In recent days, cybersecurity researchers have discovered a highly dangerous new variant of Interlock RAT, spyware that lets attackers remotely control a victim's computer. Notably, this new variant is written in PHP and uses a number of sophisticated techniques to deceive users and bypass traditional security controls.

Interlock RAT is a Remote Access Trojan developed by the Interlock hacker group, which is known for many previous attacks. It allows the attackers to take complete control of victims' computers: monitoring them, stealing data, installing further malware, and even paving the way for ransomware attacks.

The latest variant, discovered in July 2025, has moved from JavaScript to PHP. This makes the malicious code harder to detect in Windows environments, where PHP is rarely used as an application language.

The new Interlock RAT variant's attack chain is sophisticated, but it relies on users' careless habits. First, the hackers insert a piece of malicious code into compromised websites, especially WordPress sites using well-known plugins such as GravityForms. When a user visits the site, they are redirected to a fake CAPTCHA page, a familiar type of test used to confirm that a visitor is not a bot.

Here, the victim is asked to copy and paste a string into the Windows "Run" dialog box to "verify their identity". The string is actually a PowerShell command that downloads and installs the malicious code.

Once installed, Interlock RAT begins collecting data: operating system information, user accounts, running programs, services on the system, the local network, and so on. All of this information is sent back to the attacker-controlled C2 server.

To mask this activity, the RAT uses a tool called Cloudflare Tunnel, which lets it connect out to the Internet without being blocked by internal firewall systems. If this fails, it automatically switches to a pre-programmed backup IP address.

The RAT can also persist on the machine, execute additional code, and spread to other computers on the same network, paving the way for further attacks such as stealing accounts, sabotaging systems, or encrypting data for ransom.

What makes the PHP variant of Interlock RAT particularly dangerous is:

  • Hard to spot: because it uses PHP, a language rarely seen on Windows, many traditional antivirus programs do not recognize the suspicious signs.
  • Large-scale attacks: the hackers do not target specific sites, but exploit a wide range of vulnerabilities to spread the malicious code.
  • Tricky: it uses highly convincing fake CAPTCHAs that fool even experienced users.
  • Effective hiding: Cloudflare Tunnel technology lets the malicious code communicate with the outside world without being blocked.
Anyone who uses a computer can become a target, so everyone should take the following precautions:
  • Do not copy or paste any commands into PowerShell or the Run dialog if you don't really know what they do, especially if an unfamiliar website or window asks you to.
  • Run anti-FileFix/ClickFix awareness training, including how to recognize forged commands.
  • Block the Win+R Run dialog and the automatic pasting of command strings.
  • Restrict RDP, enable MFA, and apply least privilege.
  • Update IOCs and apply Cloudflare Tunnel detection rules covering trycloudflare.com and the fallback IP address.
For enterprises and system administrators:
  • Check for suspicious files in the AppData\Roaming folder, especially files named php.exe or with a .cfg extension.
  • Block access to trycloudflare.com if you aren’t using it.
  • Monitor internal network operations and remote logins via RDP.
  • Update WordPress plugins, especially GravityForms, to patch security vulnerabilities.
  • Follow the “zero trust” principle – do not trust any files or connections that have not been verified.
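The two detection rules recommended above (a PHP interpreter running from AppData\Roaming, and DNS queries for trycloudflare.com) can be expressed as simple log-matching logic. The following is an added example, not code from the original article or from any vendor; the log format and the sample events are constructed for illustration and do not represent real telemetry or real Interlock RAT indicators.

```python
import re
from typing import Dict, List

# Constructed sample events (not real telemetry): one process-creation or
# DNS record per line in a simplified key=value format. Quoted values may
# contain spaces.
SAMPLE_EVENTS = """\
type=process image=C:\\Windows\\System32\\notepad.exe parent=C:\\Windows\\explorer.exe cmd="notepad.exe"
type=process image=C:\\Users\\alice\\AppData\\Roaming\\php\\php.exe parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="php.exe config.cfg"
type=dns host=host1 query=updates.example.com
type=dns host=host1 query=abc-def-ghi.trycloudflare.com
type=process image=C:\\Program Files\\PHP\\php.exe parent=C:\\Windows\\System32\\cmd.exe cmd="php.exe -v"
"""

# Rule 1: a PHP interpreter launched from a per-user roaming profile directory
# (a legitimate PHP install under Program Files is deliberately not matched).
PHP_IN_ROAMING = re.compile(r"\\AppData\\Roaming\\.*php\.exe$", re.IGNORECASE)
# Rule 2: a DNS query for a Cloudflare quick-tunnel hostname.
TRYCLOUDFLARE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)

def parse_event(line: str) -> Dict[str, str]:
    """Split a log line into key/value pairs, stripping quotes from values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules this single event matches."""
    hits = []
    if event.get("type") == "process" and PHP_IN_ROAMING.search(event.get("image", "")):
        hits.append("php_from_appdata_roaming")
    if event.get("type") == "dns" and TRYCLOUDFLARE.search(event.get("query", "")):
        hits.append("trycloudflare_dns_query")
    return hits

def scan(log_text: str) -> List[Dict[str, object]]:
    """Run every rule over every line and collect the events that matched."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        hits = evaluate(event)
        if hits:
            findings.append({"rules": hits, "event": event})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        event = finding["event"]
        print(finding["rules"], event.get("image") or event.get("query"))
```

Feed it real process-creation and DNS logs in the same key=value shape, or adapt parse_event to your SIEM's export format; the rules themselves only need the image path and the queried hostname.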
The Hacker News