KongTuke FileFix Leads to New Interlock RAT Variant

    Date: 07/14/2025

    Severity: High

    Summary

    We’ve discovered a new, resilient variant of the Interlock ransomware group’s remote access trojan (RAT). It is written in PHP rather than JavaScript, the language of the earlier Interlock RAT variant known as NodeSnake. The PHP variant has been in active use since May 2025 in a widespread campaign linked to the LandUpdate808 (aka KongTuke) threat cluster. The chain begins on compromised websites into which a single hidden line of script has been injected; that line loads a second-stage JavaScript only for visitors whose IP addresses pass the attackers’ filtering. Filtered victims are shown a fake captcha and a set of “verification steps” (the FileFix lure) that lead them to execute a PowerShell command, which ultimately deploys the Interlock RAT.

    Indicators of Compromise (IOC) List 

    Domains\URLs: 

    existed-bunch-balance-councils.trycloudflare.com

    ferrari-rolling-facilities-lounge.trycloudflare.com

    galleries-physicians-psp-wv.trycloudflare.com

    evidence-deleted-procedure-bringing.trycloudflare.com

    nowhere-locked-manor-hs.trycloudflare.com

    ranked-accordingly-ab-hired.trycloudflare.com

    IP Addresses:

    64.95.12.71

    184.95.51.165

    Hashes (SHA256):

    28a9982cf2b4fc53a1545b6ed0d0c1788ca9369a847750f5652ffa0ca7f7b7d3

    8afd6c0636c5d70ac0622396268786190a428635e9cf28ab23add939377727b0

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs :

    domainname like "existed-bunch-balance-councils.trycloudflare.com" or url like "existed-bunch-balance-councils.trycloudflare.com" or siteurl like "existed-bunch-balance-councils.trycloudflare.com" or domainname like "ferrari-rolling-facilities-lounge.trycloudflare.com" or url like "ferrari-rolling-facilities-lounge.trycloudflare.com" or siteurl like "ferrari-rolling-facilities-lounge.trycloudflare.com" or domainname like "galleries-physicians-psp-wv.trycloudflare.com" or url like "galleries-physicians-psp-wv.trycloudflare.com" or siteurl like "galleries-physicians-psp-wv.trycloudflare.com" or domainname like "evidence-deleted-procedure-bringing.trycloudflare.com" or url like "evidence-deleted-procedure-bringing.trycloudflare.com" or siteurl like "evidence-deleted-procedure-bringing.trycloudflare.com" or domainname like "nowhere-locked-manor-hs.trycloudflare.com" or url like "nowhere-locked-manor-hs.trycloudflare.com" or siteurl like "nowhere-locked-manor-hs.trycloudflare.com" or domainname like "ranked-accordingly-ab-hired.trycloudflare.com" or url like "ranked-accordingly-ab-hired.trycloudflare.com" or siteurl like "ranked-accordingly-ab-hired.trycloudflare.com" 

    IP Addresses:

    dstipaddress IN ("64.95.12.71","184.95.51.165") or srcipaddress IN ("64.95.12.71","184.95.51.165")

    Hashes (SHA256):

    sha256hash IN ("28a9982cf2b4fc53a1545b6ed0d0c1788ca9369a847750f5652ffa0ca7f7b7d3","8afd6c0636c5d70ac0622396268786190a428635e9cf28ab23add939377727b0")
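    The three TDIR queries above each sweep one indicator type in isolation. The following is an added example, not Gurucul’s or The DFIR Report’s code, that applies the same domain, IP and SHA256 matching to a batch of log events offline, so an analyst can sanity-check a log export or a hunt result set before building the production rule. It goes one step beyond the page’s IOC list: because the listed hostnames are all TryCloudflare quick tunnels, which attackers spin up and discard quickly, the script also flags any other *.trycloudflare.com hostname as a lower-confidence hit. That generalisation, the key=value log format, and the sample log lines are assumptions made for this example; the documentation-range IP addresses and the example tunnel name in the samples are constructed, not observed indicators.

```python
"""Offline IOC sweep for the KongTuke / Interlock RAT indicators above.

Added example; not Gurucul's or The DFIR Report's code. The key=value log
format and the SAMPLE_LOGS lines are constructed for this example.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Indicators exactly as listed on this page.
IOC_DOMAINS = {
    "existed-bunch-balance-councils.trycloudflare.com",
    "ferrari-rolling-facilities-lounge.trycloudflare.com",
    "galleries-physicians-psp-wv.trycloudflare.com",
    "evidence-deleted-procedure-bringing.trycloudflare.com",
    "nowhere-locked-manor-hs.trycloudflare.com",
    "ranked-accordingly-ab-hired.trycloudflare.com",
}
IOC_IPS = {"64.95.12.71", "184.95.51.165"}
IOC_SHA256 = {
    "28a9982cf2b4fc53a1545b6ed0d0c1788ca9369a847750f5652ffa0ca7f7b7d3",
    "8afd6c0636c5d70ac0622396268786190a428635e9cf28ab23add939377727b0",
}

# Assumption (not from the page): the monitored environment has no legitimate
# use of TryCloudflare quick tunnels, so any *.trycloudflare.com host is worth
# a lower-confidence hit even when it is not one of the listed names.
TRYCLOUDFLARE_RE = re.compile(r"(^|\.)trycloudflare\.com$")

# Field names mirror the ones used in the TDIR queries above.
HOST_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("srcipaddress", "dstipaddress")


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key2="quoted value"' log line."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def host_of(value: str) -> str:
    """Return the lowercase hostname of a URL or bare domain."""
    target = value if "://" in value else "//" + value
    return (urlsplit(target).hostname or "").lower()


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the list of indicator hits for one parsed event (empty if clean)."""
    hits: List[str] = []

    hosts = {host_of(event[f]) for f in HOST_FIELDS if f in event}
    for host in sorted(hosts):
        if host in IOC_DOMAINS:
            hits.append(f"domain:{host}")
        elif TRYCLOUDFLARE_RE.search(host):
            hits.append(f"trycloudflare-tunnel:{host}")

    for field in IP_FIELDS:
        ip = event.get(field)
        if ip in IOC_IPS:
            hits.append(f"ip:{field}={ip}")

    # Normalise case: hash fields are often exported in upper case.
    digest = event.get("sha256hash", "").lower()
    if digest in IOC_SHA256:
        hits.append(f"sha256:{digest}")

    return hits


def sweep(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run match_event over raw log lines and keep only the lines that hit."""
    results = []
    for line in lines:
        hits = match_event(parse_kv(line))
        if hits:
            results.append((line, hits))
    return results


# Constructed sample events (RFC 5737 documentation addresses and an invented
# tunnel name are used where no page indicator is intended).
SAMPLE_LOGS = [
    'ts=2025-07-14T10:00:01Z host=ws01 domainname=existed-bunch-balance-councils.trycloudflare.com dstipaddress=203.0.113.10',
    'ts=2025-07-14T10:00:02Z host=ws02 url="https://example-tunnel-name.trycloudflare.com/c.php" dstipaddress=203.0.113.20',
    'ts=2025-07-14T10:00:03Z host=ws03 srcipaddress=10.0.0.7 dstipaddress=184.95.51.165',
    'ts=2025-07-14T10:00:04Z host=ws04 sha256hash=28A9982CF2B4FC53A1545B6ED0D0C1788CA9369A847750F5652FFA0CA7F7B7D3',
    'ts=2025-07-14T10:00:05Z host=ws05 url="https://www.example.com/index.html" dstipaddress=203.0.113.30',
]

if __name__ == "__main__":
    for line, hits in sweep(SAMPLE_LOGS):
        print(hits, "<-", line)
```

The exact-domain and hash matches carry the same confidence as the TDIR queries; treat the generic *.trycloudflare.com hits as a pivot point for investigation rather than as a confirmed Interlock indicator, since the specific tunnel names on this page are expected to rotate.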

    Reference:    

    https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/ 


    Tags: Malware, Ransomware, RAT, KONGTUKE, FileFix, Interlock, LandUpdate808 aka KongTuke
