Targeted Threat: New PHP Interlock RAT Uses FileFix to Strike Multiple Industries

Quick Takeaways

1. New Ransomware Variant: The Interlock ransomware group has launched a PHP variant of its remote access trojan (RAT), utilizing a tool called FileFix, in a widespread campaign since May 2025.

2. Infection Tactics: The campaign involves compromised websites injecting scripts that redirect users to fake CAPTCHA pages, prompting download and execution of the Interlock RAT via PowerShell.

3. Operational Features: Once deployed, the RAT performs system reconnaissance, exfiltrates data, and uses Windows Registry changes for persistence, alongside exploiting Cloudflare Tunnel subdomains for command-and-control communication.

4. Evolving Threat Landscape: The research highlights the operational sophistication of the Interlock group, adapting their malware delivery mechanisms to target a broad range of industries with increasing complexity.

The Issue

In a recent security analysis reported by Ravie Lakshmanan on July 14, 2025, it has come to light that the Interlock ransomware group has advanced its cybercriminal tactics by deploying a new PHP variant of its remote access trojan (RAT), referred to as NodeSnake, integrated into a broader campaign utilizing an evolved mechanism known as FileFix. This sophisticated operation, originating around May 2025 and detailed in collaboration with Proofpoint by the DFIR Report, exploits compromised websites. These sites unwittingly host a malicious one-line script embedded within their HTML. This script acts as a traffic distribution system (TDS), redirecting users to bogus CAPTCHA pages, which then prompt the execution of PowerShell scripts to install the NodeSnake malware.

The implications of this cyber onslaught are extensive, targeting a broad spectrum of industries through opportunistic infiltration tactics. Notably, the previously identified Node.js variant of Interlock RAT was specifically documented in attacks against local government and higher education sectors in the UK earlier this year. The PHP variant enhances the group’s operational sophistication, cleverly utilizing Cloudflare Tunnel subdomains to obscure command-and-control communications, while also embedding fallback IP addresses to maintain connectivity even under threat mitigation efforts. This escalation in technical acumen highlights the relentless evolution of cyber threats in today’s digital landscape, emphasizing the imperative for robust cybersecurity measures.

Risks Involved

The proliferation of the Interlock ransomware group’s PHP variant of its remote access trojan (RAT) significantly elevates risks not only for immediate targets but also for a wide spectrum of businesses, users, and organizations that may inadvertently intersect with this cyber threat landscape. As compromised websites disseminate malicious scripts unnoticed, the consequential compromise of user systems can lead to extensive data breaches, operational disruptions, and financial losses across industries. Moreover, the opportunistic nature of the attacks—exploiting vulnerabilities in various platforms—implies that the ramifications could ripple outward, affecting interconnected systems and supply chains. Organizations could find themselves embroiled in reputational damage, regulatory scrutiny, and cascading failures within their networks, underscoring the critical need for robust cybersecurity measures to counteract these evolving threats and to safeguard both individual and collective digital infrastructures.

Possible Remediation Steps

The rapid emergence of threats such as the New PHP-Based Interlock RAT Variant underscores the critical necessity for swift remediation efforts across various sectors to safeguard sensitive information and maintain operational integrity.

Mitigation Measures

1. Immediate Patch Deployment
2. Intrusion Detection Systems
3. Network Segmentation
4. User Access Control
5. Regular System Audits
6. Security Awareness Training
7. Incident Response Plan Activation
8. Threat Intelligence Integration

NIST CSF Guidance
The NIST Cybersecurity Framework (CSF) emphasizes risk management and proactive defense strategies. For comprehensive details, refer specifically to NIST SP 800-53, which outlines security and privacy controls essential for mitigating such risks effectively.

Continue Your Cyber Journey

Explore career growth and education via Careers & Learning, or dive into Compliance essentials.

Explore engineering-led approaches to digital security at IEEE Cybersecurity.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1