Every "I'm Not a Robot" Checkbox Silently Brings Your Computer Closer to Being Hijacked

The sinister NodeSnake has learned to slither through PHP—and now it's even more dangerous.

In recent months, cybersecurity experts have observed a surge in activity from the Interlock group, the creators of the NodeSnake malware (also known as Interlock RAT). According to a joint technical report by The DFIR Report and Proofpoint, since May 2025 attackers have been using an updated infrastructure linked to the LandUpdate808 cyberthreat (also known as KongTuke). They are now distributing not only the known Node.js-based variant of the Trojan but also a new PHP implementation.
How the Attack Works
The infection starts with compromised websites: a single-line script is stealthily embedded into web pages, remaining invisible to both site owners and regular users. This script triggers a Traffic Distribution System (TDS), which filters visitors by IP address. Those who pass the filter are redirected to a fake CAPTCHA verification page, where they are prompted to execute a PowerShell command—the very command that initiates the infection, ultimately leading to the Trojan’s installation.

A key feature of this campaign is the use of FileFix, a modified version of ClickFix. It exploits a vulnerability that allows the Windows Explorer address bar to execute commands. The FileFix technique was first described as a proof-of-concept in June 2025 by an independent researcher under the alias mrd0x.
From Node.js to PHP: A More Versatile Threat
Originally, Interlock RAT was built on Node.js and was used in attacks against municipal and educational institutions in the UK in early 2025. However, in June and July, cases of the PHP variant were detected. Researchers note that the infection often begins with the PHP version, after which the classic Node.js variant may be deployed. This approach allows attackers to target a broader range of victims, as the PHP implementation integrates more easily into web infrastructures.
Post-Infection: Data Theft & Persistence
Once installed, the malware immediately collects system information and sends it in JSON format to a remote server. It checks the privilege level (user, admin, or system process) and downloads additional EXE or DLL modules accordingly. To maintain persistence, the Trojan modifies Windows Registry settings and enables Remote Desktop (RDP), allowing attackers to move laterally within corporate networks.
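Two of the host-level behaviours described above (the FileFix PowerShell launch from the Explorer address bar, and RDP being switched on for persistence) leave simple traces in endpoint telemetry. The following is an added detection example, not code from the article or from The DFIR Report/Proofpoint; it runs over constructed, Sysmon-like event records, and the registry key it watches (fDenyTSConnections) is the analyst's assumption of what "enables RDP" means, since the article does not name the key.

```python
from dataclasses import dataclass

@dataclass
class Event:
    kind: str          # "process" or "registry" (constructed, Sysmon-like record)
    image: str = ""    # created process image
    parent: str = ""   # parent process image
    cmdline: str = ""  # created process command line
    key: str = ""      # registry value path (registry events)
    data: str = ""     # data written (registry events)

# ASSUMPTION: "enables RDP" is read as fDenyTSConnections set to 0; the article never names the key.
RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
PS_HOSTS = ("powershell.exe", "pwsh.exe")

def is_filefix_launch(ev: Event) -> bool:
    """explorer.exe spawning a PowerShell host, the shape a FileFix address-bar paste
    leaves in process telemetry. Benign cases exist, so pair it with the command line."""
    return (ev.kind == "process"
            and ev.parent.lower().endswith("\\explorer.exe")
            and ev.image.lower().rsplit("\\", 1)[-1] in PS_HOSTS)

def is_rdp_enabled(ev: Event) -> bool:
    """Registry write that switches Remote Desktop on (the persistence step above)."""
    return (ev.kind == "registry" and ev.key.lower() == RDP_KEY.lower()
            and ev.data.strip() == "0")

def triage(events):
    """Return (rule, detail) pairs for every event that matches a rule."""
    alerts = []
    for ev in events:
        if is_filefix_launch(ev):
            alerts.append(("powershell_spawned_by_explorer", ev.cmdline))
        elif is_rdp_enabled(ev):
            alerts.append(("rdp_enabled_via_registry", ev.key))
    return alerts

# Constructed sample telemetry: a benign launch, a FileFix-style launch, an RDP toggle.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\notepad.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="notepad.exe notes.txt"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -w hidden -c <placeholder: pasted stage-1 command>"),
    Event("registry", key=RDP_KEY, data="0"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On real telemetry, feed Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) records into the same two rules; the Explorer-to-PowerShell match is a triage signal to correlate, not a verdict on its own.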
Evading Detection: Cloudflare Tunnels & Hardcoded IPs
The malware uses Cloudflare Tunnel subdomains to mask its traffic, making command-and-control (C2) servers harder to track and block. If the tunnel connection fails, the malware falls back to hardcoded IP addresses, ensuring backup connectivity and resilience for the attackers’ infrastructure.
A Growing, Adaptable Threat
The discovery of the PHP version highlights Interlock’s evolving toolkit and high adaptability. By leveraging familiar programming languages and system functions, the threat becomes more universal and harder to detect.