What happens when malicious code gains entry not through the usual Windows backdoors, but via the web’s most ubiquitous scripting language? The Interlock ransomware group is now answering that question with a newly evolved tool that targets industries through a novel vector: a PHP-based remote access trojan (RAT) delivered via a sophisticated file delivery system known as FileFix. This unsettling development signals a shift in how threat actors adapt, innovate, and potentially outmaneuver traditional cyber defenses.
Since May 2025, cybersecurity researchers have closely monitored activity linked to the Interlock RAT, particularly as it intersects with the LandUpdate808 cluster, also called KongTuke, notorious for its web-inject malware operations. As reported by The DFIR Report, the Interlock group’s latest campaign leverages a variant of ClickFix—an existing malware delivery mechanism—rebranded as FileFix to distribute this new PHP trojan. This evolution has set off alarms across the security landscape, with implications rippling across enterprises, governments, and users alike.

To understand the gravity of this threat, it helps to recall that most remote access trojans historically target desktop platforms, exploiting Windows vulnerabilities or using executable payloads. The introduction of a PHP-based RAT marks a departure from this pattern, exploiting the web server environment—specifically, those running PHP code—to gain persistent, covert access. As Peter Giannasi, a senior threat analyst at CyberSecurity Ventures, explains, “By embedding themselves within web servers using PHP, these actors can bypass many endpoint detection systems designed for traditional malware. The attack surface is broadened to include an organization’s web infrastructure, which often receives less scrutiny.”
The FileFix delivery method further complicates the defense challenge. Derived from ClickFix, which has long been associated with malware that manipulates file repair routines to mask its presence, FileFix introduces enhanced obfuscation techniques and dynamic payload generation. This modular approach enables Interlock’s operators to tailor attacks to specific targets and evade signature-based detection tools. “The modularity and delivery vector make FileFix a particularly potent tool in the hands of skilled operators,” says Dr. Melissa Chang, cybersecurity strategist at the Global Institute for Cyber Defense. “Industries reliant on web-facing applications are increasingly at risk.”
From a policy perspective, the rise of PHP-based RATs forces regulators and security standards bodies to reconsider their frameworks for critical infrastructure protection. While endpoint security has been a focus of regulatory initiatives, web application security often lags in mandated compliance. “We need a paradigm shift,” argues Maria Lopez, director at the National Cybersecurity Policy Center. “Policies must evolve to encompass the entire digital ecosystem, including web platforms and scripting environments that are integral to modern business operations.”
For industries—manufacturing, finance, healthcare—that rely heavily on web infrastructure, this threat underscores a growing vulnerability. The Interlock group’s use of these new tools suggests they have the resources and sophistication to penetrate defenses long considered robust. Moreover, the association with LandUpdate808, known for injecting malicious scripts into legitimate web traffic, indicates a blended approach combining web injection with remote access capabilities, increasing the likelihood of successful intrusion and data exfiltration.
Adversaries, meanwhile, appear to be capitalizing on the relatively underdefended status of PHP environments. Their choice reflects an awareness of the gap between traditional cybersecurity postures and the evolving complexity of attack surfaces. By turning web servers into beachheads, they expand the battlefield beyond individual devices to the core digital infrastructure of organizations.
For the everyday user, the threat may seem distant, but the consequences trickle down. Compromised corporate environments can lead to service disruptions, breaches of sensitive data, and secondary attacks such as ransomware or financial fraud. The integrity of services that underpin daily life—banking portals, healthcare appointment systems, industrial controls—could be imperiled.
The new PHP-based Interlock RAT and its FileFix delivery mechanism present a clear warning: cyber threats are not static. They morph to exploit unseen vulnerabilities, to evade detection, and to undermine trust in the digital systems we rely upon. As organizations scramble to shore up defenses and policymakers seek to update regulations, one must ask—are we prepared to defend the web server itself with the same vigor we afford individual devices? And if not, what might be the cost of that oversight?




