{"id":217897,"date":"2025-07-15T02:15:27","date_gmt":"2025-07-15T07:15:27","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/07\/new-php-based-interlock-rat-variant-uses-filefix-delivery-mechanism-to-target-multiple-industries"},"modified":"2025-07-15T02:15:27","modified_gmt":"2025-07-15T07:15:27","slug":"new-php-based-interlock-rat-variant-uses-filefix-delivery-mechanism-to-target-multiple-industries","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/07\/new-php-based-interlock-rat-variant-uses-filefix-delivery-mechanism-to-target-multiple-industries","title":{"rendered":"New PHP-Based Interlock RAT Variant Uses FileFix Delivery Mechanism to Target Multiple Industries"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/new-php-based-interlock-rat-variant-uses-filefix-delivery-mechanism-to-target-multiple-industries.jpg\"><\/a><\/p>\n<p>Threat actors behind the Interlock ransomware group have unleashed a new PHP variant of its bespoke remote access trojan (RAT) as part of a widespread campaign using a variant of ClickFix called FileFix.<\/p>\n<p>\u201cSince May 2025, activity related to the Interlock RAT has been observed in connection with the <a href=\"https:\/\/thehackernews.com\/2025\/06\/anubis-ransomware-encrypts-and-wipes.html\" rel=\"noopener\" target=\"_blank\">LandUpdate808<\/a> (aka KongTuke) web-inject threat clusters,\u201d The DFIR Report <a href=\"https:\/\/thedfirreport.com\/2025\/07\/14\/kongtuke-filefix-leads-to-new-interlock-rat-variant\/\" rel=\"noopener\" target=\"_blank\">said<\/a> in a technical analysis published today in collaboration with Proofpoint.<\/p>\n<p>\u201cThe campaign begins with compromised websites injected with a single-line script hidden in the page\u2019s HTML, often unbeknownst to site owners or visitors.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors behind the Interlock ransomware group have unleashed a new PHP variant of its bespoke remote access trojan (RAT) as part of a widespread campaign using a variant of ClickFix called FileFix. \u201cSince May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters,\u201d [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-217897","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/217897","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=217897"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/217897\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=217897"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=217897"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=217897"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}