{"id":2928,"date":"2025-07-14T11:00:53","date_gmt":"2025-07-14T11:00:53","guid":{"rendered":"https:\/\/cert-mu.govmu.org\/cert-mu\/?page_id=2928"},"modified":"2025-07-14T11:01:51","modified_gmt":"2025-07-14T11:01:51","slug":"kongtuke-campaign-deploys-modified-interlock-rat-using-filefix-method-against-windows-environments","status":"publish","type":"page","link":"https:\/\/cert-mu.govmu.org\/cert-mu\/?page_id=2928","title":{"rendered":"KongTuke Campaign Deploys Modified Interlock RAT Using FileFix Method Against Windows Environments"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"2928\" class=\"elementor elementor-2928\" data-elementor-post-type=\"page\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-14e609a elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"14e609a\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c1d8ab1\" data-id=\"c1d8ab1\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9704e67 elementor-widget elementor-widget-text-editor\" data-id=\"9704e67\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Researchers from The DFIR Report, collaborating with Proofpoint, have uncovered a resilient PHP-based variant of the Interlock ransomware group\u2019s remote access trojan (RAT), marking a significant evolution from the previously documented JavaScript-driven NodeSnake. 
This adaptation, observed in campaigns linked to the LandUpdate808 threat cluster, also known as KongTuke, has been active since May 2025, exploiting compromised websites to deliver malicious payloads.<\/p><p>The infection chain begins with a single-line script injected into website HTML, often undetected by site owners or visitors, which employs stringent IP filtering to selectively serve a JavaScript payload. This script deceives users into verifying their humanity via a captcha prompt, followed by instructions to paste clipboard content into the Windows Run dialog, ultimately executing a PowerShell script that deploys the Interlock RAT.<\/p><p>Proofpoint has tracked both Node.js and PHP variants, with the latter first appearing in June 2025, and recent observations indicate a shift to a FileFix delivery mechanism that deploys the PHP RAT, sometimes escalating to the Node.js version for deeper network persistence.<\/p><p><strong>Read More: <\/strong><\/p><p><a href=\"https:\/\/gbhackers.com\/kongtuke-campaign-deploys-modified-interlock-rat\/\">https:\/\/gbhackers.com\/kongtuke-campaign-deploys-modified-interlock-rat\/<\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Researchers from The DFIR Report, collaborating with Proofpoint, have uncovered a resilient PHP-based variant of the Interlock ransomware group\u2019s remote access trojan (RAT), marking a significant evolution from the previously documented JavaScript-driven NodeSnake. This adaptation, observed in campaigns linked to the LandUpdate808 threat cluster, also known as KongTuke, has been active since May 2025, exploiting compromised websites to deliver malicious payloads. 
The infection chain initiates with a single-line script injected into website HTML, often undetected by site owners or visitors, which employs stringent IP filtering to selectively serve a JavaScript payload. This script deceives users into verifying their humanity via\u2026<\/p>\n","protected":false},"author":7,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-2928","page","type-page","status-publish","hentry"],"blocksy_meta":"","_links":{"self":[{"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=\/wp\/v2\/pages\/2928","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2928"}],"version-history":[{"count":4,"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=\/wp\/v2\/pages\/2928\/revisions"}],"predecessor-version":[{"id":2933,"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=\/wp\/v2\/pages\/2928\/revisions\/2933"}],"wp:attachment":[{"href":"https:\/\/cert-mu.govmu.org\/cert-mu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2928"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}