Hackers Are Abusing 'FileFix' Technique to Drop RATs During Ransomware Attacks
JUL 14 – The Interlock ransomware group evolved its remote access trojan to a PHP variant using FileFix, a method abusing Windows UI to trick users, with activity observed since May 2025.
- Researchers identified that in June 2025, Interlock ransomware attackers began using a new FileFix technique to deploy a PHP-based remote access trojan.
- This shift followed the group’s initial emergence in September 2024 and signaled a transition from a JavaScript Node.js RAT to a PHP variant for evasion and persistence.
- Attackers employ compromised websites with injected scripts prompting victims to execute disguised commands in File Explorer, triggering PowerShell scripts that download the PHP RAT from masked Cloudflare Tunnel URLs.
- The PHP RAT performs extensive system reconnaissance, gathers network details as JSON, and supports downloading executables, registry persistence, and remote shell commands, often escalating to Node.js for deeper access.
- This evolving delivery method suggests growing attacker sophistication, requiring defenders to strengthen monitoring of web-inject threats and adapt to the widespread and opportunistic Interlock ransomware campaigns.
11 Articles
The Interlock cybercriminal gang is refining its infiltration methods. Known for their ransomware attacks, the hackers are shifting their tactics to combine social engineering and malware. They are the first to exploit a tactic called FileFix.
New PHP-Based Interlock RAT Variant Uses FileFix Delivery Mechanism To Target Multiple Industries - Cybernoz - Cybersecurity News
Jul 14, 2025 | Ravie Lakshmanan | Malware / Web Security. Threat actors behind the Interlock ransomware group have unleashed a new PHP variant of its bespoke remote access trojan (RAT) as part of a widespread campaign using a variant of ClickFix called FileFix. “Since May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters,” The DFIR Report said in a technical a…
Interlock ransomware adopts FileFix method to deliver malware | #ransomware | #cybercrime - National Cyber Security Consulting
Hackers have adopted the new technique called 'FileFix' in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems. Interlock ransomware operations have increased over the past months as the threat actor started using the KongTuke web injector (aka 'LandUpdate808') to deliver payloads through compromised websites. This shift in modus operandi was observed by researchers […]
New PHP-Based Interlock RAT Variant Uses FileFix Delivery Mechanism to Target Multiple Industries
Threat actors behind the Interlock ransomware group have unleashed a new PHP variant of its bespoke remote access trojan (RAT) as part of a widespread campaign using a variant of ClickFix called FileFix. "Since May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters," The DFIR Report said in a technical
Coverage Details
Bias Distribution
- 100% of the sources are Center