Illegal Software Distribution: Interlock RAT Spread Through Innovative FileFix Delivery Method
In the ever-evolving cybersecurity landscape, two recent threats have been causing concern among security professionals: ClickFix and its variant, FileFix. These social engineering techniques, often used to deliver malware, have been targeting Windows and, to a lesser extent, Linux users.
Arctic Wolf, a leading cybersecurity company, offers modules within its Managed Security Awareness product to help users recognize and respond to the types of threats associated with ClickFix and FileFix. KnowBe4 likewise provides comparable resources within its Managed Security Awareness product.
FileFix is a variant of the previously documented ClickFix technique and likewise relies on fake CAPTCHA pages. The DFIR Report published a technical analysis of malware being delivered via this social engineering technique, dubbed "FileFix."
The social engineering process in FileFix involves instructing victims to click a button, open File Explorer, paste a malicious command, and hit enter to execute the malware. Observed commands typically involve encoded PowerShell scripts that download and execute malware, such as the Interlock Remote Access Trojan (RAT). Arctic Wolf has observed ClickFix intrusions leading to Interlock ransomware as recently as April 2025.
To combat these threats, several measures can be taken. Disabling the Run dialog and CMD execution in Windows using Group Policy or the Registry can help prevent commands from being executed through various applications. Microsoft also provides a Group Policy setting that restricts PowerShell to running only scripts signed by a trusted provider; enabling it enforces the signed-scripts-only behaviour.
Moreover, blocking commonly abused domains such as trycloudflare.com can help prevent potential threats. App Control for Business (formerly Windows Defender Application Control) and AppLocker policies can limit the execution of unapproved scripts. PowerShell scripts that are not allowed by an App Control policy still run, but only in Constrained Language Mode, a PowerShell execution environment in which potentially dangerous features are disabled.
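As an added example (not Arctic Wolf's or the DFIR Report's code), the following PowerShell applies the registry-backed policy settings described above and then audits whether they are in effect. It assumes an elevated session, that the Run dialog and command prompt policies are applied per user under HKCU, and that the signed-scripts-only PowerShell policy is set machine-wide under HKLM.

```powershell
# Added example: apply and audit the Windows hardening settings discussed above.
# Assumptions: elevated session; per-user policies under HKCU, PowerShell policy under HKLM.
# Domain blocking (e.g. trycloudflare.com) is done at DNS/proxy level and is not shown here.

$Settings = @(
    # "Remove Run menu from Start Menu" (NoRun = 1) blocks the Win+R Run dialog.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoRun'; Value = 1; Type = 'DWord' },
    # "Prevent access to the command prompt" (DisableCMD = 2) disables interactive
    # cmd.exe while still allowing batch scripts; a value of 1 blocks those as well.
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name = 'DisableCMD'; Value = 2; Type = 'DWord' },
    # "Turn on Script Execution" with "Allow only signed scripts" = AllSigned policy.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
       Name = 'EnableScripts'; Value = 1; Type = 'DWord' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
       Name = 'ExecutionPolicy'; Value = 'AllSigned'; Type = 'String' }
)

function Set-FileFixHardening {
    # Creates each policy key if missing and writes the expected value.
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
    }
}

function Test-FileFixHardening {
    # Returns one object per setting with its current value and a Compliant flag,
    # so the state can be verified on a pilot host before wider rollout.
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name `
                        -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = $s.Name
            Expected  = $s.Value
            Current   = $current
            Compliant = ($current -eq $s.Value)
        }
    }
}

Set-FileFixHardening
Test-FileFixHardening | Format-Table -AutoSize
```

Running Test-FileFixHardening on its own (without the Set call) gives a read-only audit of the current state, which is the safer first step on a production host.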
However, these technical measures are only part of the solution. User awareness training should be delivered regularly to reinforce the risks of copying and pasting commands from untrusted sources, particularly from unsolicited browser prompts that mimic system errors or CAPTCHA challenges.
It's important to note that some of these settings may have an operational impact depending on the day-to-day needs of users, so they should be tested in isolation before being deployed broadly.
While Arctic Wolf hasn't directly encountered FileFix, the DFIR Report's findings closely mirror its own observations. Since February 2025, Arctic Wolf has observed Interlock RAT being deployed via social engineering techniques similar to FileFix.
Stay vigilant, stay secure.