🚨 KongTuke FileFix Leads to New Interlock RAT Variant

Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). This new malware, a shift from the previously identified JavaScript-based Interlock RAT (aka NodeSnake), uses PHP and is being used in a widespread campaign.

🧅 Attack Chain
FileFix lure ➡️ PowerShell ➡️ Obfuscated PHP RAT

🧠 Key Capabilities
🔍 Automated Discovery
‣ Enumerates processes, services, ARP tables, and user context

🛠️ Hands-On-Keyboard Activity
‣ net user, tasklist, nltest, whoami, dir, and more

⚙️ Execution & Persistence
‣ Runs EXE, DLL, and shell commands
‣ Establishes persistence via registry Run key
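As an added example that is not part of the original post or of any tooling from The DFIR Report or Proofpoint, the Python script below turns the capabilities listed above into three hunting checks over process-creation records: a burst of distinct discovery commands from one host and user, a write to a registry Run key, and a PowerShell process launching a PHP interpreter (the PowerShell ➡️ PHP RAT step of the attack chain). The pipe-separated record format, the sample lines, and the assumption that the PHP stage shows up as `php.exe` with `powershell.exe` as its parent are my constructions, not details from the report.

```python
"""Hunting checks for the FileFix -> PowerShell -> PHP RAT chain (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named in the post plus arp, which covers the ARP-table enumeration.
DISCOVERY_PATTERNS = {
    "net user": re.compile(r"^net1?(?:\.exe)?\s+user\b", re.I),
    "tasklist": re.compile(r"^tasklist(?:\.exe)?\b", re.I),
    "nltest":   re.compile(r"^nltest(?:\.exe)?\b", re.I),
    "whoami":   re.compile(r"^whoami(?:\.exe)?\b", re.I),
    "arp":      re.compile(r"^arp(?:\.exe)?\s+-a\b", re.I),
}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)
REG_WRITE = re.compile(r"^(?:reg(?:\.exe)?\s+add\b|.*\b(?:Set|New)-ItemProperty\b)", re.I)
POWERSHELL_PARENT = re.compile(r"(?:^|\\)powershell(?:\.exe)?$", re.I)

# Constructed sample records (assumed format: ts|host|user|parent_image|command_line).
# WS-1 mimics the chain from the post; WS-2 is benign admin activity hours apart.
SAMPLE_LOG = """\
2025-07-14T10:01:02|WS-1|alice|explorer.exe|powershell.exe -w hidden -c "<redacted stage>"
2025-07-14T10:01:09|WS-1|alice|powershell.exe|php.exe C:\\Users\\alice\\AppData\\Roaming\\cfg.txt
2025-07-14T10:01:30|WS-1|alice|php.exe|whoami /all
2025-07-14T10:01:31|WS-1|alice|php.exe|tasklist /svc
2025-07-14T10:01:33|WS-1|alice|php.exe|net user
2025-07-14T10:01:40|WS-1|alice|php.exe|nltest /dclist:
2025-07-14T10:02:05|WS-1|alice|php.exe|reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d "<redacted>"
2025-07-14T11:15:00|WS-2|bob|cmd.exe|whoami
2025-07-14T14:20:00|WS-2|bob|cmd.exe|tasklist
"""


def parse_log(text):
    """Split each record into a dict; maxsplit keeps pipes inside the command line intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "parent": parent, "command_line": cmd.strip()})
    return events


def classify_discovery(command_line):
    """Return the discovery label for a command line, or None if it is not one."""
    for label, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(command_line):
            return label
    return None


def image_basename(command_line):
    """First token of the command line (quoted or not) reduced to its file name."""
    m = re.match(r'^"?([^"\s]+)"?', command_line)
    return re.split(r"[\\/]", m.group(1))[-1].lower() if m else ""


def detect_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Flag a host/user that runs >= min_distinct different discovery commands inside the window."""
    by_actor = defaultdict(list)
    for ev in events:
        label = classify_discovery(ev["command_line"])
        if label:
            by_actor[(ev["host"], ev["user"])].append((ev["ts"], label))
    findings = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {lbl for ts, lbl in hits[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                findings.append({"host": host, "user": user,
                                 "first_seen": start.isoformat(), "commands": sorted(seen)})
                break  # one finding per actor is enough for triage
    return findings


def detect_run_key_persistence(events):
    """Flag registry writes (reg add / *-ItemProperty) that touch a Run or RunOnce key."""
    return [ev for ev in events
            if REG_WRITE.search(ev["command_line"]) and RUN_KEY.search(ev["command_line"])]


def detect_powershell_to_php(events):
    """Flag php.exe started by PowerShell, the stage transition the post describes (assumed image name)."""
    return [ev for ev in events
            if POWERSHELL_PARENT.search(ev["parent"]) and image_basename(ev["command_line"]) == "php.exe"]


def hunt(log_text):
    events = parse_log(log_text)
    return {"discovery_bursts": detect_discovery_bursts(events),
            "run_key_persistence": detect_run_key_persistence(events),
            "powershell_to_php": detect_powershell_to_php(events)}


if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_LOG).items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

Against the constructed sample, WS-1 trips all three checks while WS-2's two isolated admin commands trip none; the window and threshold are tunable and the record format can be swapped for whatever your EDR or Sysmon pipeline emits.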

📖 Full Report:

https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/

#DFIR #ThreatIntel #InterlockRAT #FileFix #CyberSecurity #ThreatHunting #Infosec #IncidentResponse #cyberthreatintelligence #ransomware
