KongTuke FileFix Leads to New Interlock RAT Variant
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A new and resilient variant of the Interlock ransomware group's remote access trojan (RAT) has been identified. This PHP-based malware, a shift from the previous JavaScript-based NodeSnake, is being used in a widespread campaign associated with the LandUpdate808 (KongTuke) web-inject threat clusters. The campaign begins with compromised websites injected with a hidden script, employing IP filtering to serve the payload. The malware performs automated reconnaissance, establishes command and control through Cloudflare Tunnels, and has various execution capabilities. It uses PowerShell for system profiling and discovery, creates persistence through registry modifications, and leverages RDP for lateral movement. The campaign appears to be opportunistic, targeting multiple industries.
OPENCTI LABELS:
reconnaissance,kongtuke,interlock rat,cloudflare tunnel,filefix,web-inject,nodesnake