đš A fake CAPTCHA is all it takes.
Interlock ransomware is backânow pushing a stealthy PHP RAT via âFileFix,â a spin on ClickFix that hijacks File Ex.
Threat actors behind the Interlock ransomware group have unleashed a new PHP variant of its bespoke remote access trojan (RAT) as part of a widespread campaign using a variant of ClickFix called FileFix.
âSince May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters,â The DFIR Report said in a technical analysis published today in collaboration with Proofpoint.
âThe campaign begins with compromised websites injected with a single-line script hidden in the pageâs HTML, often unbeknownst to site owners or visitors.â
Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links.
Such an attack leverages indirect prompt injections that are hidden inside an email and obeyed by Gemini when generating the message summary.
Despite similar prompt attacks being reported since 2024 and safeguards being implemented to block misleading responses, the technique remains successful.
Hackers have adopted the new technique called âFileFixâ in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems.
Interlock ransomware operations have increased over the past months as the threat actor started using the KongTuke web injector (aka âLandUpdate808â) to deliver payloads through compromised websites.
This shift in modus operandi was observed by researchers at The DFIR Report and Proofpoint since May. Back then, visitors of compromised sites were prompted to pass a fake CAPTCHA + verification, and then paste into a Run dialog content automatically saved to the clipboard, a tactic consistent with ClickFix attacks.
Dozens of Gigabyte motherboard models run on UEFI firmware vulnerable to security issues that allow planting bootkit malware that is invisible to the operating system and can survive reinstalls.
The vulnerabilities could allow attackers with local or remote admin permissions to execute arbitrary code in System Management Mode (SMM), an environment isolated from the operating system (OS) and with more privileges on the machine.
Mechanisms running code below the OS have low-level hardware access and initiate at boot time. Because of this, malware in these environments can bypass traditional security defenses on the system.
Cybersecurity researchers have discovered a set of four security flaws in OpenSynergyâs BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors.
The vulnerabilities, dubbed PerfektBlue, can be fashioned together as an exploit chain to run arbitrary code on cars from at least three major automakers, Mercedes-Benz, Volkswagen, and Skoda, according to PCA Cyber Security (formerly PCAutomotive). Outside of these three, a fourth unnamed original equipment manufacturer (OEM) has been confirmed to be affected as well.
âPerfektBlue exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy BlueSDK Bluetooth stack that can be chained together to obtain Remote Code Execution (RCE),â the cybersecurity company said.
The attack chains begin when one of these adversary-controlled accounts messages a victim through X, Telegram, or Discord, urging them to test out their software in exchange for a cryptocurrency payment.
Should the target agree to the test, they are redirected to a fictitious website from where they are promoted to enter a registration code provided by the employee to download either a Windows Electron application or an Apple disk image (DMG) file, depending on the operating system used.
On Windows systems, opening the malicious application displays a Cloudflare verification screen to the victim while it covertly profiles the machine and proceeds to download and execute an MSI installer. Although the exact nature of the payload is unclear, itâs believed that an information stealer is run at this stage.