Hive0163 extortion and ransomware campaign using ClickFix and malvertising
Campaign
Summary
Hive0163 is running an active extortion and ransomware campaign that expands access and raises the risk of large-scale data exfiltration. The operation uses ClickFix, malvertising, and initial-access brokers to reach victims. Associated tooling includes NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware. In one observed intrusion in early 2026, the actor maintained persistent access on a compromised server for more than a week.
Related Happenings
ClickFix attacks with PySoxy scheduled-task persistence
Malware Activity
First: 12.05.2026 15:00
Last: 12.05.2026 15:00
Sources 1
About this happening:
Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...
ACSC ClickFix mitigation guidance for Vidar Stealer
Advisory/Mitigation
First: 07.05.2026 21:00
Last: 07.05.2026 21:00
Sources 1
About this happening:
The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...
Fast16 Lua-based network worm
Malware Activity
First: 27.04.2026 16:09
Last: 27.04.2026 16:09
Sources 1
About this happening:
Researchers identified **fast16**, a previously undocumented **Lua-based network worm** that can silently corrupt high-precision calculations and threaten legacy scientific and en...
Medusa ransomware post-compromise deployment
Malware Activity
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Storm-1175 high-velocity zero-day and N-day intrusion campaign
Campaign
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity intrusion campaign** that chains **zero-day** and **N-day vulnerabilities** to gain initial access to exposed systems, raising the risk...
Timeline
12.03.2026 19:02 · 2 articles · 2mo ago
Hive0163 Slopoly disclosure
Initial Disclosure
Researchers disclosed Slopoly, a suspected AI-generated PowerShell backdoor used by Hive0163 in a ransomware operation, and linked it to an early-2026 intrusion where a victim was steered through ClickFix to run PowerShell, download NodeSnake, and later receive Slopoly during post-exploitation. The malware can beacon system data to a C2 server, poll for commands, execute them via cmd.exe, and help deliver Interlock RAT and Interlock ransomware while maintaining persistence through a scheduled task called "Runtime Broker".
- Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks — thehackernews.com — 12.03.2026 19:02
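A hunting check for the persistence mechanism described in this entry, added here as an example; it is not code from the report or from any vendor named on this page. It assumes the persistence is an ordinary Windows scheduled task whose display name is "Runtime Broker" and whose action launches PowerShell, which is all the entry states; the additional heuristics (encoded command switches, interpreters launched from user-writable paths) and the pattern lists are my own, as is the assumption that Windows ships no built-in scheduled task with that display name.

```powershell
# Added hunting example, not from the original report. Assumptions: the
# reported persistence is a normal scheduled task named "Runtime Broker" whose
# action runs PowerShell; the extra heuristics below are the author's own.
# Windows has a legitimate RuntimeBroker.exe process but (assumed) no built-in
# scheduled task with that display name, so a name hit is worth examining.
# Run elevated so that tasks registered by other accounts are visible.

$suspectNames    = @('Runtime Broker')
$suspectBinaries = 'powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|mshta\.exe'
$userPaths       = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'
# -e, -ec, -en, -enc, -encodedcommand are all accepted by powershell.exe
$encodedSwitch   = '-e(n[a-z]*|c)?\b'

$findings = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        # Only exec actions carry Execute/Arguments; skip handler/mail actions
        if (-not $action.Execute) { continue }
        $cmdline = "$($action.Execute) $($action.Arguments)"
        $reasons = @()
        if ($suspectNames -contains $task.TaskName) {
            $reasons += 'task name matches reported persistence task'
        }
        if ($action.Execute -match $suspectBinaries -and $action.Arguments -match $encodedSwitch) {
            $reasons += 'interpreter launched with an encoded command'
        }
        if ($action.Execute -match $suspectBinaries -and $action.Arguments -match $userPaths) {
            $reasons += 'interpreter given a script in a user-writable path'
        }
        if ($action.Execute -match $userPaths) {
            $reasons += 'executable itself lives in a user-writable path'
        }
        if ($reasons.Count -eq 0) { continue }

        $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            TaskPath    = $task.TaskPath
            TaskName    = $task.TaskName
            Author      = $task.Author
            RunAs       = $task.Principal.UserId
            Command     = $cmdline
            LastRunTime = $info.LastRunTime
            NextRunTime = $info.NextRunTime
            Reasons     = ($reasons -join '; ')
        }
    }
}

# Review the hits by hand: a legitimate admin script in ProgramData will also
# trip the path heuristic, so the Author, RunAs and Command fields decide.
$findings | Sort-Object TaskPath, TaskName | Format-List
```

The name check is the only part tied to this entry; the other three heuristics catch the same technique under a different task name, which is why they are kept even though the report only names "Runtime Broker". If a hit is confirmed, export the task XML (`Export-ScheduledTask`) before removing it so the trigger, principal and command line are preserved for the incident record.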