Severity
Medium
Analysis Summary
A sophisticated malware campaign attributed to the KongTuke threat cluster has been identified targeting Windows users through a newly introduced FileFix technique. This campaign marks a significant shift in the deployment of the Interlock remote access trojan (RAT), transitioning from earlier JavaScript-based variants like NodeSnake to a more advanced PHP-based version. Active since May 2025, the malware demonstrates an increased level of sophistication, operational security, and evasion capabilities, signifying the threat actor’s ongoing investment in resilient tooling. The activity has been closely tracked by analysts at The DFIR Report and Proofpoint, who confirmed its widespread use in connection with the LandUpdate808/KongTuke clusters.
According to the researchers, the infection chain begins with the compromise of legitimate websites, where the threat actors inject a single line of JavaScript into HTML pages. These scripts apply IP-based filtering so that the malicious content is served only to selected victims, which reduces exposure to analysts and scanners. Once a targeted user lands on an infected page, they are shown a fake CAPTCHA verification prompt that appears authentic. The user is then tricked into running a Windows command that the page has placed on the clipboard; that command executes a PowerShell command designed to launch the Interlock RAT. This social engineering approach is highly deceptive and readily bypasses traditional user awareness training because of the convincing nature of the prompt.
The PowerShell script triggers a PHP-based RAT payload using unusual process arguments and configurations, including ZIP extension directives. The malware stores and runs from non-standard locations within the victim’s AppData directory, leveraging the PHP executable with an altered configuration file. The command used resembles: "C:\Users\[REDACTED]\AppData\Roaming\php\php.exe" -d extension=zip -c config.cfg. Once deployed, the RAT immediately begins detailed system reconnaissance, harvesting information such as system specs, running processes, services, mounted drives, and ARP table data to assess its environment and privilege level: USER, ADMIN, or SYSTEM.
To maintain persistence and evade detection, the malware establishes command and control (C2) communication via Cloudflare Tunnel links (e.g., trycloudflare.com URLs), which obscure the actual server locations. Additionally, hardcoded fallback IP addresses are embedded within the malware to ensure operational continuity in case the Cloudflare tunnels fail. This layered infrastructure demonstrates a highly strategic approach to persistence and evasion, confirming KongTuke’s advanced capabilities and the growing threat posed by this evolving malware campaign.
Impact
- Sensitive Information Theft
- Gain Access
- Security Bypass
Indicators of Compromise
IP
64.95.12.71
184.95.51.165
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement application whitelisting to block unauthorized execution of PHP and PowerShell scripts, especially from AppData directories.
- Monitor outbound traffic for connections to trycloudflare.com and unidentified IP addresses to detect potential C2 activity.
- Deploy EDR/XDR solutions capable of identifying abnormal PowerShell behavior and detecting fileless malware techniques.
- Restrict PowerShell usage by enforcing execution policies that allow only signed and approved scripts.
- Regularly inspect user AppData directories for suspicious files such as rogue PHP executables or unexpected config files like config.cfg.
- Use threat intelligence and URL filtering to block access to compromised or known malicious websites.
- Conduct updated user awareness training to recognize deceptive tactics like fake captchas and clipboard-based social engineering.
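The following triage script, added here as an illustration and not part of the advisory or any vendor tooling, shows how the tradecraft described above (php.exe launched from AppData with the -d extension=zip and -c config.cfg arguments, outbound connections to trycloudflare.com or the listed IOC IPs) can be matched against process-creation and network log lines. The log format and every sample line are constructed for the example; the two IP addresses come from the advisory, while the trycloudflare.com hostname is a made-up placeholder.

```python
"""Triage helper for the Interlock RAT / KongTuke FileFix tradecraft.

Added example, not the advisory's own tooling. Scans simple constructed
'type=proc ... cmdline=...' and 'type=net ... dest=...' lines and reports
which documented traits each line matches.
"""
import re

# IOC IPs from the advisory's Indicators of Compromise section, plus the
# Cloudflare Tunnel domain the advisory says the C2 links use.
IOC_IPS = {"64.95.12.71", "184.95.51.165"}
TUNNEL_DOMAIN_SUFFIX = ".trycloudflare.com"

# Command-line traits described in the advisory: php.exe running from a
# user's AppData directory, the ZIP extension directive, and a custom
# config.cfg passed with -c.
PHP_APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\.*php\.exe", re.IGNORECASE)
ZIP_EXT_RE = re.compile(r"-d\s+extension=zip", re.IGNORECASE)
CFG_RE = re.compile(r"-c\s+\S*config\.cfg", re.IGNORECASE)


def check_process(cmdline: str) -> list:
    """Return the documented traits found in a process command line."""
    reasons = []
    if PHP_APPDATA_RE.search(cmdline):
        reasons.append("php.exe executed from AppData")
    if ZIP_EXT_RE.search(cmdline):
        reasons.append("-d extension=zip directive")
    if CFG_RE.search(cmdline):
        reasons.append("custom config.cfg passed with -c")
    return reasons


def check_network(dest: str) -> list:
    """Return the documented traits found in a destination host or IP."""
    host = dest.strip().lower()
    reasons = []
    if host in IOC_IPS:
        reasons.append(f"connection to IOC IP {host}")
    if host.endswith(TUNNEL_DOMAIN_SUFFIX):
        reasons.append("connection to trycloudflare.com tunnel")
    return reasons


def triage(lines) -> list:
    """Scan constructed log lines; return (line_no, reasons) for each hit."""
    findings = []
    for n, raw in enumerate(lines, 1):
        if raw.startswith("type=proc ") and "cmdline=" in raw:
            reasons = check_process(raw.split("cmdline=", 1)[1])
        elif raw.startswith("type=net ") and "dest=" in raw:
            reasons = check_network(raw.split("dest=", 1)[1].split()[0])
        else:
            continue  # unknown or malformed record type, ignored
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed sample records (hostnames, user name and tunnel label are
# made up; the IP on line 4 is one of the advisory's IOCs).
SAMPLE_LOG = [
    'type=proc host=WS01 cmdline="C:\\Users\\alice\\AppData\\Roaming\\php\\php.exe" -d extension=zip -c config.cfg',
    'type=proc host=WS01 cmdline="C:\\Program Files\\PHP\\php.exe" -v',
    "type=net host=WS01 dest=quiet-lamp-example.trycloudflare.com port=443",
    "type=net host=WS01 dest=64.95.12.71 port=443",
    "type=net host=WS02 dest=www.example.com port=443",
]

if __name__ == "__main__":
    for line_no, reasons in triage(SAMPLE_LOG):
        print(f"line {line_no}: " + "; ".join(reasons))
```

A legitimate php.exe under Program Files with no suspicious arguments produces no finding, while the AppData launch matches all three command-line traits; in practice the process checks would be fed from Sysmon Event ID 1 or EDR process telemetry and the network checks from proxy or DNS logs, and a hit on all three command-line traits warrants immediate host isolation and IOC sweeps across the estate.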