New Interlock RAT variant spreads via fake CAPTCHA and File Explorer trick

15.07.2025 2 minutes Author: Newsman

A new wave of cyberattacks has been detected, where the Interlock group is leveraging a PHP-based variant of the well-known Interlock RAT. The malware is distributed via an updated delivery mechanism called FileFix, which abuses Windows address bar manipulation. The campaign targets a wide range of industries — from government to private business.


According to The DFIR Report and Proofpoint, the attacks have been ongoing since May 2025. The infection chain begins with malicious JavaScript injected into compromised websites, which redirects victims to fake CAPTCHA pages.

These pages trigger FileFix, a technique that tricks users into copying and pasting a command into the Windows File Explorer address bar. This executes a PowerShell script that delivers Interlock RAT, initially as a PHP file and in some cases later escalating to a Node.js variant.
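As an added example (not from the report or from the researchers' tooling), a small detection check over constructed Sysmon-style process-creation records: the FileFix chain described above ends with File Explorer launching PowerShell, so a shell whose parent is explorer.exe and whose command line carries hidden or non-interactive flags is the signal to alert on. The two-indicator threshold and the sample records are assumptions made for this example.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation records; not taken from the report.
SAMPLE_EVENTS = [
    # Suspicious: File Explorer spawning a hidden, non-interactive PowerShell (payload is a placeholder).
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc AAAA"},
    # Benign: a user opened an interactive PowerShell window from Explorer.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'},
    # Unrelated: a service-launched script is not the File Explorer address-bar chain.
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -File C:\\Scripts\\backup.ps1"},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")

# Command-line indicators of a hidden or non-interactive launch (assumed heuristics).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+\S", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "exec_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|irm|iex|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
}


def filefix_indicators(event):
    """Return the indicator names that fire for one event, or [] if the parent/child pair does not match."""
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    if parent != "explorer.exe" or image not in SHELLS:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]


def detect_filefix(events, min_hits=2):
    """Alert on explorer.exe -> shell launches with at least `min_hits` indicators.
    Two hits are required so a user who simply opens PowerShell from Explorer is not flagged."""
    alerts = []
    for ev in events:
        hits = filefix_indicators(ev)
        if len(hits) >= min_hits:
            alerts.append({"command": ev["CommandLine"], "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect_filefix(SAMPLE_EVENTS):
        print("ALERT:", alert["indicators"], "<-", alert["command"])
```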

Key features of the RAT:

  • Extracts system information in JSON format
  • Checks user privilege level (USER / ADMIN / SYSTEM)
  • Downloads additional EXE or DLL files from a remote server
  • Achieves persistence via Windows registry modifications
  • Uses RDP for lateral movement inside networks
  • Hides its infrastructure via Cloudflare Tunnel, with backup IPs as fallback

The Interlock group was first spotted in early 2025, during attacks against UK government systems. Their primary tool is NodeSnake / Interlock RAT, built in Node.js. In July, the campaign evolved significantly: the new PHP variant was introduced, making it easier to implant in web servers and harder to detect.

The group has also shifted toward opportunistic attacks — rather than targeting specific organizations, they hit any victim that meets FileFix exploitation conditions. This case highlights how quickly cybercriminals adapt: abusing legitimate Windows UI, leveraging trusted services like Cloudflare Tunnel, and relying on common web languages (Node.js, PHP) to maintain access.

Any organization with websites or servers should be vigilant about emerging RAT modules and avoid interacting with suspicious CAPTCHA pages or system prompts.
