In this episode, we break down how Interlock, a fast-moving ransomware group launched in late 2024, has evolved from using web injectors and clipboard tricks (like ClickFix) to an even more covert social engineering technique that abuses Windows File Explorer’s address bar to execute malicious code without triggering security prompts or downloads.
Key topics include:
- How FileFix works: The attacker tricks users into pasting a disguised PowerShell command into File Explorer, using a technique that removes the “Mark of the Web” (MOTW) and bypasses antivirus warnings.
- What makes it dangerous: Unlike traditional phishing, FileFix doesn’t rely on file execution or macros—just one paste and one Enter keystroke.
- The malware: The payload is a PHP-based Remote Access Trojan (RAT) that establishes persistence, gathers system information, and enables lateral movement and data exfiltration.
- The bigger picture: With FileFix confirmed in the wild and being actively adopted by Interlock, this attack method is poised to become a popular new vector for a variety of threat actors.
We also cover how FileFix fits into a wider ransomware evolution:
- The shift to double extortion and Ransomware-as-a-Service (RaaS)
- The increasing use of EDR killers and lateral movement tools
- The importance of breakout time and why 1-10-60 detection rules matter more than ever
Finally, we close with a call to action:
FileFix shows that endpoint compromise doesn’t always start with a download. Organizations must reassess how they handle clipboard input, browser content, and even basic UI trust. Email training is no longer enough—file paths can now be weapons.
