Ransomware groups have been steadily integrating social engineering techniques into their initial access playbooks — and Interlock, active since 2024, has been among the more aggressive adopters of those methods.
A threat actor connected to the Interlock ransomware operation spent more than a week inside a compromised server, exfiltrating data with the help of a newly identified backdoor called Slopoly — a PowerShell-based malware strain that researchers believe was generated using a large language model. IBM X-Force, which analyzed the campaign, says the evidence for AI-assisted development includes extensive in-code commentary, structured logging, explicit error handling, and clearly named variables — all characteristics that are rarely seen in human-written malware.
The researchers attributed the attack to a financially motivated group they track as Hive0163, described in their report as an operation whose “main objective is extortion through large-scale data exfiltration and ransomware.” The breach began with a ClickFix social engineering lure. Slopoly was deployed in a later stage, functioning as a client for the group’s command-and-control framework.
What Slopoly Actually Does
Despite being labeled a “Polymorphic C2 Persistence Client” in its own code comments, IBM X-Force found no feature allowing the script to modify itself during execution. The firm says the builder likely generates new clients with randomized configuration values and function names — standard practice, not genuine polymorphism.
The malware installs to C:\ProgramData\Microsoft\Windows\Runtime\ and maintains persistence through a scheduled task named “Runtime Broker.” Its core behavior includes collecting system information, sending a heartbeat beacon every 30 seconds to /api/commands, and polling for commands every 50 seconds, executing them via cmd.exe and returning output to the C2 server. It also maintains a rotating persistence.log file.
Supported commands allow the operator to download and execute EXE, DLL, or JavaScript payloads, run shell commands, adjust beaconing intervals, push updates, or terminate the process entirely.
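The fixed 30-second heartbeat and 50-second command poll described above are exactly the kind of cadence that stands out in egress logs. The following detection script is an added example, not code from IBM X-Force or from the original article: it parses constructed web-proxy log lines, groups requests by client and URL, and flags any series whose inter-request gaps have very low jitter, which is what a timer-driven beacon to a path such as /api/commands looks like next to bursty human browsing. The log format, the client addresses and the C2 hostname are assumptions for the sample data.

```python
"""Detect fixed-interval beaconing in web-proxy logs.

Added example (not from IBM X-Force or the original article). It flags
clients that request the same URL at a near-constant cadence, which is
how Slopoly's 30-second heartbeat to /api/commands and 50-second command
poll would show up in egress logs. Log lines, hosts and the C2 address
below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<timestamp> <client_ip> <method> <url>"
# 10.0.0.5 beacons every ~30 s; 10.0.0.9 is ordinary intranet browsing.
SAMPLE_LOG = """\
2025-01-10T10:00:00 10.0.0.5 POST http://c2.example.invalid/api/commands
2025-01-10T10:00:07 10.0.0.9 GET http://intranet.example.invalid/home
2025-01-10T10:00:30 10.0.0.5 POST http://c2.example.invalid/api/commands
2025-01-10T10:01:00 10.0.0.5 POST http://c2.example.invalid/api/commands
2025-01-10T10:01:12 10.0.0.9 GET http://intranet.example.invalid/news
2025-01-10T10:01:30 10.0.0.5 POST http://c2.example.invalid/api/commands
2025-01-10T10:02:00 10.0.0.5 POST http://c2.example.invalid/api/commands
2025-01-10T10:02:31 10.0.0.5 POST http://c2.example.invalid/api/commands
2025-01-10T10:03:00 10.0.0.5 POST http://c2.example.invalid/api/commands
2025-01-10T10:03:45 10.0.0.9 GET http://intranet.example.invalid/home
"""


def parse_log(text):
    """Return a list of (timestamp, client, url) tuples from the format above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        events.append((datetime.fromisoformat(ts), client, url))
    return events


def find_beacons(events, min_requests=5, max_jitter=0.15):
    """Return {(client, url): mean_gap_seconds} for series with a stable cadence.

    max_jitter is the largest allowed coefficient of variation (stdev / mean)
    of the gaps between consecutive requests. User-driven traffic is bursty
    and exceeds it easily; a timer-driven beacon stays far below it even
    with a second or two of scheduling slop.
    """
    series = defaultdict(list)
    for ts, client, url in events:
        series[(client, url)].append(ts)

    results = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        if pstdev(gaps) / avg <= max_jitter:
            results[key] = round(avg, 1)
    return results


if __name__ == "__main__":
    for (client, url), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {url} every ~{gap}s")
```

On the sample data the only series that survives the jitter test is the 10.0.0.5 client hitting /api/commands roughly every 30 seconds. In practice the same logic runs over a day of proxy or NetFlow data with the thresholds tuned per environment, and a network hit is then corroborated on the host by the artifacts the report lists: the C:\ProgramData\Microsoft\Windows\Runtime\ directory, the "Runtime Broker" scheduled task, and the rotating persistence.log file.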
The attack also deployed NodeSnake and InterlockRAT alongside Slopoly. The ransomware payload itself — a 64-bit Windows executable delivered through the JunkFiction loader — runs as a scheduled task under SYSTEM privileges. It uses the Windows Restart Manager API to release locked files before encryption, appending either .!NT3RLOCK or .int3R1Ock extensions to affected files.
Broader Connections
Interlock has previously claimed attacks against the Texas Tech University System, DaVita, Kettering Health, and the city of Saint Paul, Minnesota. IBM X-Force says Hive0163 may also have associations with developers behind Broomstick, SocksShell, PortStarter, SystemBC, and operators of the Rhysida ransomware.
The researchers note that while Slopoly itself is not technically advanced, its presence in an active ransomware chain signals that AI tools are being used to accelerate custom malware development in ways that can help operators avoid detection.
According to the report, IBM X-Force was unable to determine which large language model was used to generate the script.
This article is a curated summary based on third-party sources.