Researchers from The DFIR Report, in collaboration with Proofpoint, have uncovered a stealthy and resilient variant of the Interlock ransomware group’s infamous remote access trojan (RAT), this time coded in PHP.
The latest discovery reveals an active and widespread campaign leveraging compromised websites and cleverly obfuscated scripts to deploy the new Interlock RAT variant. “This new malware, a shift from the previously identified JavaScript-based Interlock RAT (aka NodeSnake), uses PHP and is being used in a widespread campaign,” noted the DFIR researchers.
Since May 2025, activity involving Interlock RAT has intensified, particularly within the LandUpdate808 (aka KongTuke) web-inject clusters. The infection chain begins with a simple yet deceptive script embedded into a compromised website. Users are tricked into engaging with a fake CAPTCHA — a technique that culminates in executing a PowerShell command copied from the clipboard.

This initiates a sophisticated process where PowerShell spawns the PHP interpreter, loaded with suspicious arguments. “The PHP executable located in the user’s AppData\Roaming directory is invoked with directives to enable the ZIP extension, and a config (.cfg) file is passed as input,” the report states.
Once inside, Interlock RAT wastes no time. It immediately begins recon on the compromised host using a battery of PowerShell commands to extract and exfiltrate data — system info, running processes, services, network neighbors, user privileges, and mounted drives — all serialized as JSON objects. As DFIR analysts explain, “The malware also checks its own privilege level to determine if it is running as USER, ADMIN, or SYSTEM, allowing the threat actor to instantly understand the context of the compromise.”
The campaign shows evidence of “hands-on keyboard” activity, indicating real-time attacker interaction. The malware queries Active Directory, searches for user and computer accounts with certain keywords like “VEEAM” or “BACK,” and executes commands like net user %%USERNAME%% /domain and whoami to identify users and lateral movement opportunities.
Interlock RAT establishes a persistent and flexible Command and Control (C2) channel using trycloudflare.com URLs, thereby leveraging Cloudflare’s tunnel service to mask its true infrastructure. Even if these tunnels are blocked, the RAT comes prepared with hardcoded IP fallback addresses. The command structure is modular and dynamic, with capabilities to execute EXE, DLL, CMD, and persistence routines.
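The process-creation pattern described above (PowerShell spawning php.exe out of AppData\Roaming with a ZIP-extension directive and a .cfg argument) can be turned into a triage check over endpoint telemetry. The following is an added example written for this article, not code from The DFIR Report or Proofpoint; the Sysmon-style events, user names and paths are constructed, and the `-d extension=zip` form is the standard PHP CLI way of enabling an extension, assumed here as the concrete shape of the "directives" the report mentions.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 style records (not taken from the report).
SAMPLE_EVENTS = [
    {   # matches every indicator: the Interlock PHP RAT launch pattern
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Roaming\php\php.exe" -d extension=zip '
                       r"C:\Users\alice\AppData\Roaming\php\config.cfg",
    },
    {   # benign developer usage: system-wide PHP started from cmd.exe
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Program Files\php\php.exe",
        "CommandLine": r'"C:\Program Files\php\php.exe" artisan serve',
    },
    {   # partial match: PHP in a roaming profile, but no PowerShell parent or .cfg
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\bob\AppData\Roaming\tools\php.exe",
        "CommandLine": r'"C:\Users\bob\AppData\Roaming\tools\php.exe" -v',
    },
]

def interlock_php_indicators(event):
    """Return the names of the launch-pattern indicators this event matches."""
    image = PureWindowsPath(event.get("Image", ""))
    parent = PureWindowsPath(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    is_php = image.name.lower() == "php.exe"
    hits = []
    if is_php and "appdata\\roaming" in str(image).lower():
        hits.append("php_in_appdata_roaming")
    if is_php and parent.name.lower() in ("powershell.exe", "pwsh.exe"):
        hits.append("powershell_parent")
    if re.search(r"-d\s*extension\s*=\s*(php_)?zip", cmd, re.IGNORECASE):
        hits.append("zip_extension_directive")
    if re.search(r"\S+\.cfg\b", cmd, re.IGNORECASE):
        hits.append("cfg_file_argument")
    return hits

def triage(events, threshold=3):
    """Return (event index, matched indicators) for events at or above the threshold.

    Events below the threshold are hunting leads, not alerts; tune the
    threshold against your own baseline of legitimate PHP CLI usage."""
    return [(i, h) for i, e in enumerate(events)
            if len(h := interlock_php_indicators(e)) >= threshold]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```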
For persistence, the malware registers a Windows startup entry:
Lateral movement within victim networks is achieved using RDP, a clear sign of post-exploitation proficiency.
According to The DFIR Report, the campaign is opportunistic, targeting victims across various sectors rather than focusing on a particular industry. This broad targeting, combined with evasive techniques and resilient infrastructure, signals a dangerous evolution in the Interlock group’s capabilities.
“This discovery highlights the continued evolution of the Interlock group’s tooling and their operational sophistication,” the report concludes. “While the Node.js variant of Interlock RAT was known for its use of Node.js, this variant leverages PHP, a common web scripting language, to gain and maintain access to victim networks.”