Since at least February 2025, Arctic Wolf has observed the Interlock Remote Access Trojan (RAT) being deployed via social engineering techniques. Recently, The DFIR Report published a technical analysis of the Interlock RAT being delivered via a social engineering technique dubbed “FileFix.” The name FileFix is derived from its similarity to the previously documented ClickFix technique, which uses fake CAPTCHA pages. While Arctic Wolf hasn’t directly encountered FileFix, The DFIR Report’s findings closely mirror our observations. Arctic Wolf observed ClickFix intrusions leading to Interlock ransomware as recently as April 2025, with indications in the threat landscape of ongoing social engineering activity since then.
With the ClickFix technique, users are instructed to paste a command into the Run dialog that downloads and executes malware. FileFix takes a similar approach, but instead instructs users to use the file open dialog. While this method has primarily targeted Windows users, previous reports have also indicated Linux variants of ClickFix-style methods being used in the wild.
Much like its predecessor, the FileFix social engineering pretext has proven highly effective against unsuspecting users. ClickFix relies on the Windows + R Run dialog shortcut, which can be disabled through a registry key; the same setting also prevents execution of commands through the File Explorer address bar, the path used in FileFix threat activity.
Users should be trained to recognize the characteristics of these social engineering techniques to help prevent potential compromises. Legitimate websites do not typically request that users run commands on their local workstations—especially for CAPTCHA verification.
Campaign Details
The social engineering process in FileFix consists of the following steps:
1. Victims are instructed to click a button labelled “Start Verification”, which opens Windows File Explorer.
2. The site then instructs the user to press Ctrl + L, which selects the address bar in File Explorer.
3. Users are told to press Ctrl + V, pasting a malicious command that was automatically copied to their clipboard when they first navigated to the fake CAPTCHA site.
4. The user is then instructed to press Enter, executing the malicious script or command on their device.
Observed commands typically involve encoded PowerShell scripts that download and execute malware.
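The steps above give defenders a concrete telemetry pattern: a command pasted into the File Explorer address bar is launched with explorer.exe as its parent process, and the observed commands are typically encoded PowerShell. The following script is an added example (not code from this bulletin, Arctic Wolf, or The DFIR Report) that triages process-creation records for that combination and decodes any -EncodedCommand payload for the analyst. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the records at the bottom are constructed sample data, and the encoded payload is a harmless string built on the fly.

```powershell
# Added example, not code from the bulletin or The DFIR Report.
# Triage process-creation telemetry for the FileFix pattern: an interpreter
# launched under explorer.exe, with encoded or hidden PowerShell flags.
# Field names follow Sysmon Event ID 1; the sample records are constructed.

function Test-FileFixPattern {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Event)
    process {
        $parentIsExplorer   = $Event.ParentImage -match '(?i)\\explorer\.exe$'
        $childIsInterpreter = $Event.Image -match '(?i)\\(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe$'
        $hidden = $Event.CommandLine -match '(?i)-w(indowstyle)?\s+hidden|-nop(rofile)?\b'
        # -e / -ec / -enc / -encodedcommand followed by a base64 blob
        $enc = [regex]::Match($Event.CommandLine,
            '(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})')

        $decoded = $null
        if ($enc.Success) {
            try {
                # -EncodedCommand payloads are UTF-16LE, so decode with the Unicode encoding
                $decoded = [Text.Encoding]::Unicode.GetString(
                    [Convert]::FromBase64String($enc.Groups[1].Value))
            } catch { $decoded = '<base64 decode failed>' }
        }

        # explorer.exe is also the parent of Start menu and Run dialog launches,
        # so the parent alone is only a "review" signal; the flags raise severity
        $verdict = 'none'
        if ($parentIsExplorer -and $childIsInterpreter) {
            $verdict = if ($enc.Success) { 'high' } elseif ($hidden) { 'medium' } else { 'review' }
        }

        [pscustomobject]@{
            Verdict     = $verdict
            Image       = $Event.Image
            ParentImage = $Event.ParentImage
            Decoded     = $decoded
            CommandLine = $Event.CommandLine
        }
    }
}

# --- constructed sample records (harmless payload built on the fly) ---
$harmless = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Write-Host 'constructed sample'"))
$samples = @(
    [pscustomobject]@{ Image       = 'C:\Windows\notepad.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"C:\Windows\notepad.exe" C:\Users\u\notes.txt' }   # verdict: none
    [pscustomobject]@{ Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"powershell.exe"' }                                  # verdict: review
    [pscustomobject]@{ Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = "powershell -w hidden -nop -enc $harmless" }          # verdict: high
)

$samples | Test-FileFixPattern | Where-Object Verdict -ne 'none' | Format-List
```

On a real host, replace the constructed `$samples` with records from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}` mapped to the same three fields. Because the Run dialog and the Start menu also produce explorer.exe-parented processes, the verdict is driven by the encoded and hidden-window flags rather than by the parent alone; tune the interpreter list and flag patterns to what your environment's legitimate tooling actually uses.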
Arctic Wolf is a customer of its own products/services and we will follow the same recommendations outlined for our customers in this Security Bulletin.
Recommendations
Block Commonly Abused Domains
Domains like trycloudflare.com are often abused by threat actors to host malicious PowerShell scripts and conduct phishing attacks. If your organization does not rely on trycloudflare.com for critical operations, consider blocking it at the firewall level.
Disable the Run Dialog and CMD Execution in Windows using GPO or the Registry
Microsoft provides the ability to disable execution of commands through the Start menu run dialog via Group Policy or the registry. This also applies to commands executed in Internet Explorer, Windows Explorer, and the Task Manager.
There is also a Group Policy setting available to disable user execution of cmd.exe, which has been abused by threat actors in ClickFix/FileFix threat activity.
For more details, see the following Microsoft documentation pages:
- Disabling Run Dialog: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-startmenu#norun
- Disable User Execution of cmd.exe: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools
Note: These settings may have operational impact depending on the day-to-day needs of users, so they should be tested in isolation before being deployed broadly.
Restrict Execution of Unsigned PowerShell Scripts in Windows
Microsoft provides a Group Policy setting to restrict executed PowerShell code to scripts that are signed by a trusted provider.
For more details, see the following Microsoft documentation page:
- Allow only signed scripts: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy#enablescripts
Note: This setting may have operational impact depending on the day-to-day needs of users, so it should be tested in isolation before being deployed broadly.
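The two recommendations above (disabling the Run dialog and cmd.exe, and allowing only signed PowerShell scripts) are normally delivered through Group Policy, which writes well-known policy values into the registry. The script below is an added example, not Arctic Wolf's code, that audits those values on a single machine and, only when run with -Apply, sets them. The registry paths and value names are assumptions drawn from Microsoft's public policy documentation rather than from this bulletin; the HKLM entries require an elevated shell, the HKCU entries affect only the current user, and the Run dialog change may not take effect until Explorer restarts or the user logs on again.

```powershell
# Added example, not Arctic Wolf's code: audit (default) or apply (-Apply) the
# registry values behind the Group Policy settings recommended in the bulletin.
# Paths and value names are assumptions from Microsoft's policy documentation.
# Test in isolation before broad deployment; HKLM writes need an elevated shell.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # without -Apply the script only reports current state
)

$settings = @(
    @{  Name     = 'Disable Run dialog (also blocks Explorer address bar commands)'
        Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value    = 'NoRun';          Type = 'DWord';  Expected = 1 }
    @{  Name     = 'Disable user execution of cmd.exe (1 = block cmd.exe and batch files)'
        Path     = 'HKCU:\Software\Policies\Microsoft\Windows\System'
        Value    = 'DisableCMD';     Type = 'DWord';  Expected = 1 }
    @{  Name     = 'Turn on script execution (required for the execution policy value below)'
        Path     = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
        Value    = 'EnableScripts';  Type = 'DWord';  Expected = 1 }
    @{  Name     = 'Allow only signed PowerShell scripts'
        Path     = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
        Value    = 'ExecutionPolicy'; Type = 'String'; Expected = 'AllSigned' }
)

function Get-SettingState {
    param($Setting)
    $current = $null
    if (Test-Path $Setting.Path) {
        # Read the single value; missing values yield $null rather than an error
        $current = (Get-ItemProperty -Path $Setting.Path -Name $Setting.Value `
                        -ErrorAction SilentlyContinue).($Setting.Value)
    }
    [pscustomobject]@{
        Setting   = $Setting.Name
        Current   = $(if ($null -eq $current) { '<not set>' } else { $current })
        Expected  = $Setting.Expected
        Compliant = ($current -eq $Setting.Expected)
    }
}

$report = foreach ($s in $settings) {
    $state = Get-SettingState $s
    if ($Apply -and -not $state.Compliant -and
        $PSCmdlet.ShouldProcess("$($s.Path)\$($s.Value)", "Set to $($s.Expected)")) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Value -Value $s.Expected `
                         -PropertyType $s.Type -Force | Out-Null
        $state = Get-SettingState $s   # re-read so the report shows the new state
    }
    $state
}

$report | Format-Table -AutoSize
```

Run it without arguments to get a compliance table, or with `-Apply -WhatIf` to see which values would change before committing to `-Apply`. DisableCMD accepts 2 instead of 1 to block the interactive command prompt while still allowing batch files, which is the value to choose if logon or maintenance scripts depend on cmd.exe.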
Configure App Control for Business or AppLocker Policies to Limit Execution of Unapproved Scripts
Through App Control for Business (formerly known as Windows Defender Application Control) and AppLocker policies, execution of unapproved scripts can be limited.
App Control for Business provides Constrained Language Mode, a PowerShell execution environment with potentially dangerous features disabled. PowerShell scripts that aren’t allowed by App Control policies are still run, but only in Constrained Language Mode.
The configuration of these features should be tailored to the specific needs and risk profile of each environment, and detailed implementation steps are beyond the scope of this security bulletin.
User Awareness Training
Organizations should deliver regular, targeted user training to reinforce the risks of copying and pasting commands from untrusted sources—particularly from unsolicited browser prompts that mimic system errors or CAPTCHA challenges.
Arctic Wolf offers modules within the Managed Security Awareness (MA) product to help users recognize and respond to the types of threats outlined in this bulletin.
References
Technical Article: https://mrd0x.com/filefix-clickfix-alternative/
DFIR Article: https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/
Registry Key Disable Example: https://x.com/ajpc500/status/1941443569199481134