KongTuke FileFix Leads to New Interlock RAT Variant
Essential information
- Published: 15/07/2025 08:57
- Modified: 15/07/2025 09:46
- Tags: 2025-07-15 cloudflare tunnel filefix interlock rat kongtuke nodesnake reconnaissance web inject
- Related entities: 12 observables, 1 intrusion set (apt), 16 techniques (mitre), 2 malware
Description
A new and resilient variant of the Interlock ransomware group's remote access trojan (RAT) has been identified. This PHP-based malware, a shift from the group's previous JavaScript-based NodeSnake RAT, is being used in a widespread campaign associated with the LandUpdate808 (KongTuke) web-inject threat clusters. The campaign begins with compromised websites injected with a hidden script that uses IP filtering to selectively serve the payload. The malware performs automated reconnaissance, establishes command and control through Cloudflare Tunnels, and supports various execution capabilities. It uses PowerShell for system profiling and discovery, establishes persistence through registry modifications, and leverages RDP for lateral movement. The campaign appears to be opportunistic, targeting multiple industries.