Slopoly
Slopoly is a PowerShell-based backdoor and command-and-control client used by the financially motivated threat actor Hive0163 in Interlock ransomware intrusions. IBM X-Force reported it was deployed during the post-exploitation phase after initial access had already been established, including in an early-2026 ransomware attack where it maintained persistent access to a compromised server for more than a week and supported data exfiltration.
The malware was observed being deployed after ClickFix social engineering led to execution of PowerShell and delivery of NodeSnake; later stages of the intrusion also involved InterlockRAT, AzCopy, Advanced IP Scanner, and ultimately Interlock ransomware. Hive0163 is associated with extortion, large-scale data theft, NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware, and has also been linked to malvertising and initial access brokers TA569/SocGholish and TAG-124/KongTuke/LandUpdate808.
Slopoly was reportedly dropped under C:\ProgramData\Microsoft\Windows\Runtime\ and established persistence via a scheduled task named "Runtime Broker." It collects system information, sends heartbeat beacons to its C2 infrastructure every 30 seconds, polls for commands every 50 seconds, executes commands through cmd.exe, and returns command output to the server. Reported capabilities also include downloading and executing EXE, DLL, or JavaScript payloads, changing beacon intervals, updating itself, and exiting. It maintained a rotating persistence.log file. One reported C2 domain was plurfestivalgalaxy[.]com, associated with 94.156.181[.]89; additional Hive0163-related C2 IPs reported in the source material were 77.42.75[.]119, 23.227.203[.]123, and 172.86.68[.]64.
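The fixed 30-second heartbeat and 50-second command poll described above are the most reliable network-side signal a defender has for this client. The following added example (not code from the original report or from Mallory) scans constructed proxy log lines for per-source, per-host, per-path request cadences that match those two intervals and flags a source that shows both cadences against the same host. The host name and the polling path are placeholders; only the /api/commands heartbeat path comes from the reported behaviour.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample proxy log lines (not real telemetry): "timestamp src_ip host path".
# One internal host beacons to a placeholder C2 host on a 30 s heartbeat and a 50 s poll;
# a second, legitimate destination has irregular gaps and must not be flagged.
SAMPLE_LOGS = """
2026-02-10T09:00:00 10.0.0.5 c2-placeholder.example /api/commands
2026-02-10T09:00:02 10.0.0.5 updates.example /feed
2026-02-10T09:00:05 10.0.0.5 c2-placeholder.example /api/poll-placeholder
2026-02-10T09:00:30 10.0.0.5 c2-placeholder.example /api/commands
2026-02-10T09:00:47 10.0.0.5 updates.example /feed
2026-02-10T09:00:55 10.0.0.5 c2-placeholder.example /api/poll-placeholder
2026-02-10T09:01:00 10.0.0.5 c2-placeholder.example /api/commands
2026-02-10T09:01:31 10.0.0.5 c2-placeholder.example /api/commands
2026-02-10T09:01:45 10.0.0.5 c2-placeholder.example /api/poll-placeholder
2026-02-10T09:02:00 10.0.0.5 c2-placeholder.example /api/commands
2026-02-10T09:02:35 10.0.0.5 c2-placeholder.example /api/poll-placeholder
2026-02-10T09:03:10 10.0.0.5 updates.example /feed
2026-02-10T09:03:12 10.0.0.5 updates.example /feed
"""

# Intervals reported for Slopoly; TOLERANCE absorbs scheduler and network jitter.
CADENCES = {"heartbeat": 30, "poll": 50}
TOLERANCE = 3  # seconds

def parse_log(text):
    """Group request timestamps by (src_ip, host, path)."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, host, path = line.split()
        events[(src, host, path)].append(datetime.fromisoformat(ts))
    return events

def find_periodic_beacons(events, min_hits=4):
    """Return (src, host, path, label, mean_gap) for series whose gaps all match a known cadence."""
    findings = []
    for (src, host, path), times in events.items():
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_hits - 1:
            continue  # too few requests to call a cadence
        for label, period in CADENCES.items():
            if all(abs(g - period) <= TOLERANCE for g in gaps):
                findings.append((src, host, path, label, round(mean(gaps), 1)))
    return findings

def slopoly_hosts(findings):
    """Sources showing both the heartbeat and the poll cadence against one host."""
    seen = defaultdict(set)
    for src, host, _path, label, _gap in findings:
        seen[(src, host)].add(label)
    return {key for key, labels in seen.items() if labels == set(CADENCES)}
```

Tune TOLERANCE and min_hits to your log volume; the operator can change the beacon intervals, so treat the 30/50 pairing as a starting hypothesis rather than a fixed signature.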
Researchers assessed Slopoly as likely developed with assistance from a large language model based on extensive comments, structured logging, error handling, clearly named variables, and an unused "Jitter" function. Although comments described it as a "Polymorphic C2 Persistence Client," IBM X-Force stated it is not truly polymorphic because it does not modify its own code at runtime; instead, a builder likely generates variants by changing configuration values such as beacon intervals, identifiers, mutex names, session IDs, C2 endpoints, and function names. The content characterizes Slopoly as not highly sophisticated, but as an example of AI-assisted malware development accelerating custom tooling for ransomware operations.
Vulnerabilities exploited
The Interlock ransomware gang has been exploiting a maximum severity remote code execution (RCE) vulnerability in Cisco's Secure Firewall Management Center (FMC) software in zero-day attacks since late January. Cisco patched the security flaw (CVE-2026-20131) on March 4, warning that it could allow unauthenticated attackers to remotely execute arbitrary Java code as root on unpatched devices.
Groups observed using it
Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163. In one ransomware attack observed by IBM X-Force in early 2026, the threat actor deployed Slopoly during the post-exploitation phase to maintain persistent access to the compromised server for more than a week.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (5 techniques)
The malware collects system information, executes commands remotely, and establishes persistence through scheduled tasks.
Persistence is achieved by setting up a scheduled task called "Runtime Broker."
The attack in itself is said to have leveraged the ClickFix social engineering tactic to trick the victim into running a PowerShell command, which then downloads NodeSnake.
The PowerShell script functions as a full-fledged backdoor that can beacon a heartbeat message containing system information to a C2 server every 30 seconds, poll for a new command every 50 seconds, execute it via "cmd.exe," and relay the results back to the server.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Discovery (1 technique)
The PowerShell script functions as a full-fledged backdoor that can beacon a heartbeat message containing system information to a C2 server every 30 seconds.
Lateral Movement (2 techniques)
The attackers later deployed Slopoly and tools such as AzCopy and Advanced IP Scanner to expand access and move laterally within the network.
Command and Control (3 techniques)
Slopoly was observed as a post-exploitation backdoor introduced after initial access had already been established... to provide attackers with a quickly built, fit-for-purpose command-and-control client... From a technical standpoint, Slopoly is a relatively simple PowerShell-based C2 client.
“Sending a heartbeat beacon every 30 seconds to /api/commands; Polling for commands every 50 seconds… Sending command output back to the C2 server”
A first-stage component, NodeSnake, is designed to run shell commands, establish persistence, and retrieve and launch a wider malware framework referred to as Interlock RAT.
Exfiltration (1 technique)
This backdoor allowed attackers to maintain access to compromised servers for over a week, facilitating significant data exfiltration.
Recent activity
A PowerShell-based command-and-control backdoor apparently generated with AI assistance and deployed post-compromise to maintain access during intrusions.
Referenced as malware reportedly used in an Interlock ransomware attack.
A new malware strain used by Interlock operators, reportedly likely created using generative AI tools.
Likely AI-generated malware used as a custom command-and-control persistence client. It was deployed on an already-infected server, installed under C:\ProgramData\Microsoft\Windows\Runtime\, persisted via a scheduled task named “Runtime Broker,” and used to maintain access during a ransomware intrusion.