
The Interlock ransomware group is distributing a Remote Access Trojan (RAT) through compromised websites, using FileFix attacks to deliver the malware.
ClickFix attacks rely on social engineering, and numerous variations of them have recently become common. Typically, victims are lured to fraudulent websites and tricked into copying and executing malicious PowerShell commands; in other words, they infect their own systems with malware by hand.
Attackers justify the commands as a fix for problems displaying content in the browser, or demand that the user solve a fake CAPTCHA.
Although ClickFix attacks most often target Windows users and convince them to run PowerShell commands, security researchers have already warned of campaigns aimed at macOS and Linux users as well.
According to ESET, the use of ClickFix as an initial access vector has increased by 517% from the second half of 2024 to the first half of 2025.
The FileFix technique, recently described by security researcher mr.d0x, is a variant of ClickFix. Instead of having the victim use a command line, it relies on the more familiar Windows File Explorer interface.
The malicious page tells the user that they have been granted shared access to a file; to locate it, they are supposedly required to copy the path and paste it into File Explorer.
“A phishing page may contain an ‘Open Explorer’ button, which, when clicked, will launch File Explorer (using file download functionality) and copy a PowerShell command to the clipboard,” explained mr.d0x.
Consequently, once the user pastes the clipboard contents into File Explorer and presses Enter, the malicious PowerShell command executes.
As early as May 2025, experts from The DFIR Report and Proofpoint warned that Interlock RAT was being distributed via KongTuke (also known as LandUpdate808), a sophisticated traffic distribution system (TDS). Infection proceeded through a multi-stage chain that included ClickFix and fake CAPTCHA challenges.
According to new information, hackers switched to using FileFix in early June and began distributing a PHP variant of the Interlock RAT. Experts from The DFIR Report indicate that in some cases, a Node.js variant of the malware is also being spread.
This is the first publicly documented instance of the FileFix technique being used in real-world attacks.

After execution, the RAT collects system information using PowerShell commands and transmits the gathered data to its operators. The malware also checks what privileges the logged-in user holds.
The RAT then establishes persistence and awaits further commands. The report notes that the attackers are clearly operating the malware by hand: checking backups, browsing local directories and inspecting domain controllers. In some cases they used RDP for lateral movement within compromised environments.
For command and control, the malware uses trycloudflare.com, abusing the legitimate Cloudflare Tunnel service to conceal its infrastructure.
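As an added defender-side example (not code from The DFIR Report or the original article), the following Python sketch scores constructed Sysmon-style telemetry for the two behaviours described above: PowerShell started with Windows Explorer as its parent, which is the process lineage a command pasted into File Explorer produces, and resolution of trycloudflare.com subdomains by a non-browser process. The event field names, paths, hostnames and the sample values are assumptions.

```python
import re

# Constructed telemetry shaped loosely after Sysmon process-creation and DNS
# events. Hosts, paths and the query name are made-up sample values.
EVENTS = [
    {"type": "process", "host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -w hidden -c <constructed payload>"},
    # An interactive PowerShell launch from the Start menu looks like this:
    # explorer.exe is the parent, but no non-interactive switches are present.
    {"type": "process", "host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"type": "dns", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "query": "constructed-subdomain.trycloudflare.com"},
    {"type": "dns", "host": "WS03",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "cdn.example.com"},
]

POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
# Switches that are rare in an interactive launch but typical of a one-liner
# that is meant to run without the user noticing.
NON_INTERACTIVE = re.compile(
    r"-(w|windowstyle)\s+hidden|-(e|enc|encodedcommand)\s|"
    r"-(nop|noprofile)\b|-(ep|executionpolicy)\s+bypass", re.I)
TRYCLOUDFLARE = re.compile(r"(^|\.)trycloudflare\.com$", re.I)
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")


def score_event(ev):
    """Return (rule, severity) for one record, or None if nothing matched."""
    if ev["type"] == "process":
        # FileFix: the pasted command runs with Windows Explorer as its parent.
        if ev["parent"].lower().endswith("\\explorer.exe") and POWERSHELL.search(ev["image"]):
            hidden = bool(NON_INTERACTIVE.search(ev["cmdline"]))
            return ("explorer_spawned_powershell", "high" if hidden else "low")
    elif ev["type"] == "dns":
        # C2 over Cloudflare Tunnel: trycloudflare.com names resolved by a
        # process that is not a browser deserve a closer look.
        if TRYCLOUDFLARE.search(ev["query"]) and not ev["image"].lower().endswith(BROWSERS):
            return ("trycloudflare_from_non_browser", "high")
    return None


def detect(events):
    """Run every record through the rules; return (host, rule, severity) hits."""
    return [(ev["host"], *hit) for ev in events if (hit := score_event(ev))]
```

Explorer-parented PowerShell on its own is how every Start-menu launch looks, so the rule only reaches high severity when non-interactive switches are present; tune the switch list and the browser allow-list to the environment.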
The DFIR Report believes the campaign is opportunistic in nature.