A Dangerous Upgrade in Hacking Tools

A dangerous hacking group called the Interlock ransomware gang has changed the way it attacks people online. They have now started using a new tool that is even more powerful than before. Earlier, they used something called a Remote Access Trojan (or RAT) built with JavaScript and Node.js. But now, they are using a version built in PHP, a programming language used for websites. This change means the virus can now target more computers and work in newer, smarter ways.

This new version was first spotted in June 2025, and it is linked to a criminal group called KongTuke, also known as LandUpdate808. These groups have been very active in recent months. They are using this PHP-based RAT to take control of people’s systems quietly.

The malware is very smart. Once it is inside a computer, it starts checking everything about the machine. It gathers details about the user, the programs running, and the network the computer is connected to. This information is packed neatly in a format called JSON and then sent back to the hackers. After this, the malware can download and run more dangerous files. These files can cause even more problems.

The RAT can also allow hackers to move around the system by hand. This means real people are exploring the system, not just software. They look at important files, accounts, and even servers inside companies. It’s like a thief walking freely inside your house and opening every cupboard.

The FileFix Malware Trick: How They Fool You

To spread this malware, Interlock has started using a sneaky new trick called FileFix. This is a newer version of an older trick they used, known as ClickFix.

Hackers first break into real websites without the site owner knowing. Then, they add hidden code to the site. When someone visits the infected website, they see a fake CAPTCHA. This is the kind of test you see online that asks, “Are you human?” But this one is fake.

The victim is told to copy a command and run it on their computer to pass the test. This command is actually very dangerous. It runs a PowerShell script, a tool used in Windows to control the system. Once the script runs, it secretly installs the PHP-based RAT, giving the hackers full control over the system.

This trick is dangerous because it looks very normal. Many people would think the CAPTCHA is real and do what it says. But doing this gives hackers a way into the computer.

Hard to Catch and Tough to Stop

One of the worst parts about this new malware is how hard it is to catch. The RAT is built to hide very well and keep working, even when people try to stop it.

The malware connects to the hackers using something called a Cloudflare Tunnel. This service hides the real location of the server the malware talks to. It uses a website called trycloudflare.com, which looks safe and normal. Because of this, security tools often miss it.

New EU Law Unleashes Consumer Power—Mass Lawsuits Aim to Cripple Facebook, TikTok & Microsoft

But even if this tunnel stops working, the malware is ready. It has backup IP addresses built in. This means it can still talk to the hackers even if the main path is blocked.

The RAT can also run many commands sent by the attackers. It can make changes to your computer so it stays installed even after you restart. It can also shut itself down when needed, making it harder to detect or study.

This shows how powerful and smart the new Interlock malware is. It does not only sneak into systems—it knows how to stay, hide, and do damage without getting noticed.