Overview
- IBM X-Force attributes the Slopoly deployment to Hive0163 in an Interlock incident where the backdoor sustained access for more than a week and enabled data theft.
- Slopoly operates as a PowerShell command-and-control client that sends heartbeat beacons every 30 seconds, polls for new tasks every 50 seconds, executes them via cmd.exe, and returns output to its server.
- Investigators observed persistence via a scheduled task named Runtime Broker with files placed under C:\ProgramData\Microsoft\Windows\Runtime\ on victim systems.
- Extensive comments and structured logging point to large language model generation, yet IBM assesses the tool as technically unsophisticated and not truly polymorphic, likely produced by a builder with randomized values.
- The attack chain began with a ClickFix lure and deployed NodeSnake, InterlockRAT, and the JunkFiction loader alongside Slopoly, with indicators shared to support detection and response.
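The two observable behaviours above, the fixed beacon cadence and the "Runtime Broker" scheduled task running out of C:\ProgramData\Microsoft\Windows\Runtime\, are what a responder can hunt for first. The script below is an added illustration written for this summary, not code from the IBM X-Force report or from the malware. It assumes a simple outbound-connection log format (timestamp, host, destination) and a cut-down CSV export keeping only the TaskName and "Task To Run" columns of `schtasks /query /fo CSV /v`; the log lines, the task rows, the script file name in the task action and the detection thresholds are all constructed here. The sample models only the 30-second heartbeat channel; the same interval test applies to the 50-second task poll if it is logged separately.

```python
"""Constructed detection helpers for the two Slopoly behaviours summarised
above: near-constant beacon intervals and a 'Runtime Broker' scheduled task
whose action runs from the reported ProgramData directory."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# --- 1. Beacon cadence over a constructed connection log ----------------------
# Fields: ISO timestamp, source host, destination (ip:port).  WS01 models a
# 30 s heartbeat with one second of jitter; WS02 models irregular user traffic.
SAMPLE_CONN_LOG = """\
2024-01-01T10:00:00 WS01 203.0.113.10:443
2024-01-01T10:00:30 WS01 203.0.113.10:443
2024-01-01T10:01:00 WS01 203.0.113.10:443
2024-01-01T10:01:31 WS01 203.0.113.10:443
2024-01-01T10:02:00 WS01 203.0.113.10:443
2024-01-01T10:02:30 WS01 203.0.113.10:443
2024-01-01T10:00:05 WS02 198.51.100.7:443
2024-01-01T10:00:09 WS02 198.51.100.7:443
2024-01-01T10:01:44 WS02 198.51.100.7:443
2024-01-01T10:02:01 WS02 198.51.100.7:443
2024-01-01T10:03:50 WS02 198.51.100.7:443
2024-01-01T10:05:12 WS02 198.51.100.7:443
"""


def find_periodic_beacons(log_text, min_events=5, max_cv=0.15):
    """Return {(host, dst): median_interval_seconds} for host/destination
    pairs whose inter-arrival times are nearly constant, i.e. whose
    coefficient of variation (stdev / mean) is at most max_cv."""
    stamps_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, dst = line.split()
        stamps_by_pair[(host, dst)].append(datetime.fromisoformat(ts))
    beacons = {}
    for pair, stamps in stamps_by_pair.items():
        stamps.sort()
        if len(stamps) < min_events:          # too few events to judge cadence
            continue
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[pair] = statistics.median(deltas)
    return beacons


# --- 2. Persistence artefact check over a constructed task export -------------
# Cut-down, constructed stand-in for `schtasks /query /fo CSV /v` output.
# PLACEHOLDER.ps1 stands in for the script name, which the summary does not give.
SAMPLE_TASK_CSV = r""""TaskName","Task To Run"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g -$"
"\Runtime Broker","powershell.exe -File C:\ProgramData\Microsoft\Windows\Runtime\PLACEHOLDER.ps1"
"\OneDrive Standalone Update Task","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"
"""

# Indicators taken from the summary above.  RuntimeBroker.exe is a legitimate
# Windows process, but a scheduled task carrying that name is not standard,
# and nothing legitimate is expected to run from this ProgramData path.
SUSPICIOUS_TASK_NAME = "runtime broker"
SUSPICIOUS_PATH = "c:\\programdata\\microsoft\\windows\\runtime\\"


def flag_suspicious_tasks(csv_text):
    """Return the TaskName of every row that matches the reported task name
    or whose action references the reported ProgramData directory."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"].strip("\\").lower()
        action = row["Task To Run"].lower()
        if name == SUSPICIOUS_TASK_NAME or SUSPICIOUS_PATH in action:
            hits.append(row["TaskName"])
    return hits


if __name__ == "__main__":
    for (host, dst), period in find_periodic_beacons(SAMPLE_CONN_LOG).items():
        print(f"{host} -> {dst}: beacon every ~{period:.0f} s")
    for task in flag_suspicious_tasks(SAMPLE_TASK_CSV):
        print(f"suspicious scheduled task: {task}")
```

The interval test deliberately tolerates small jitter (the 10:01:31 entry) but rejects the irregular WS02 pattern; in production the threshold needs tuning against legitimate keep-alive traffic, which is also periodic, so the cadence match should be combined with the destination and process context. The task check matches on both name and path so that a renamed task still trips on the directory, and vice versa.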