Full Report
A new malware strain dubbed Slopoly, likely created using generative AI tools, allowed a threat actor to remain on a compromised server for more than a week and steal data in an Interlock ransomware attack. [...]
Analysis Summary
# Tool/Technique: Slopoly
## Overview
Slopoly is a PowerShell-based backdoor and Command and Control (C2) client identified by IBM X-Force. It is notable for showing strong indicators of being developed using Generative AI (LLM) tools, characterized by unusually clean code, structured logging, and extensive commentary. It serves as a persistence mechanism and downloader used by the Hive0163 threat group during Interlock ransomware campaigns.
## Technical Details
- **Type:** Malware (Backdoor/C2 Client)
- **Platform:** Windows (PowerShell)
- **Capabilities:** System information gathering, remote command execution, payload delivery (EXE, DLL, JS), and persistence.
- **First Seen:** Reported March 2026 (Active in Interlock campaigns).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link (ClickFix/FileFix ruse)]
- **[TA0003 - Persistence]**
  - [T1053.005 - Scheduled Task/Job: Scheduled Task]
- **[TA0005 - Defense Evasion]**
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
  - [T1027 - Obfuscated Files or Information (AI-generated variability)]
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
- **[TA0011 - Command and Control]**
  - [T1071.001 - Application Layer Protocol: Web Protocols (HTTP/HTTPS)]
  - [T1105 - Ingress Tool Transfer]
## Functionality
### Core Capabilities
- **Beaconing:** Sends heartbeats every 30 seconds to the C2 and polls for commands every 50 seconds.
- **Command Execution:** Receives and executes shell commands via `cmd.exe`, returning output to the attacker.
- **Payload Deployment:** Capable of downloading and executing additional PE files (EXE, DLL) or JavaScript payloads.
- **Information Gathering:** Collects basic system metadata upon infection.
### Advanced Features
- **AI-Enhanced Development:** Features structured error handling, detailed logging, and descriptive variable names that suggest LLM-assisted coding.
- **Self-Updating:** Supports commands to update its own script code.
- **Pseudo-Polymorphism:** While the code does not mutate at runtime, the builder generates unique versions with randomized configuration values (mutex names, session IDs) for each deployment.
## Indicators of Compromise
- **File Names:** `persistence.log` (generated by the script).
- **Scheduled Task Name:** "Runtime Broker" (created for persistence).
- **File Paths:** `C:\ProgramData\Microsoft\Windows\Runtime\`
- **Network Indicators:**
  - `[C2_Server_Address]/api/commands` (C2 endpoint)
- **Behavioral Indicators:**
  - PowerShell execution from `ProgramData` subdirectories.
  - Frequent HTTP POST/GET requests to a specific API path from a non-browser process.
## Associated Threat Actors
- **Hive0163** (primary attribution; financially motivated, with links to Broomstick, SocksShell and Rhysida ransomware).
- **Interlock Ransomware Gang** (uses the tool in recent campaigns).
## Detection Methods
- **Signature-based detection:** Monitoring for the specific script structure and the phrase "Polymorphic C2 Persistence Client" in PowerShell scripts.
- **Behavioral detection:** Flagging `schtasks.exe` or `powershell.exe` creating a task named "Runtime Broker" (masquerading as a legitimate Windows process).
- **Logging:** Monitoring PowerShell Script Block Logging (Event ID 4104) for commands involving the `/api/commands` URI.
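As an added example (not code from the X-Force report), the three checks above applied to constructed Windows event records: a Script Block Logging record (Event ID 4104) and process-creation records (Event ID 4688). The event field names, the sample command lines and the `client.ps1` file name are assumptions.

```python
import re

# Constructed sample events for illustration; field names are assumed, not
# taken from any real log source.
SAMPLE_EVENTS = [
    {"id": 4104,
     "script": '# Polymorphic C2 Persistence Client\nInvoke-RestMethod "$server/api/commands"'},
    {"id": 4688, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Runtime Broker" /tr "powershell.exe -File C:\ProgramData\Microsoft\Windows\Runtime\client.ps1"'},
    {"id": 4688, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\ProgramData\Microsoft\Windows\Runtime\client.ps1"},
    {"id": 4688, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /tr "C:\Tools\backup.exe"'},
]

# Strings the report names as script-level indicators (case-insensitive match).
SCRIPT_MARKERS = ("Polymorphic C2 Persistence Client", "/api/commands")
# Task name supplied via schtasks.exe (/tn) or Register-ScheduledTask (-TaskName).
TASK_RE = re.compile(r'(?:/tn|-TaskName)\s+"?Runtime Broker"?', re.IGNORECASE)
# Any drive-letter path under ProgramData on the command line.
PROGRAMDATA_RE = re.compile(r"[A-Z]:\\ProgramData\\", re.IGNORECASE)


def check_event(ev):
    """Return the list of detection names that fire for one event (empty if none)."""
    hits = []
    if ev["id"] == 4104:
        script = ev["script"].lower()
        # "/api/commands" alone can appear in benign automation; the marker phrase
        # is the stronger signal, so report each match separately for triage.
        hits.extend(f"scriptblock marker: {m}" for m in SCRIPT_MARKERS if m.lower() in script)
    elif ev["id"] == 4688:
        image = ev["image"].lower()
        if image.endswith(("schtasks.exe", "powershell.exe")) and TASK_RE.search(ev["cmdline"]):
            hits.append("scheduled task masquerading as Runtime Broker")
        if image.endswith("powershell.exe") and PROGRAMDATA_RE.search(ev["cmdline"]):
            hits.append("powershell launched from ProgramData")
    return hits


def scan(events):
    """Return (index, hits) for every event that triggers at least one check."""
    results = []
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```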
## Mitigation Strategies
- **Script Execution Policy:** Enforce "AllSigned" or "Restricted" PowerShell execution policies via GPO; treat this as a guardrail rather than a security boundary, since a script can still be launched with the policy bypassed.
- **Attack Surface Reduction (ASR):** Implement rules to block process creations from PowerShell scripts.
- **User Training:** Educate users on "ClickFix" social engineering ruses (fake browser/update prompts).
- **Monitor Scheduled Tasks:** Regularly audit scheduled tasks for common masquerading names like "Runtime Broker."
## Related Tools/Techniques
- **ClickFix/FileFix:** The initial access social engineering framework.
- **NodeSnake:** A specialized RAT used alongside Slopoly.
- **InterlockRAT:** Sophisticated backdoor used for post-exploitation.
- **JunkFiction:** The loader used to deliver the final ransomware payload.