
Slopoly backdoor used in Interlock ransomware intrusion

Malware Activity · Happening score: 28 · 1 unique source, 1 article

Summary


The Slopoly backdoor was identified in an Interlock ransomware intrusion after it helped the intruders maintain access to a compromised server for more than a week and enabled data theft. It ran as a PowerShell C2 client, giving operators persistence and command execution on the server. The code also showed signs of LLM-assisted development, suggesting AI tools may be helping attackers build custom malware faster and evade detection.

Related Happenings

Hive0163 extortion and ransomware campaign using ClickFix and malvertising

Campaign
First: 12.03.2026 19:02 Last: 12.03.2026 19:02 Sources 1

About this happening: Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...

ModeloRAT DNS-delivered malware staging

Malware Activity
First: 16.02.2026 02:29 Last: 16.02.2026 02:29 Sources 1

About this happening: **ModeloRAT** is now being delivered through a **DNS-based staging chain**, increasing the chance that malicious traffic blends into ordinary name-resolution activity. In the obse...

LummaStealer infection surge via CastleLoader

Malware Activity
First: 11.02.2026 19:02 Last: 11.02.2026 19:02 Sources 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

Mustang Panda multi-country espionage campaign against government and telecom targets

Campaign
First: 28.01.2026 13:40 Last: 28.01.2026 13:40 Sources 1

About this happening: A **Mustang Panda** espionage campaign targeted **government entities** across **Myanmar, Mongolia, Malaysia, and Russia**, showing sustained multi-country activity from **2021-20...

LOTUSLITE backdoor delivered via DLL side-loading and C2 beaconing

Malware Activity
First: 16.01.2026 12:27 Last: 16.01.2026 12:27 Sources 1

About this happening: The **LOTUSLITE** backdoor was delivered as a malicious DLL through **DLL side-loading**, giving the implant a foothold for **beaconing**, **remote tasking**, and **data exfiltrat...

Timeline

  1. 12.03.2026 22:01 · 2 articles

    Slopoly backdoor disclosed in Interlock ransomware intrusion

    Initial Disclosure

    IBM X-Force identified the Slopoly backdoor in an Interlock ransomware intrusion that began with a ClickFix ruse. The PowerShell script acted as a C2 client: it supported persistence and command execution, polled for commands at /api/commands, executed payloads via cmd.exe, and helped maintain access on a compromised server for more than a week while data was stolen. The script also showed strong indicators of LLM-assisted development and, despite comments describing it as a "Polymorphic C2 Persistence Client", lacked true self-modifying behavior. The activity was attributed to Hive0163.
