New Interlock Campaign Leverages KongTuke FileFix to Hijack Windows Systems

Threat Group: Interlock (formerly NodeSnake)
Threat Type: Remote Access Trojan (RAT) via Social Engineering and File Explorer Execution
Exploited Vulnerabilities: Clipboard hijacking, execution via Windows File Explorer, Cloudflare tunnel abuse, Mark of the Web (MOTW) bypass
Malware Used: Interlock RAT (PHP and optional Node.js variant)
Threat Score: 🟠 Elevated (6.1/10) – Multi-stage delivery, persistent, stealthy via legitimate cloud tunnels
Last Threat Observation: 16 July 2025


Overview

The KongTuke FileFix campaign represents a significant evolution in cyberattack methodologies. Initially observed in July 2025, it employs a social engineering tactic that abuses Windows File Explorer to deliver Interlock RAT payloads. Rather than relying on traditional initial access vectors such as malicious email attachments, attackers trick users into pasting clipboard content into File Explorer's address bar, which executes a malicious PowerShell command.

The campaign utilizes the KongTuke Traffic Distribution System (TDS), also known as LandUpdate808, to redirect users to fake CAPTCHA or file-sharing pages. These pages encourage users to copy and paste disguised command strings into File Explorer. These strings execute payloads via PowerShell, deploying either PHP-based or Node.js-based variants of the Interlock RAT.

Key evasion techniques include the bypass of the Mark of the Web (MOTW) security feature, allowing payloads to evade standard security warnings. Additionally, C2 infrastructure leverages Cloudflare Tunnels for traffic obfuscation and hardcoded fallback IPs for redundancy. Interlock RAT's advanced capabilities, including persistence, lateral movement, and data exfiltration, elevate its threat profile.


Key Details

Delivery Method:

  • Redirects from legitimate but compromised websites using KongTuke (LandUpdate808) TDS
  • Deceptive social engineering via fake CAPTCHA/file-sharing pages
  • Clipboard command disguised as a file path, executed in File Explorer
  • PowerShell launches and executes PHP or Node.js RATs

Target:

  • Enterprise Windows environments
  • Critical sectors: Healthcare, Education, Defense Industrial Base (DIB)

Functions:

  • Reconnaissance (systeminfo, net view, Active Directory queries)
  • Execution of shell commands
  • Remote access via C2
  • Data exfiltration
  • Persistence through registry and shortcut files

Obfuscation:

  • Cloudflare Tunnel-based C2 (trycloudflare[.]com)
  • MOTW bypass via File Explorer execution
  • Command strings designed to resemble file paths
  • Multi-language payload delivery (PHP, Node.js, PowerShell)

Attack Vectors

  1. Users redirected from compromised sites to fake interfaces.
  2. Social engineering prompts clipboard copy of disguised commands.
  3. File Explorer execution bypasses MOTW protections.
  4. PowerShell downloads Interlock RAT payloads.
  5. C2 channels established via trycloudflare[.]com and IP failover.
  6. Persistence and lateral movement initiated post-compromise.

Indicators of Compromise (IoCs)

FileHash-SHA256

  • 28a9982cf2b4fc53a1545b6ed0d0c1788ca9369a847750f5652ffa0ca7f7b7d3
  • 8afd6c0636c5d70ac0622396268786190a428635e9cf28ab23add939377727b0

IP Addresses (Defanged)

  • 184[.]95[.]51[.]165
  • 64[.]95[.]12[.]71

URLs (Defanged)

  • hxxp://deadly-programming-attorneys-our[.]trycloudflare[.]com

Mitigation and Prevention

User Awareness:

  • Train users to avoid pasting clipboard content into system interfaces
  • Reinforce skepticism toward unexpected browser prompts

Email and Web Filtering:

  • Block known KongTuke and Interlock domains
  • Monitor traffic to trycloudflare subdomains for anomalies

Antivirus Protection:

  • Restrict execution of php.exe, powershell.exe, cmd.exe from non-standard paths

Two-Factor Authentication (2FA):

  • Enforce 2FA, especially for privileged and remote access accounts

Monitor Logs:

  • Track process tree anomalies (e.g., browser spawning PowerShell)
  • Monitor registry changes to Run keys and startup folders
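The log-monitoring guidance above can be turned into simple detection logic. The following is an added example (not code from the advisory or from any vendor) that scans constructed, Sysmon-style process, network and registry events for the behaviours this campaign exhibits: File Explorer or a browser spawning an interpreter, an interpreter running from a non-standard path, egress to a trycloudflare.com subdomain, and a Run-key write. Event field names, sample paths and hostnames are assumptions.

```python
import re

# Constructed sample telemetry (not from the advisory), loosely modelled on
# Sysmon-style process-creation, network-connection and registry events.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Roaming\php\php.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "dest_host": "sample-words-placeholder.trycloudflare.com"},  # constructed
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.com"},
    {"type": "registry", "image": r"C:\Users\alice\AppData\Roaming\php\php.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

# Parents that should not normally launch script interpreters (File Explorer,
# browsers), and the interpreters the campaign is reported to use.
LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "php.exe", "node.exe"}
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TUNNEL_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the list of alert tags for one event (empty list = nothing suspicious)."""
    tags = []
    image = basename(ev["image"])
    if ev["type"] == "process":
        if basename(ev["parent"]) in LAUNCHERS and image in INTERPRETERS:
            tags.append("explorer-or-browser-spawned-interpreter")
        if image in INTERPRETERS and not ev["image"].lower().startswith(STANDARD_DIRS):
            tags.append("interpreter-from-nonstandard-path")
    elif ev["type"] == "network" and TUNNEL_RE.search(ev["dest_host"]):
        tags.append("cloudflare-tunnel-egress")
    elif ev["type"] == "registry" and RUN_KEY_RE.search(ev["key"]):
        tags.append("run-key-persistence")
    return tags

def scan(events):
    """Yield (event index, tag) pairs for every event that trips a rule."""
    return [(i, t) for i, ev in enumerate(events) for t in classify(ev)]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

In production the interpreter-from-non-standard-path rule needs tuning for legitimate per-user installs, and the tunnel rule is best correlated with the process that made the connection rather than alerted on alone.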

Regular Updates:

  • Maintain up-to-date OS, browser, and endpoint tools

Risk Assessment

Likelihood: Moderate–High – Broad exposure via trusted sites and TDS infrastructure
Impact: High – Remote control, data theft, and ransomware potential
Risk Rating: 🟠 Elevated (6.1/10)


Conclusion

KongTuke FileFix and the Interlock RAT exemplify modern stealth threats. They combine abused trusted interfaces, dynamic infrastructure, and multi-stage payloads to evade detection and gain persistent access. Organizations should move beyond traditional defenses and adopt behaviour-based EDR, advanced threat hunting, and user education to address these threats. Targeted sectors should elevate monitoring and response protocols, considering the operational and national implications of compromise.

