Intel Name: KongTuke FileFix leads to new Interlock RAT variant
Date of Scan: July 14, 2025
Impact: High
Summary: We’ve discovered a new, resilient variant of the Interlock ransomware group’s remote access trojan (RAT), now rewritten in PHP rather than JavaScript (the JavaScript version was previously known as NodeSnake). This version has been actively used in a widespread campaign linked to the LandUpdate808 (aka KongTuke) threat clusters since May 2025. The attack begins with compromised websites containing hidden one-line scripts that load filtered JavaScript targeting specific IPs. Victims are prompted with a fake CAPTCHA and “verification steps” that lead them to execute a PowerShell script, which ultimately deploys Interlock RAT.