Hive0163 Deploys AI-Assisted Slopoly Malware for Persistent Access
Summary
Hive0163, a financially motivated threat actor, has been observed using a new AI-assisted malware called Slopoly to maintain persistent access in ransomware attacks. The malware, discovered in early 2026, is part of a command-and-control (C2) framework and was deployed during the post-exploitation phase of an attack. Slopoly is believed to have been developed with the help of a large language model (LLM), although it lacks advanced polymorphic capabilities. The malware functions as a backdoor, beaconing system information to a C2 server and executing commands. Hive0163 is also known for using other malicious tools like NodeSnake, Interlock RAT, and JunkFiction loader in their operations. The attack leveraged the ClickFix social engineering tactic to trick victims into running a PowerShell command. Hive0163 uses initial access brokers like TA569 and TAG-124 for establishing a foothold. The Interlock ransomware payload is a 64-bit Windows executable delivered via the JunkFiction loader, and Hive0163 may have associations with the developers behind Broomstick, SocksShell, PortStarter, SystemBC, and the Rhysida ransomware operators.
Timeline
- 12.03.2026 19:02 (2 articles)
Hive0163 Deploys AI-Assisted Slopoly Malware for Persistent Access
In early 2026, Hive0163 was observed deploying Slopoly malware during the post-exploitation phase of an Interlock ransomware attack to maintain persistent access for more than a week. The malware, believed to be AI-generated, functions as a backdoor, beaconing system information to a C2 server and executing commands. Slopoly is rather unsophisticated and does not possess any advanced techniques, despite claims of being polymorphic. The malware is deployed as a PowerShell script acting as a client for the command-and-control (C2) framework. Hive0163 is known for using various malicious tools and initial access brokers in their operations, including NodeSnake, Interlock RAT, and JunkFiction loader. The attack leveraged the ClickFix social engineering tactic to trick victims into running a PowerShell command.
Sources:
- Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks — thehackernews.com — 12.03.2026 19:02
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
Information Snippets
- Hive0163 uses Slopoly malware for persistent access in ransomware attacks.
  First reported: 12.03.2026 19:02 (2 sources, 2 articles). Sources:
- Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks — thehackernews.com — 12.03.2026 19:02
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
- Slopoly is believed to be AI-generated, with extensive comments and logging.
  First reported: 12.03.2026 19:02 (2 sources, 2 articles). Sources:
- Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks — thehackernews.com — 12.03.2026 19:02
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
- The malware functions as a backdoor, beaconing system information every 30 seconds and executing commands every 50 seconds.
  First reported: 12.03.2026 19:02 (2 sources, 2 articles). Sources:
- Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks — thehackernews.com — 12.03.2026 19:02
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
- Hive0163 employs various malicious tools, including NodeSnake, Interlock RAT, and JunkFiction loader.
  First reported: 12.03.2026 19:02 (2 sources, 2 articles). Sources:
- Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks — thehackernews.com — 12.03.2026 19:02
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
- The attack leveraged the ClickFix social engineering tactic to trick victims into running a PowerShell command.
  First reported: 12.03.2026 19:02 (2 sources, 2 articles). Sources:
- Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks — thehackernews.com — 12.03.2026 19:02
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
- Hive0163 uses initial access brokers like TA569 and TAG-124 for establishing a foothold.
  First reported: 12.03.2026 19:02 (1 source, 1 article). Sources:
- Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks — thehackernews.com — 12.03.2026 19:02
- Slopoly is deployed as a PowerShell script acting as a client for the command-and-control (C2) framework.
  First reported: 12.03.2026 22:01 (1 source, 1 article). Sources:
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
- Slopoly is rather unsophisticated and does not possess any advanced techniques, despite claims of being polymorphic.
  First reported: 12.03.2026 22:01 (1 source, 1 article). Sources:
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
- Slopoly was generated by a builder that inserted configuration values such as beaconing intervals, command-and-control addresses, mutex names, and session IDs.
  First reported: 12.03.2026 22:01 (1 source, 1 article). Sources:
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
- Slopoly is deployed in C:\ProgramData\Microsoft\Windows\Runtime\ and maintains a rotating persistence.log file.
  First reported: 12.03.2026 22:01 (1 source, 1 article). Sources:
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
- Slopoly supports commands for downloading and executing EXE, DLL, or JavaScript payloads; running shell commands and returning the results; changing beaconing intervals; updating itself; or exiting its own process.
  First reported: 12.03.2026 22:01 (1 source, 1 article). Sources:
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
- The Interlock ransomware payload is a 64-bit Windows executable delivered via the JunkFiction loader.
  First reported: 12.03.2026 22:01 (1 source, 1 article). Sources:
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
- Hive0163 may have associations with the developers behind Broomstick, SocksShell, PortStarter, SystemBC, and the Rhysida ransomware operators.
  First reported: 12.03.2026 22:01 (1 source, 1 article). Sources:
- AI-generated Slopoly malware used in Interlock ransomware attack — www.bleepingcomputer.com — 12.03.2026 22:01
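The two concrete, huntable behaviours in the snippets above are the fixed beacon cadence (check-ins every 30 seconds, command polling every 50 seconds) and the fixed drop directory C:\ProgramData\Microsoft\Windows\Runtime\ with its rotating persistence.log. The following is an added example written for this page, not code from the reports, the malware, or the Slopoly framework: a small Python detector that flags near-constant-interval outbound connections in constructed proxy-style log lines, and a host-artifact check for the reported drop directory. The log format, host names, destination addresses, and the file name client.ps1 are all assumptions constructed for the example; only the drop directory and the persistence.log name come from the page.

```python
"""Added example (not from the page's sources): beacon-periodicity and
drop-directory checks for the Slopoly behaviours reported above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed outbound-connection log, one event per line:
#   "<ISO-8601 timestamp> <src_host> <dst_ip>:<dst_port>"
# WS-01 reaches one destination exactly every 30 s (a fixed-interval beacon
# like the one reported); WS-02 makes irregular, browsing-like connections.
# Host names and addresses are invented (203.0.113.0/24 is a documentation range).
def _build_sample_log() -> List[str]:
    t0 = datetime(2026, 3, 12, 19, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=30 * i)).isoformat()} WS-01 203.0.113.10:443"
             for i in range(12)]
    lines += [f"{(t0 + timedelta(seconds=s)).isoformat()} WS-02 203.0.113.20:443"
              for s in (0, 7, 95, 110, 400, 403, 900)]
    return sorted(lines)

SAMPLE_LOG = _build_sample_log()
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_events(lines: List[str]) -> Dict[Tuple[str, str], List[datetime]]:
    """Group connection timestamps by (source host, destination)."""
    events: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, src, dst = m.groups()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events

def find_periodic_beacons(lines: List[str], min_events: int = 8,
                          max_cv: float = 0.1) -> List[Tuple[str, str, float, int]]:
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is close to 0 for a
    timer-driven beacon and large for human browsing. Returns
    (src, dst, mean_gap_seconds, event_count) for each flagged pair.
    """
    hits = []
    for (src, dst), times in parse_events(lines).items():
        if len(times) < min_events:
            continue  # too few events to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg, 1), len(times)))
    return hits

# Drop directory reported for Slopoly (from the page); file names below are constructed.
REPORTED_DROP_DIR = r"C:\ProgramData\Microsoft\Windows\Runtime"
SAMPLE_PATHS = [
    r"C:\ProgramData\Microsoft\Windows\Runtime\persistence.log",
    r"C:\ProgramData\Microsoft\Windows\Runtime\persistence.log.1",
    r"C:\ProgramData\Microsoft\Windows\Runtime\client.ps1",   # constructed name
    r"C:\ProgramData\Microsoft\Windows\WER\report.wer",
    r"C:\Windows\Temp\setup.tmp",
]

def suspicious_runtime_artifacts(paths: List[str]) -> List[Tuple[str, bool]]:
    """Return every path inside the reported drop directory, with a flag that is
    True when the file is a (possibly rotated) persistence.log."""
    prefix = REPORTED_DROP_DIR.lower() + "\\"
    out = []
    for p in paths:
        norm = p.replace("/", "\\")
        if norm.lower().startswith(prefix):
            name = norm.rsplit("\\", 1)[-1].lower()
            out.append((p, name.startswith("persistence.log")))
    return out

if __name__ == "__main__":
    for src, dst, gap, n in find_periodic_beacons(SAMPLE_LOG):
        print(f"periodic beacon: {src} -> {dst} every ~{gap}s ({n} events)")
    for path, is_log in suspicious_runtime_artifacts(SAMPLE_PATHS):
        print(f"artifact in drop dir: {path}{'  [rotating persistence log]' if is_log else ''}")
```

On real proxy or firewall exports, point parse_events at the timestamp, source and destination columns of your own format and tune min_events and max_cv to the log volume; a 30-second beacon produces about 120 events per hour per destination, so an hour of data is plenty for the periodicity check to fire.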
Similar Happenings
Trojanized Gaming Tools Distribute Java-Based RAT via Browser and Chat Platforms
Threat actors are distributing a Java-based remote access trojan (RAT) through trojanized gaming utilities spread via browsers and chat platforms. The malware uses PowerShell and living-off-the-land binaries (LOLBins) for stealthy execution and evades detection by deleting the initial downloader and configuring Microsoft Defender exclusions. The RAT connects to a command-and-control (C2) server for data exfiltration and additional payload deployment. The disclosure coincides with the emergence of Steaelite, a new Windows RAT malware family advertised on criminal forums, which combines data theft and ransomware capabilities in a single web panel. Additionally, two new RAT families, DesckVB RAT and KazakRAT, have been discovered, enabling comprehensive remote control over infected hosts.
ErrTraffic Service Enables Automated ClickFix Attacks via Fake Browser Glitches
A new cybercrime tool called ErrTraffic automates ClickFix attacks by generating fake browser glitches on compromised websites to trick users into downloading malware or following malicious instructions. The service promises high conversion rates and delivers architecture-specific payloads. ClickFix attacks have gained popularity among cybercriminals and state-sponsored actors for bypassing security controls. ErrTraffic is sold for a one-time purchase of $800 and offers a user-friendly panel for campaign management. It modifies the DOM of compromised websites to display visual glitches, prompting victims to execute malicious commands. Payloads include Lumma and Vidar info-stealers on Windows, Cerberus trojan on Android, AMOS stealer on macOS, and unspecified Linux backdoors.
Increased Use of ClickFix Attacks by Threat Actors
ClickFix attacks, where users are tricked into running malicious commands by copying code from a webpage, have become a significant source of security breaches. These attacks are used by various threat actors, including the Interlock ransomware group and state-sponsored APTs. Recent data breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics. A new variant of ClickFix attacks has emerged, targeting cryptocurrency users by abusing Pastebin comments to distribute malicious JavaScript. This attack tricks users into executing code that hijacks Bitcoin swap transactions, redirecting funds to attacker-controlled wallets. The campaign relies on social engineering that promises large profits from a supposed Swapzone.io arbitrage exploit, but instead runs malicious code that modifies the swap process directly within the victim's browser. The attacks exploit user behavior and technical gaps in detection to evade security measures and are delivered through SEO poisoning, malvertising, and other non-email vectors, making them harder to detect and prevent. Effective defense against ClickFix attacks requires browser-based detection and blocking to intercept these threats at the earliest opportunity.
COLDRIVER APT Group Uses ClickFix Tactics to Deliver BAITSWITCH and SIMPLEFIX Malware
The COLDRIVER APT group, also known as Star Blizzard, has intensified its operations since May 2025, rapidly developing and refining its malware arsenal. The group has launched a new campaign using ClickFix tactics to deliver three new malware families: NOROBOT, YESROBOT, and MAYBEROBOT. These malware families are connected via a delivery chain and target individuals and organizations connected to Russia, including NGOs, human rights defenders, and think tanks. The attack chain involves tricking victims into running a malicious DLL via a fake CAPTCHA check, leading to the deployment of the SIMPLEFIX backdoor. The malware exfiltrates specific file types and establishes communication with a command-and-control server. The campaign aligns with COLDRIVER's known victimology, focusing on civil society members connected to Russia. The group has been active since 2019, using spear-phishing and custom tools like SPICA and LOSTKEYS. The latest campaign demonstrates the group's continued use of effective infection vectors, despite their lack of technical sophistication. The malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively. The COLDRIVER group has been deploying the new malware set more aggressively than any previous campaigns. The new malware set replaces the previous primary malware LOSTKEYS, which has not been observed since its public disclosure in May 2025. The attack starts with a 'ClickFix-style' phishing lure, a fake CAPTCHA page designed to trick the victim into thinking they must verify they’re 'not a robot'. The malware uses a split-key cryptography scheme, with parts of the decryption key hidden in downloaded files and the Windows Registry. The malware fetches a self-extracting Python 3.8 installer, two encrypted Python scripts, and a scheduled task to ensure persistence. 
The Python scripts are combined to decrypt and launch a minimal Python-based first-stage backdoor that communicates with a hardcoded command-and-control (C2) server. The COLDRIVER group abandoned YESROBOT after just two weeks due to its cumbersome and easily detectable nature. The COLDRIVER group switched to MAYBEROBOT, a more flexible PowerShell-based backdoor, around June 2025. MAYBEROBOT uses a custom C2 protocol with commands to download and execute files, run commands via cmd.exe, and execute PowerShell blocks. The COLDRIVER group has been constantly evolving the NOROBOT malware to evade detection systems. The group has been using the NOROBOT and MAYBEROBOT malware families on targets previously compromised through phishing to acquire additional intelligence value from information on their devices directly. The PhantomCaptcha campaign targeted Ukrainian regional government administration and organizations critical for the war relief effort, including the International Committee of the Red Cross, UNICEF, and various NGOs. The campaign began on October 8, 2025, and used a malicious "I am not a robot" CAPTCHA challenge to execute a PowerShell command, installing malware on victims' systems. The malware operated in three stages: a downloader script, a reconnaissance module, and a WebSocket-based RAT. The campaign's infrastructure was active for just one day, with backend servers remaining online to manage infected devices. The PhantomCaptcha campaign is linked to a wider operation involving malicious Android apps disguised as adult entertainment or cloud storage services. The latest incidents were reported in May and June 2025 by two organizations, including Reporters Without Borders (RSF). The group is known for impersonating trusted contacts and prompting targets to request missing or malfunctioning attachments. 
In one case involving RSF in March 2025, a ProtonMail address mimicking a legitimate contact sent a French-language email asking a core member to review a document. No file was attached. When the member requested it, the operators replied in English with a link routed through a compromised website to a ProtonDrive URL. However, the file itself could not be retrieved because ProtonMail had blocked the associated account. A second victim received a file labeled as a PDF that was actually a ZIP archive disguised with a .pdf extension. The final stage of the attack used a typical Calisto decoy PDF that claimed to be encrypted and instructed the user to open it in ProtonDrive. The link again sent the target through a redirector hosted on a compromised website. The phishing kit analyzed by TDR, located on account.simpleasip[.]org, appeared to be custom built. It targeted ProtonMail accounts using an Adversary-in-the-Middle (AiTM) setup that relays two-factor authentication (2FA). Analysts found injected JavaScript designed to keep the cursor locked to the password field and to interact with an attacker-controlled API for handling CAPTCHA and 2FA prompts. Star Blizzard's infrastructure included servers hosting phishing pages and others serving as API endpoints. Many domains were tied to Namecheap services, while some earlier ones were registered via Regway to help analysts track the cluster over time.
UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages
Microsoft and Malwarebytes have disclosed a **DNS-based ClickFix variant** that marks the first documented use of the `nslookup` command to stage and deliver malicious payloads. This technique abuses DNS queries to retrieve a PowerShell script embedded in the `NAME:` field of a DNS response from an attacker-controlled server (**84[.]21.189[.]20**), which then deploys **ModeloRAT** via a Python runtime and VBScript persistence mechanism. The attack chain begins with fake CAPTCHA lures, followed by social engineering tactics (e.g., fake system alerts, browser crashes, or instructional videos) to coerce victims into executing the `nslookup` command, which downloads a ZIP archive containing the final payload. This evolution builds on earlier ClickFix tactics, including **ConsentFix** (Azure CLI OAuth abuse), **CrashFix** (malicious Chrome extensions triggering browser crashes), and **SyncAppvPublishingServer.vbs** (Google Calendar dead drops). The latest DNS-based approach demonstrates the campaign’s adaptability, leveraging **trusted native tools** (`nslookup`), **DNS as a C2 channel**, and **psychological manipulation** (urgency tactics) to bypass security controls. Concurrently, ClickFix campaigns continue to expand with **cross-platform targeting** (Windows/Linux/macOS), **AI platform abuse** (ChatGPT, Grok, Claude), and **weaponized SaaS infrastructure** (Google Groups, Pastebin) to distribute payloads like **Lumma Stealer** and **Odyssey Stealer**. The integration of **DNS staging**, **browser-native execution**, and **multi-stage loaders** underscores the campaign’s resilience despite 2025 law enforcement disruptions, with actors refining tradecraft to maximize evasion via **social engineering**, **steganography**, and **legitimate service abuse**.