KongTuke Campaign Targets Windows Users with Advanced Interlock RAT Variant

A sophisticated cyberattack campaign, identified as KongTuke, has been targeting Windows users by deploying an advanced variant of the Interlock Remote Access Trojan (RAT). This campaign employs a novel technique known as FileFix, marking a significant evolution from previous JavaScript-based implementations to a more robust PHP-based approach.

Background and Evolution of the Threat

Since May 2025, cybersecurity researchers have observed increased activity associated with the Interlock RAT, particularly in connection with the LandUpdate808 web-inject threat clusters, also referred to as KongTuke. The transition from JavaScript-based Interlock RAT, nicknamed NodeSnake, to a PHP-based implementation demonstrates the threat actors’ commitment to enhancing their malware’s functionality and evasion capabilities.

Infection Mechanism and Attack Chain

The KongTuke campaign initiates its attack through compromised websites, injecting single-line malicious scripts into HTML pages. These scripts often go unnoticed by both site owners and visitors. Upon visiting an infected site, users encounter a seemingly legitimate CAPTCHA verification prompt with instructions to “Verify you are human.” This prompt guides users through steps that ultimately lead them to open the Windows Run command dialog and paste clipboard content.

This social engineering tactic effectively bypasses traditional security awareness training, as users perceive the CAPTCHA as a standard web security measure. By following these instructions, victims inadvertently execute a PowerShell script that initiates the deployment of the Interlock RAT.

Technical Analysis of the Malware

Once executed, the PowerShell script spawns PHP processes with specific arguments, loading configuration files from non-standard locations within the user’s AppData directory. The malware utilizes the PHP executable with ZIP extension directives, as demonstrated in the following command structure:

```
C:\Users\[REDACTED]\AppData\Roaming\php\php.exe -d extension=zip -c config.cfg
```
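As an added defender-side example (not code from the original report or from any vendor tooling), the following Python snippet scores process-creation events against the indicators described above: php.exe launched from the user’s AppData\Roaming directory, the `-d extension=zip` and `-c <file>.cfg` arguments, and a PowerShell parent process. The event field names and the sample events are constructed for offline testing.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Program Files\php\php.exe",
     "cmdline": r'"C:\Program Files\php\php.exe" -S 127.0.0.1:8000',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1002, "image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\php\php.exe -d extension=zip -c config.cfg",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 1003, "image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\php\php.exe -v",
     "parent": r"C:\Windows\explorer.exe"},
]

# php.exe located anywhere under the user's AppData\Roaming tree.
APPDATA_PHP = re.compile(r"\\AppData\\Roaming\\(?:.*\\)?php\.exe$", re.IGNORECASE)
# The two command-line directives quoted in the report.
ZIP_EXT_FLAG = re.compile(r"-d\s+extension=zip\b", re.IGNORECASE)
CONFIG_FLAG = re.compile(r"-c\s+\S+\.cfg\b", re.IGNORECASE)
# The report states the PHP process is spawned by a PowerShell script.
POWERSHELL_PARENT = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.IGNORECASE)


def score_event(event):
    """Return (score, reasons) for one event; each matched indicator adds one point."""
    reasons = []
    if APPDATA_PHP.search(event["image"]):
        reasons.append("php.exe running from user AppData\\Roaming")
    if ZIP_EXT_FLAG.search(event["cmdline"]):
        reasons.append("ZIP extension loaded via -d")
    if CONFIG_FLAG.search(event["cmdline"]):
        reasons.append("custom config loaded via -c")
    if POWERSHELL_PARENT.search(event["parent"]):
        reasons.append("spawned by PowerShell")
    return len(reasons), reasons


def find_suspicious(events, threshold=3):
    """Flag events whose indicator score meets the threshold (PID, score, reasons)."""
    flagged = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            flagged.append((event["pid"], score, reasons))
    return flagged


if __name__ == "__main__":
    for pid, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"PID {pid}: score {score}: {'; '.join(reasons)}")
```

A lone php.exe under AppData (PID 1003 above) scores only one point, so the threshold keeps a developer’s portable PHP install from tripping the rule while the full KongTuke command structure does.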

Upon successful execution, the RAT conducts comprehensive system reconnaissance, collecting detailed information such as system specifications, running processes, Windows services, mounted drives, and network data through ARP table queries. This intelligence gathering enables threat actors to assess the scope of the compromise and determine the level of access rights—USER, ADMIN, or SYSTEM—for subsequent attack phases.

The malware establishes command and control communications through trycloudflare.com URLs, abusing legitimate Cloudflare Tunnel services to mask the true server locations. Additionally, it maintains hardcoded fallback IP addresses to ensure operational resilience.

Implications and Recommendations

The KongTuke campaign’s use of advanced techniques and social engineering underscores the evolving nature of cyber threats. The shift to a PHP-based Interlock RAT variant with the FileFix technique highlights the need for heightened vigilance among Windows users and organizations.

To mitigate the risk of infection:

– Exercise Caution with CAPTCHA Prompts: Be wary of CAPTCHA verifications that request unusual actions, such as copying and pasting code into system dialogs.

– Maintain Updated Security Software: Ensure that antivirus and anti-malware solutions are up to date to detect and block emerging threats.

– Regularly Update Systems: Keep operating systems and software patched to address known vulnerabilities.

– Educate Users: Provide training on recognizing and avoiding social engineering tactics employed by cybercriminals.

By implementing these measures, individuals and organizations can enhance their defenses against sophisticated malware campaigns like KongTuke.