TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Threat actors are reported to be using a new tactic dubbed FileFix to deploy Interlock ransomware. The tactic builds on earlier threat actor activity that leveraged the KongTuke script to deploy the ransomware, suggesting an evolution in attack methods.
On July 14th, 2025, The DFIR Report, in partnership with Proofpoint, released a report detailing new tactics used to deploy Interlock ransomware. According to the report, since May 2025, threat actors associated with the Interlock ransomware group have been actively distributing a new PHP-based Remote Access Trojan (RAT) through a deceptive method dubbed “FileFix”, as part of the ongoing KongTuke campaign. This technique replaces the previously observed "ClickFix" with a more covert approach that leverages fake CAPTCHA prompts and social engineering to trick victims into copying and pasting malicious code directly into the Windows File Explorer address bar.
The attack begins when a user visits a compromised website hosting malicious JavaScript injected by the threat actor. This script redirects the user to a landing page containing a fake CAPTCHA. Once the user clicks “Verify,” they are shown a prompt instructing them to copy and paste a string into the File Explorer address bar. The string is disguised to look like a file path but is actually a Base64-encoded PowerShell command. Upon execution, the PowerShell script downloads and installs a standalone PHP executable (php.exe) and a configuration file, which together load the PHP-based Interlock RAT into memory.
Once installed, the RAT begins automated reconnaissance by collecting system information, running task enumeration, and querying network configuration using PowerShell. It captures details such as the hostname, username, privilege level, running services, and ARP table. The threat actor is capable of initiating hands-on-keyboard activity. This includes querying Active Directory, identifying domain controllers, enumerating user accounts, and probing backup software like Veeam. Remote commands are executed via the PHP interpreter, and persistence is established through registry keys under the current user’s Run path.
For Command-and-Control (C2), Interlock RAT uses subdomains hosted on trycloudflare[.]com, leveraging Cloudflare Tunnel to disguise outbound traffic and avoid detection. Additionally, the malware includes hardcoded fallback IP addresses to ensure continued communication in the event that domains are blocked. The campaign has been opportunistic, targeting multiple industries without specific focus.
Interlock RAT grants the attackers full control over the victim's host, allowing them to monitor, control, upload, and execute malicious files and commands. If left undetected, Interlock RAT can lead to advanced threats, including ransomware attacks, compromising sensitive data, and disrupting business operations. The observations of Interlock RAT activity since May 2025 and its deployment in a "widespread campaign" highlight that this is not an isolated incident but an active threat. This widespread campaign relies on victims falling for a social engineering attack, and does not include any specific targeting, as such, all organizations are at risk of this threat.
The eSentire Threat Intelligence team investigated several incidents where users visited a compromised website containing malicious JavaScript code associated with KongTuke. The KongTuke script displayed a fake CAPTCHA page, which instructed users to copy and paste a PowerShell command for execution on their systems. The investigation revealed that the initial access vector utilized was ClickFix. The loader file deployed additional payloads in the form of PNG files and conducted post-exploitation activities similar to those mentioned in the report. Although the FileFix technique was not observed during the examination of the infection chain, it is important to note that the FileFix tactic used by threat actors highlights their refinement of initial access techniques. They are moving beyond ClickFix to more interactive and deceptive attack vectors.
According to ESET, ClickFix campaigns saw a dramatic 517% increase in volume from the second half of 2024 to early 2025, spreading infostealers, ransomware, and RATs. FileFix emerged in late June 2025, with proofs-of-concept shared on June 23. With ClickFix already surging, FileFix could quickly become the next big social-engineering threat unless users are vigilant and defensive controls are strengthened.
A report from Sekoia also indicates that the operators of Interlock ransomware are using fake updater applications hosted on compromised websites to trick victims into downloading and executing the malware themselves. As there is an ongoing campaign, organizations are strongly encouraged to conduct user awareness training for popular web-based malware delivery tactics, such as fake browser updates, ClickFix, and the FileFix initial access vector (IAV). eSentire MDR for Network and Endpoint detects activity related to various information stealers. The eSentire Tactical Threat Response (TTR) team has developed detections for the FileFix IAV. The eSentire Threat Intelligence team is performing threat hunts based on related Indicators of Compromise (IoCs) and has included these IoCs in the eSentire Threat Intelligence Feed.
Bottom Line: A new version of Matanbuchus malware is being sold via the Malware-as-a-Service model. Threat actors are deploying the malware via sophisticated Microsoft Teams social engineering attacks.
On July 16th, 2025, Morphisec Labs published a report detailing the use of Matanbuchus malware in recent campaigns, potentially employed by threat actors in a ransomware deployment attack chain. The report emphasizes the capabilities of a new variant, Matanbuchus 3.0, deployed through fraudulent Microsoft Teams calls.
In July 2025, Matanbuchus malware activity was observed involving the use of a Tech Support scam to facilitate its deployment. Threat actors contacted victims via fraudulent Microsoft Teams calls, impersonating IT Help Desk personnel. Through social engineering, victims were persuaded to activate Quick Assist, a legitimate Microsoft Windows feature, which allowed the attackers to gain remote access to their devices resulting in deployment of Matanbuchus.
During the interaction, the victims were lured into executing a script that downloaded a malicious archive containing a fake installer file (renamed Notepad++ updater), a modified configuration XML file, and a malicious side-loaded DLL (Matanbuchus loader). The fake installer file leverages DLL sideloading to load the Matanbuchus DLL in memory.
Matanbuchus is a loader malware provided as Malware-as-a-Service (MaaS) since early 2021 by a threat actor named BelialDemon. Matanbuchus 3.0 demonstrates enhanced capabilities, including improved in-memory stealth operations, persistence mechanisms, and Command-and-Control (C2) communication. It also features support for WQL queries, CMD and PowerShell reverse shells, fingerprinting of Endpoint Detection and Response (EDR) solutions, and support for executing next-stage payloads in EXE, DLL, MSI, and shellcode formats. The malware is advertised for $10,000 per month, with a DNS-based variant available for $15,000 per month by the developers.
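The FileFix chain above (Explorer launching an encoded PowerShell command, a standalone php.exe dropped under the user's profile, C2 over trycloudflare.com) and the Matanbuchus sideloading chain (a fake updater in a user-writable folder loading an unsigned DLL beside itself) each leave host-level traces a defender can hunt for. The following added example, which is not eSentire's detection content, runs four simple rules over constructed, simplified Sysmon-style events; the event schema, paths and hostnames are assumptions for illustration.

```python
import ntpath
import re

# Constructed, simplified Sysmon-style events for the chains above (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",   # FileFix address-bar paste
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc QUFBQUFBQUFBQUFB"},
    {"type": "process", "parent": r"C:\Users\alice\AppData\Local\Temp\php\php.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\php\php.exe",   # standalone PHP RAT host
     "cmdline": r"php.exe -c C:\Users\alice\AppData\Local\Temp\php\php.ini"},
    {"type": "dns", "image": r"C:\Users\alice\AppData\Local\Temp\php\php.exe",
     "query": "random-words-here.trycloudflare.com"},           # Cloudflare Tunnel C2
    {"type": "imageload", "image": r"C:\Users\alice\AppData\Local\Temp\npp\updater.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\npp\helper.dll", "signed": False},  # sideload
    {"type": "process", "parent": r"C:\Windows\explorer.exe",   # benign: user opens Notepad++
     "image": r"C:\Program Files\Notepad++\notepad++.exe", "cmdline": "notepad++.exe notes.txt"},
]
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\(appdata|downloads)\\|\\programdata\\|\\windows\\temp\\")

def filefix_launch(ev):
    """Explorer (the File Explorer address bar) starting PowerShell with an encoded command."""
    return (ev["type"] == "process" and ev["parent"].lower().endswith(r"\explorer.exe")
            and ev["image"].lower().endswith("powershell.exe")
            and re.search(r"(?i)\s-e(c|n[a-z]*)?\s", ev["cmdline"]) is not None)

def php_from_user_path(ev):
    """php.exe running from a user-writable directory, where the dropped interpreter lands."""
    return (ev["type"] == "process" and ev["image"].lower().endswith(r"\php.exe")
            and USER_WRITABLE.search(ev["image"]) is not None)

def trycloudflare_c2(ev):
    """DNS lookup of a trycloudflare.com subdomain; tune for legitimate developer use."""
    return ev["type"] == "dns" and ev["query"].lower().endswith(".trycloudflare.com")

def dll_sideload(ev):
    """An executable in a user-writable directory loading an unsigned DLL beside itself."""
    return (ev["type"] == "imageload" and not ev["signed"]
            and USER_WRITABLE.search(ev["image"]) is not None
            and ntpath.dirname(ev["loaded"]).lower() == ntpath.dirname(ev["image"]).lower())

RULES = [filefix_launch, php_from_user_path, trycloudflare_c2, dll_sideload]

def detect(events):
    """Return (rule name, event index) for every event that matches a rule."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]
```

Each rule is deliberately narrow so it can be mapped onto real EDR or Sysmon fields; the benign Notepad++ launch in the sample set shows that an Explorer parent alone is not enough to alert on.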
Morphisec Labs reported a significant surge in targeted campaigns leveraging Matanbuchus over the past nine months, with the most recent activity observed in July 2025 involving a new version of the malware. These campaigns are assessed to potentially lead to ransomware deployment, indicating the high severity and criticality of the attacks. The use of Matanbuchus 3.0 in these operations underscores the persistent and evolving nature of such sophisticated campaigns.
In early 2021, Matanbuchus was advertised for USD 2,500 per month, significantly lower than the current price for its latest variant. While no explicit justification has been provided for the price increase, it is likely intended to reflect the advanced capabilities of the new version and to attract more well-funded and sophisticated threat actors, such as ransomware groups. Morphisec Labs was able to intercept a sample of the new variant before its public advertisement, suggesting that the malware was initially distributed within a closed circle of threat actors.
The tech support scam technique leveraging Microsoft Teams is increasingly being favored by threat actors, as it offers a convenient method to gain access to victim devices without the effort of exploiting a software or hardware vulnerability or harvesting credentials via phishing. A similar technique has been observed in attacks by Black Basta ransomware affiliates and Russia-linked ransomware threat actors. eSentire observed multiple instances of the Matanbuchus loader malware between May and June 2024, with the loader being delivered through malvertising campaigns. The recent shift toward using tech support scams as a delivery method reflects the increasing success rate and effectiveness of this social engineering technique among threat actors.
Organizations are advised to conduct comprehensive security awareness training that covers emerging attack techniques and equips employees to recognize and respond to such threats appropriately. To prevent tech support scams via Microsoft Teams, organizations should disable external users within the Teams application. Organizations should implement robust Endpoint Detection and Response (EDR) solutions to detect and contain the deployment of malicious payloads.
eSentire MDR Suite has detections in place to identify activities associated with Matanbuchus. eSentire published a security advisory detailing Matanbuchus incidents observed in 2024 on June 12th, 2024.
Bottom Line: The Salt Typhoon APT group, linked to the People’s Republic of China (PRC), extensively compromised a U.S. state's Army National Guard network between March and December 2024, exfiltrating sensitive data and credentials. This breach impacts national security, as the stolen information could facilitate further attacks on government and critical infrastructure entities.
Salt Typhoon, a sophisticated Chinese state-sponsored Advanced Persistent Threat (APT) group, has been implicated in a prolonged cyberespionage campaign targeting U.S. critical infrastructure and government entities. According to a Department of Homeland Security (DHS) memo that was released following a freedom of information request, Salt Typhoon extensively compromised a U.S. state’s Army National Guard network from March to December 2024. The report does not disclose which state was impacted. The breach, which lasted nearly a year, enabled the group to access sensitive military and law enforcement data, including network configuration information, data traffic associated with other U.S. states/territories, maps of locations throughout the state, Personally Identifiable Information (PII) of service members, and network credentials.
Technical details on how the breach occurred have not been provided at this time. According to the DHS, Salt Typhoon has previously been observed exploiting vulnerabilities in Palo Alto and Cisco devices. Confirmed targeted vulnerabilities include:
At the time of writing, it is believed that Salt Typhoon’s access has been removed but continued cyberattacks from the group are expected.
This activity is highly concerning due to the long attacker dwell time, theft of sensitive information, and the risk that stolen data may be used to enable follow-on attacks. The DHS specifically mentions that data stolen during this campaign could be used to carry out attacks against other U.S. government and civilian organizations, particularly those integrated with law enforcement fusion centers. Salt Typhoon is confirmed to have used stolen information in past campaigns to enable additional attacks. Between January and March 2024, Salt Typhoon stole configuration files associated with the U.S. government and critical infrastructure; this data was used to carry out attacks against two government agencies, one of which was successfully breached.
The long dwell time observed in this and previous Salt Typhoon operations, up to three years in some cases, suggests a focus on strategic intelligence collection rather than immediate disruption. However, the access gained could be weaponized in the future to degrade U.S. response capabilities, sow confusion, or facilitate influence operations.
The attacks on government infrastructure show wider targeting by Salt Typhoon. Previous activity attributed to the group heavily focused on telecommunication and Internet Service providers. Past targets of Salt Typhoon include AT&T, Verizon, T-Mobile, Lumen Technologies, and Charter Communications. These companies hold a trove of data that may be valuable for espionage purposes. It is almost certain that Salt Typhoon will continue to carry out attacks against public and private organizations in North America, to enable espionage and gain a strategic advantage in the event of escalating tensions.
To defend against Salt Typhoon and other similar groups, organizations are encouraged to take proactive security measures, such as deploying Endpoint Detection and Response (EDR) across all supported assets, regularly scanning for vulnerabilities and ensuring patch management is conducted, and enforcing the use of Multi-Factor Authentication (MFA). Additionally, strengthening public and private information sharing relationships is important, as this enables the sharing of indicators and tradecraft, allowing for threat hunting and quicker response actions.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.