Toggle light / dark theme

New PHP-Based Interlock RAT Variant Uses FileFix Delivery Mechanism to Target Multiple Industries

Threat actors behind the Interlock ransomware group have unleashed a new PHP variant of its bespoke remote access trojan (RAT) as part of a widespread campaign using a variant of ClickFix called FileFix.

“Since May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters,” The DFIR Report said in a technical analysis published today in collaboration with Proofpoint.

“The campaign begins with compromised websites injected with a single-line script hidden in the page’s HTML, often unbeknownst to site owners or visitors.”

Google Gemini flaw hijacks email summaries for phishing

Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links.

Such an attack leverages indirect prompt injections that are hidden inside an email and obeyed by Gemini when generating the message summary.

Despite similar prompt attacks being reported since 2024 and safeguards being implemented to block misleading responses, the technique remains successful.

Interlock ransomware adopts FileFix method to deliver malware

Hackers have adopted the new technique called ‘FileFix’ in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems.

Interlock ransomware operations have increased over the past months as the threat actor started using the KongTuke web injector (aka ‘LandUpdate808’) to deliver payloads through compromised websites.

This shift in modus operandi was observed by researchers at The DFIR Report and Proofpoint since May. Back then, visitors of compromised sites were prompted to pass a fake CAPTCHA + verification, and then paste into a Run dialog content automatically saved to the clipboard, a tactic consistent with ClickFix attacks.

Gigabyte motherboards vulnerable to UEFI malware bypassing Secure Boot

Dozens of Gigabyte motherboard models run on UEFI firmware vulnerable to security issues that allow planting bootkit malware that is invisible to the operating system and can survive reinstalls.

The vulnerabilities could allow attackers with local or remote admin permissions to execute arbitrary code in System Management Mode (SMM), an environment isolated from the operating system (OS) and with more privileges on the machine.

Mechanisms running code below the OS have low-level hardware access and initiate at boot time. Because of this, malware in these environments can bypass traditional security defenses on the system.

PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution

Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy’s BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors.

The vulnerabilities, dubbed PerfektBlue, can be fashioned together as an exploit chain to run arbitrary code on cars from at least three major automakers, Mercedes-Benz, Volkswagen, and Skoda, according to PCA Cyber Security (formerly PCAutomotive). Outside of these three, a fourth unnamed original equipment manufacturer (OEM) has been confirmed to be affected as well.

“PerfektBlue exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy BlueSDK Bluetooth stack that can be chained together to obtain Remote Code Execution (RCE),” the cybersecurity company said.

Fake Gaming and AI Firms Push Malware on Cryptocurrency Users via Telegram and Discord

The attack chains begin when one of these adversary-controlled accounts messages a victim through X, Telegram, or Discord, urging them to test out their software in exchange for a cryptocurrency payment.

Should the target agree to the test, they are redirected to a fictitious website from where they are promoted to enter a registration code provided by the employee to download either a Windows Electron application or an Apple disk image (DMG) file, depending on the operating system used.

On Windows systems, opening the malicious application displays a Cloudflare verification screen to the victim while it covertly profiles the machine and proceeds to download and execute an MSI installer. Although the exact nature of the payload is unclear, it’s believed that an information stealer is run at this stage.