Close Menu
Cybercrime and Ransomware

New Interlock RAT Variant Emerges Through FileFix Attacks

Staff WriterBy No Comments4 Mins Read0 Views

Summary Points

  1. The Interlock ransomware group is distributing a new Remote Access Trojan (RAT) via compromised websites using an evolved ClickFix social engineering attack that tricks users into executing malicious code disguised as file updates or error resolutions.

  2. The recently used FileFix variant prompts users with a fake ‘Open File Explorer’ button that ultimately leads to the execution of malicious files by copying and pasting a path into File Explorer.

  3. Starting in May 2025, the group has been observed using a sophisticated traffic distribution system (KongTuke) that shifted from ClickFix to FileFix, delivering a PHP variant of the Interlock RAT while also utilizing Node.js in some cases.

  4. The Interlock RAT conducts system fingerprinting, maintains persistence, and leverages Cloudflare URLs for command-and-control communication, highlighting the group’s advanced operational tactics and targeting of multiple industries for opportunistic attacks.

The Issue

In May 2025, security researchers from The DFIR Report and Proofpoint unveiled alarming activity surrounding the Interlock ransomware group’s latest Remote Access Trojan (RAT), which is being disseminated through compromised websites employing a sophisticated variant of the ClickFix attack. This technique utilizes malicious code embedded within web pages, designed to deceive users into executing harmful software under the pretense of standard updates or error corrections. The newly minted FileFix variant further complicates matters by generating prompts that mislead users into thinking files have been shared with them, inadvertently launching PowerShell scripts that execute malware, leading them to deploy malicious payloads unknowingly.

The Interlock RAT operation is linked to the KongTuke traffic distribution system, which has adeptly transitioned its tactics to target victims across various industries. The malware, notably using a PHP variant, infiltrates systems stealthily while maintaining command-and-control communication through legitimate channels like Cloudflare. It systematically collects sensitive system information and enables persistent access for the attackers, evidenced by their observed hands-on-keyboard activities. The findings signify an alarming evolution in the operational proficiency of the Interlock group, casting a spotlight on the urgent need for enhanced cybersecurity measures against such opportunistic threats.

Risk Summary

The distribution of the new Interlock ransomware group’s Remote Access Trojan (RAT) poses significant risks not only to individual users and affected organizations but also to the broader ecosystem of businesses that interact with or rely upon these compromised entities. As the malware employs sophisticated social engineering techniques like ClickFix and its variant FileFix, it effectively exploits user trust and encourages them to unwittingly execute malicious code, setting a precarious precedent for information security. The potential scale of infection is alarming; once these systems are infiltrated, attackers can harvest sensitive data, assess user privileges, and execute lateral movement within networks, all while obscuring their activities through legitimate services like Cloudflare. This layered, opportunistic approach significantly heightens the possibility of cascading failures across interconnected systems—where one business’s compromise becomes a vector for further attacks—risking not just financial loss but also reputational damage and regulatory penalties across the supply chain. As industries increasingly converge in the digital realm, the ramifications of such ransomware attacks can resonate well beyond the immediate victims, creating a challenging environment for cybersecurity and collective resilience.

Possible Actions

The recent emergence of the New Interlock RAT variant via FileFix attacks underscores the criticality of prompt remediation to thwart potential breaches and ensure organizational integrity.

Mitigation & Remediation Steps

  • Immediate isolation of affected systems
  • Comprehensive malware analysis
  • Deployment of updated antivirus solutions
  • User training on phishing awareness
  • Security patch management for vulnerabilities
  • Incident response team activation
  • Forensic investigation to assess damage
  • Continuous monitoring for anomalous activities

NIST CSF Guidance
The NIST Cybersecurity Framework emphasizes a proactive approach in identifying, protecting, detecting, responding, and recovering from threats. For specific strategies related to incident management, refer to NIST SP 800-61, "Computer Security Incident Handling Guide," for detailed remediation procedures and best practices.

Continue Your Cyber Journey

Discover cutting-edge developments in Emerging Tech and industry Insights.

Explore engineering-led approaches to digital security at IEEE Cybersecurity.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.