KongTuke FileFix Leads to New Interlock RAT Variant
July 15, 2025, 9:46 a.m.
Description
A new and more resilient variant of the Interlock ransomware group's remote access trojan (RAT) has been identified. The malware is PHP-based, a shift from the group's earlier JavaScript-based NodeSnake RAT, and is being used in a widespread campaign tied to the LandUpdate808 (KongTuke) web-inject threat clusters. The infection chain begins with compromised websites that have been injected with a hidden script; the script applies IP filtering so that only selected visitors are served the payload. Once running, the RAT performs automated reconnaissance, establishes command and control over Cloudflare Tunnels (the trycloudflare.com hostnames listed under Indicators), and exposes several command-execution capabilities. It uses PowerShell for system profiling and discovery, establishes persistence through registry modifications, and leverages RDP for lateral movement. The campaign appears opportunistic, with victims across multiple industries.
Tags
Date
- Created: July 15, 2025, 8:57 a.m.
- Published: July 15, 2025, 8:57 a.m.
- Modified: July 15, 2025, 9:46 a.m.
Indicators
- 8afd6c0636c5d70ac0622396268786190a428635e9cf28ab23add939377727b0
- 28a9982cf2b4fc53a1545b6ed0d0c1788ca9369a847750f5652ffa0ca7f7b7d3
- 64.95.12.71
- 184.95.51.165
- http://deadly-programming-attorneys-our.trycloudflare.com
- ranked-accordingly-ab-hired.trycloudflare.com
- nowhere-locked-manor-hs.trycloudflare.com
- galleries-physicians-psp-wv.trycloudflare.com
- ferrari-rolling-facilities-lounge.trycloudflare.com
- existed-bunch-balance-councils.trycloudflare.com
- evidence-deleted-procedure-bringing.trycloudflare.com
- deadly-programming-attorneys-our.trycloudflare.com
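As an added example (not part of the original report), the following Python script loads the indicators listed above, normalizes them (the URL entry is reduced to its hostname, which de-duplicates it against the bare domain), and scans constructed sample log lines for exact hash, IP and hostname matches. It also flags any other *.trycloudflare.com hostname as a weaker "tunnel" hit, since the report states that C2 runs over Cloudflare Tunnels and Cloudflare quick tunnels are issued under that suffix. The log lines, the internal 10.0.0.x addresses and the hostname quiet-unlisted-example-host.trycloudflare.com are constructed for illustration and do not come from the report.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicators copied from the report above (SHA-256 hashes, IPs, Cloudflare Tunnel hosts).
REPORT_IOCS = [
    "8afd6c0636c5d70ac0622396268786190a428635e9cf28ab23add939377727b0",
    "28a9982cf2b4fc53a1545b6ed0d0c1788ca9369a847750f5652ffa0ca7f7b7d3",
    "64.95.12.71",
    "184.95.51.165",
    "http://deadly-programming-attorneys-our.trycloudflare.com",
    "ranked-accordingly-ab-hired.trycloudflare.com",
    "nowhere-locked-manor-hs.trycloudflare.com",
    "galleries-physicians-psp-wv.trycloudflare.com",
    "ferrari-rolling-facilities-lounge.trycloudflare.com",
    "existed-bunch-balance-councils.trycloudflare.com",
    "evidence-deleted-procedure-bringing.trycloudflare.com",
    "deadly-programming-attorneys-our.trycloudflare.com",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Tokens that can carry a hash, an IP or a hostname inside a free-form log line.
TOKEN_RE = re.compile(r"[0-9a-z][0-9a-z.\-]*")
TUNNEL_SUFFIX = ".trycloudflare.com"


@dataclass
class IocSet:
    hashes: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    hosts: set = field(default_factory=set)


def normalize(raw):
    """Classify one raw indicator; a URL is reduced to its hostname."""
    value = raw.strip().lower()
    if "://" in value:
        value = urlparse(value).hostname or value
    if SHA256_RE.match(value):
        return "hash", value
    if IPV4_RE.match(value):
        return "ip", value
    return "host", value


def build_ioc_set(raw_iocs):
    """Build typed lookup sets; duplicates (URL vs bare domain) collapse here."""
    iocs = IocSet()
    buckets = {"hash": iocs.hashes, "ip": iocs.ips, "host": iocs.hosts}
    for raw in raw_iocs:
        kind, value = normalize(raw)
        buckets[kind].add(value)
    return iocs


def scan_line(line, iocs):
    """Return ordered, de-duplicated (kind, value) hits for one log line.
    'tunnel' marks any *.trycloudflare.com host not already in the IOC list:
    a broader hunt lead, not a confirmed indicator from the report."""
    hits = []
    for tok in TOKEN_RE.findall(line.lower()):
        tok = tok.rstrip(".")
        if tok in iocs.hashes:
            hit = ("hash", tok)
        elif tok in iocs.ips:
            hit = ("ip", tok)
        elif tok in iocs.hosts:
            hit = ("host", tok)
        elif tok.endswith(TUNNEL_SUFFIX):
            hit = ("tunnel", tok)
        else:
            continue
        if hit not in hits:
            hits.append(hit)
    return hits


def scan_logs(lines, iocs):
    """Map line index -> hits, omitting lines with no hits."""
    results = {}
    for i, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            results[i] = hits
    return results


# Constructed sample log lines (not from the report); hostnames/IPs other than the
# report's own indicators are made up for illustration.
SAMPLE_LOGS = [
    "2025-07-15T09:01:02Z dns client=10.0.0.12 query=ranked-accordingly-ab-hired.trycloudflare.com type=A",
    "2025-07-15T09:02:10Z proxy src=10.0.0.12 url=https://quiet-unlisted-example-host.trycloudflare.com/cmd",
    "2025-07-15T09:03:44Z edr host=WS-07 sha256=8afd6c0636c5d70ac0622396268786190a428635e9cf28ab23add939377727b0 proc=php.exe",
    "2025-07-15T09:04:00Z flow src=10.0.0.12 dst=64.95.12.71 dport=443",
    "2025-07-15T09:05:00Z proxy src=10.0.0.13 url=https://www.example.com/index.html",
]

if __name__ == "__main__":
    ioc_set = build_ioc_set(REPORT_IOCS)
    for idx, hits in scan_logs(SAMPLE_LOGS, ioc_set).items():
        print(f"line {idx}: {hits}")
```

The suffix rule will also fire on legitimate developer use of Cloudflare quick tunnels, so treat a "tunnel" hit as a lead for triage (which host, which user, what process made the connection) rather than a block decision. The hash set only covers the two samples in this report; the PHP-based RAT and the KongTuke inject script can be expected to change, so the hostname and IP matches, and process-level telemetry around PowerShell discovery, registry persistence and RDP use, are the more durable hunting angles.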