Interlock RAT Evolves in New KongTuke Web-Inject Attacks Targeting U.S. Industries

 

A recently enhanced version of the Interlock remote access Trojan (RAT) is being deployed in an ongoing web-inject campaign linked to the ransomware group behind it. Known for its double-extortion tactics, Interlock has now shifted its technical approach with a more covert RAT variant written in PHP. According to a new report by The DFIR Report, this marks a significant advancement in the group’s capabilities and strategy.  

Interlock first emerged in late 2024, attacking high-profile targets such as Texas Tech University’s Health Sciences Centers. Earlier this year, cybersecurity firm Quorum Cyber detailed two versions of the group’s malware, named NodeSnake, focused on maintaining persistence and exfiltrating data. The newest version introduces additional stealth features, most notably a transition from JavaScript to PHP, allowing the malware to blend more easily with normal web traffic and avoid detection. 

This enhanced RAT is tied to a broader web-inject threat campaign dubbed “KongTuke,” where victims are tricked into running malicious scripts after visiting compromised websites. Visitors encounter what appears to be a legitimate CAPTCHA but are actually prompted to paste dangerous PowerShell commands into their systems. This action initiates the Interlock RAT, giving attackers access to the machine. 

Once activated, the malware gathers extensive data on the infected system. Using PowerShell, it collects system information, running processes, mounted drives, network connections, and checks its own privilege level. This enables attackers to evaluate the environment quickly and plan further intrusion tactics. It then connects back to command-and-control infrastructure, leveraging services like Cloudflare Tunneling for stealthy communication. Remote desktop protocol (RDP) is used for lateral movement and persistent access. 

Researchers say the targeting in this campaign appears opportunistic, not industry-specific. Victims across various sectors in the U.S. have been identified, with the attackers casting a wide net and focusing efforts where systems and data seem valuable or more vulnerable.  

Defensive recommendations from experts include improving phishing awareness, restricting the use of the Windows Run dialog box, enforcing least privilege access, and requiring multifactor authentication. Blocking unnecessary use of RDP is also essential. 

The growing sophistication of the Interlock RAT and its integration into mass web-inject campaigns reflects an evolving cyber threat landscape where stealth, automation, and social engineering play a central role.