KongTuke FileFix Leads to New Interlock RAT Variant
ID: 1f90300c-d6b7-5cff-a74b-a6e5e4123a84
STIX ID: report--1f90300c-d6b7-5cff-a74b-a6e5e4123a84
Feed Name: The DFIR Report
Researchers report a new PHP-based variant of the Interlock RAT used by the Interlock ransomware group in a widespread web-inject campaign (KongTuke/LandUpdate808) since May–June 2025; the malware is delivered via single-line injected scripts that prompt victims into executing PowerShell chains, establishes resilient C2 using trycloudflare.com tunnels and fallback IPs, performs extensive system reconnaissance and discovery, achieves persistence via Run keys, and facilitates lateral movement (RDP), with IOCs including domains, IPs, and config file hashes provided.
