A sophisticated malware campaign leveraging the KongTuke threat cluster has emerged, targeting Windows users through a novel FileFix technique that deploys an advanced PHP-based variant of the Interlock remote access trojan (RAT). The threat actors have transitioned from their previously documented JavaScript-based Interlock RAT, nicknamed NodeSnake, to a more robust PHP-based implementation that enhances both functionality and evasion capabilities.

Since May 2025, cybersecurity researchers have observed widespread activity related to the Interlock RAT in connection with the LandUpdate808 web-inject threat clusters, also known as KongTuke. The campaign uses compromised websites as its initial attack vector, injecting single-line scripts into HTML pages that remain largely undetected by site owners and visitors alike. Its opportunistic targeting affects organizations across multiple industries, with the threat actors employing sophisticated social engineering techniques to maximize infection rates.

The KongTuke FileFix attack chain begins with compromised websites serving malicious JavaScript that employs heavy IP filtering to selectively target specific victims. Upon accessing an infected site, users encounter a seemingly legitimate captcha verification prompt asking them to “Verify you are human,” followed by detailed verification steps that instruct victims to open the Windows Run dialog and paste clipboard content. This social engineering approach effectively bypasses traditional security awareness training, as users perceive the captcha as a standard web security measure.

Upon successful execution, the RAT immediately performs comprehensive system reconnaissance, collecting system specifications, running processes, Windows services, mounted drives, and network neighborhood data through ARP table queries. This intelligence gathering enables the threat actors to quickly assess compromise scope and privilege level, determining whether they hold USER, ADMIN, or SYSTEM access rights for subsequent attack phases.

The malware establishes robust command and control communications through trycloudflare.com URLs, deliberately abusing legitimate Cloudflare Tunnel services to mask true server locations while maintaining hardcoded fallback IP addresses for operational resilience.
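As an added defender-side example (not code from the article or from the researchers it cites), the following Python script runs three detection rules over constructed, Sysmon-style process-creation and DNS-query events that mirror the behaviours described above: a PHP interpreter launched directly from explorer.exe (the Run dialog step of the FileFix lure), reconnaissance commands such as `arp -a` spawned by that interpreter, and DNS lookups for a trycloudflare.com tunnel from a script interpreter rather than a browser. The field names follow Sysmon conventions, but the records, hostnames and paths are made up for this example.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (EventID 1 = process
# creation, EventID 22 = DNS query); field names follow Sysmon, the records are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Users\alice\AppData\Local\Temp\php\php.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "php.exe cfg.php"},
    {"EventID": 1, "Host": "ws01", "Image": r"C:\Windows\System32\ARP.EXE",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\php\php.exe", "CommandLine": "arp -a"},
    {"EventID": 22, "Host": "ws01", "Image": r"C:\Users\alice\AppData\Local\Temp\php\php.exe",
     "QueryName": "random-words-here.trycloudflare.com"},
    {"EventID": 1, "Host": "ws02", "Image": r"C:\xampp\php\php.exe",
     "ParentImage": r"C:\xampp\xampp-control.exe", "CommandLine": "php.exe artisan serve"},
    {"EventID": 22, "Host": "ws02", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com"},
]

PHP_IMAGE = re.compile(r"(^|\\)php(-cgi|-win)?\.exe$", re.IGNORECASE)
SHELL_PARENT = re.compile(r"\\explorer\.exe$", re.IGNORECASE)
RECON_CMD = re.compile(r"^(arp|systeminfo|tasklist|sc|wmic|net)(\.exe)?\b", re.IGNORECASE)
TUNNEL_DOMAIN = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)


def detect(events):
    """Return (host, rule, detail) triples for events matching the FileFix/Interlock pattern."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        if ev.get("EventID") == 1:
            # Rule 1: a PHP interpreter spawned directly by explorer.exe is consistent with a
            # user pasting a command into the Run dialog, as the FileFix lure instructs.
            if PHP_IMAGE.search(image) and SHELL_PARENT.search(parent):
                hits.append((ev["Host"], "php_spawned_by_explorer", image))
            # Rule 2: host/network reconnaissance (ARP table, process list, services)
            # launched by a PHP interpreter rather than by an administrator's shell.
            if PHP_IMAGE.search(parent) and RECON_CMD.match(ev.get("CommandLine", "")):
                hits.append((ev["Host"], "recon_from_php", ev["CommandLine"]))
        elif ev.get("EventID") == 22:
            # Rule 3: DNS lookups for a trycloudflare.com quick tunnel issued by a script
            # interpreter; browsers reach such hosts legitimately, so they are not flagged.
            if TUNNEL_DOMAIN.search(ev.get("QueryName", "")) and PHP_IMAGE.search(image):
                hits.append((ev["Host"], "trycloudflare_dns_from_php", ev["QueryName"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

On the sample data the three rules fire only for ws01; the legitimate XAMPP-hosted PHP and the browser DNS lookup on ws02 produce no alert.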
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 14 Jul 2025 13:35:08 +0000