initiates with a single-line script injected into website HTML, often undetected by site owners or visitors, which employs stringent IP filtering to selectively serve a JavaScript payload.
This script deceives users into verifying their humanity via a captcha prompt, followed by instructions to paste clipboard content into the Windows Run dialog, ultimately executing a PowerShell script that deploys the Interlock RAT.
Proofpoint has tracked both Node.js and PHP variants, with the latter first appearing in June 2025, and recent observations indicate a shift to a FileFix delivery mechanism that deploys the PHP RAT, sometimes escalating to the Node.js version for deeper network persistence.
The PHP variant demonstrates advanced execution techniques, spawning from PowerShell commands that invoke a PHP executable in the user’s AppData\Roaming directory with suspicious arguments, including ZIP extension loading and a non-standard config file.
This setup enables automated discovery, where the RAT rapidly profiles the compromised system using PowerShell to collect JSON-formatted data on system specifications via systeminfo, running processes and services through tasklist and Get-Service, mounted drives with Get-PSDrive, and local network details from the ARP table via Get-NetNeighbor.
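As an added example (not code from the report or from either research team), the following Python triages constructed process-creation events for the execution pattern described above: php.exe running from AppData\Roaming, spawned by PowerShell, loading the zip extension and pointing at a config file other than php.ini. The argument forms `-d extension=zip` and `-c <file>` are standard PHP CLI options assumed here for the sample data; the report does not quote the actual command line.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "CommandLine": r"php.exe -d extension=zip -c C:\Users\alice\AppData\Roaming\php\config.cfg",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\xampp\php\php.exe",                      # benign developer install
     "CommandLine": r"php.exe -c C:\xampp\php\php.ini artisan serve",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\bob\AppData\Roaming\tools\php.exe",  # odd location, nothing else
     "CommandLine": r"php.exe -v",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Each indicator is checked independently so a single weak signal does not page anyone.
ROAMING_PHP = re.compile(r"\\AppData\\Roaming\\(?:.*\\)?php\.exe$", re.IGNORECASE)
ZIP_EXT = re.compile(r"-d\s+extension=(?:php_)?zip(?:\.dll)?\b", re.IGNORECASE)
CONFIG_ARG = re.compile(r"(?:^|\s)-c\s+(\S+)", re.IGNORECASE)
PS_PARENT = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.IGNORECASE)


def match_event(ev):
    """Return the list of indicators one event matches (empty list if none)."""
    hits = []
    if ROAMING_PHP.search(ev["Image"]):
        hits.append("php.exe under AppData\\Roaming")
    if ZIP_EXT.search(ev["CommandLine"]):
        hits.append("zip extension loaded via -d")
    m = CONFIG_ARG.search(ev["CommandLine"])
    if m and not m.group(1).lower().endswith("php.ini"):
        hits.append("non-standard config file: " + m.group(1))
    if PS_PARENT.search(ev["ParentImage"]):
        hits.append("spawned by PowerShell")
    return hits


def triage(events, threshold=3):
    """Return (image, hits) for events reaching the indicator threshold."""
    alerts = []
    for ev in events:
        hits = match_event(ev)
        if len(hits) >= threshold:
            alerts.append((ev["Image"], hits))
    return alerts


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(hits))
```

The threshold keeps a lone php.exe in a user profile (common with portable developer tooling) out of the alert queue while the full combination of location, parent, extension loading and config file fires.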
Emerging PHP Variant
It also assesses its privilege level, distinguishing between USER, ADMIN, or SYSTEM contexts, providing attackers with immediate situational awareness.
Hands-on keyboard activity further reveals interactive sessions, evidenced by commands querying Active Directory for computer counts, user descriptions, domain user details via net user, and targeted searches for backup-related systems like Veeam using ADSI searchers.
Additional reconnaissance includes tasklist for process enumeration, nltest for domain controller listing, whoami for user identification, and directory listings in AppData.
Command and control infrastructure leverages abused Cloudflare Tunnel services through trycloudflare.com subdomains, with hardcoded fallback IPs ensuring continuity if tunnels are disrupted.
The RAT supports versatile execution capabilities: downloading and running EXE or DLL files, establishing autorun persistence via registry modifications, executing arbitrary CMD commands for remote shell access, or self-terminating with an OFF command.
Persistence is achieved by adding Run key entries in the registry, pointing to the PHP executable and config file.
Lateral movement primarily utilizes Remote Desktop Protocol (RDP) to traverse victim environments, while the campaign’s opportunistic targeting spans various industries, highlighting the group’s broadening scope.
This development underscores the Interlock group’s operational sophistication, transitioning from Node.js to PHP for enhanced evasion in Windows environments.
Ongoing monitoring by The DFIR Report and Proofpoint promises further insights, with existing customers accessing Sigma and YARA rules alongside private intelligence.
Organizations are urged to bolster defenses against web-inject threats and monitor for indicators of compromise.
Indicators of Compromise (IOCs)
| Category | Name/Description | Details |
|---|---|---|
| Config Files | config.cfg (27392 bytes) | SHA256: 28a9982cf2b4fc53a1545b6ed0d0c1788ca9369a847750f5652ffa0ca7f7b7d3 |
| Config Files | config.cfg (28268 bytes) | SHA256: 8afd6c0636c5d70ac0622396268786190a428635e9cf28ab23add939377727b0 |
| Domains | Trycloudflare subdomains | existed-bunch-balance-councils.trycloudflare.com, ferrari-rolling-facilities-lounge.trycloudflare.com, galleries-physicians-psp-wv.trycloudflare.com, evidence-deleted-procedure-bringing.trycloudflare.com, nowhere-locked-manor-hs.trycloudflare.com, ranked-accordingly-ab-hired.trycloudflare.com |
| Fallback IPs | Hardcoded IPs | 64.95.12.71, 184.95.51.165 |