Home > Security > Security News

Novel Interlock RAT Variant Uncovered in KongTuke FileFix Campaign Relying on Fake CAPTCHAs

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Captcha RAT

A new, highly resilient variant of the Interlock Remote Access Trojan (RAT) has surfaced, reportedly linked to the KongTuke FileFix campaign, which utilizes a delivery mechanism that includes PHP-based malware and advanced persistence techniques.

The Interlock RAT variant diverges from earlier iterations by transitioning from JavaScript-based payloads to leveraging PHP scripts, according to the latest security analysis from The DFIR Report. Delivered via compromised websites, the malware begins its attack with a malicious JavaScript web injection. 

Unsuspecting users visiting infected websites encounter a fake CAPTCHA verification followed by deceptive instructions to paste content into a command prompt. These steps execute a PowerShell script that initiates the infection chain.

Fake CAPTCHA verifications on infected websites contain malicious instructions
Fake CAPTCHA verifications on infected websites contain malicious instructions | Source: The DFIR Report

Researchers observed the updated delivery method introducing a FileFix variant, which deploys the PHP-based Interlock RAT payload. 

The malicious PowerShell script downloads and launches a PHP executable located in the user’s AppData/Roaming directory, paired with a configuration file designed to activate the RAT’s operational functionality.  

Upon execution, the Interlock RAT performs comprehensive system reconnaissance. PowerShell commands are used to collect vital system data, including processes, services, mounted drives, and local network details.  

The KongTuke FileFix campaign utilizes Cloudflare’s trycloudflare.com URLs to establish secure connectivity between the compromised system and the C2 infrastructure, effectively masking the true location of its servers. The RAT also includes fallback IP addresses to ensure resilient communication in the event of disruptions.  

Add a Comment
Related
Google’s Gemini AI Model for Workspace Exposes Users to Advanced Phishing Attacks
North Country HealthCare Breach Allegedly Impacts 600K Patients, Stormous Ransomware Claims Attack
Deportation Fuels Doxing: ICE Agents' and Families' Data Leaked Amidst Widespread Protests
macOS.ZuRu Malware Resurges via Modified Khepri C2 and Trojanized Termius App
Russian Basketball Star Daniil Kasatkin Arrested Amid Ransomware Negotiation Allegations
Four Scattered Spider Members Charged by UK Authorities in Ransomware Case
Most Popular
Google’s Gemini AI Model for Workspace Exposes Users to Advanced Phishing Attacks
North Country HealthCare Breach Allegedly Impacts 600K Patients, Stormous Ransomware Claims Attack
Deportation Fuels Doxing: ICE Agents' and Families' Data Leaked Amidst Widespread Protests
macOS.ZuRu Malware Resurges via Modified Khepri C2 and Trojanized Termius App
Pirate logo (skull and crossbones)
FBI Seizes NSW2U and Affiliate Nintendo Switch Piracy Websites
Russian Basketball Star Daniil Kasatkin Arrested Amid Ransomware Negotiation Allegations
Google’s Gemini AI Model for Workspace Exposes Users to Advanced Phishing Attacks
North Country HealthCare Breach Allegedly Impacts 600K Patients, Stormous Ransomware Claims Attack
Deportation Fuels Doxing: ICE Agents' and Families' Data Leaked Amidst Widespread Protests
macOS.ZuRu Malware Resurges via Modified Khepri C2 and Trojanized Termius App
FBI Seizes NSW2U and Affiliate Nintendo Switch Piracy Websites
Russian Basketball Star Daniil Kasatkin Arrested Amid Ransomware Negotiation Allegations

Most Popular
Google’s Gemini AI Model for Workspace Exposes Users to Advanced Phishing Attacks
North Country HealthCare Breach Allegedly Impacts 600K Patients, Stormous Ransomware Claims Attack
Deportation Fuels Doxing: ICE Agents' and Families' Data Leaked Amidst Widespread Protests
macOS.ZuRu Malware Resurges via Modified Khepri C2 and Trojanized Termius App
Pirate logo (skull and crossbones)
FBI Seizes NSW2U and Affiliate Nintendo Switch Piracy Websites
Russian Basketball Star Daniil Kasatkin Arrested Amid Ransomware Negotiation Allegations
Google’s Gemini AI Model for Workspace Exposes Users to Advanced Phishing Attacks
North Country HealthCare Breach Allegedly Impacts 600K Patients, Stormous Ransomware Claims Attack
Deportation Fuels Doxing: ICE Agents' and Families' Data Leaked Amidst Widespread Protests
macOS.ZuRu Malware Resurges via Modified Khepri C2 and Trojanized Termius App
FBI Seizes NSW2U and Affiliate Nintendo Switch Piracy Websites
Russian Basketball Star Daniil Kasatkin Arrested Amid Ransomware Negotiation Allegations

TechNadu keeps you informed with the latest in cybersecurity, VPNs, streaming, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: