Hive0163
Hive0163 is a financially motivated threat actor focused on extortion through large-scale data exfiltration and ransomware. IBM X-Force links the group to Interlock ransomware activity and describes it as using a growing set of custom-built tools to maintain persistence and support post-compromise operations. Reported tooling associated with Hive0163 includes Slopoly, NodeSnake, InterlockRAT, and the JunkFiction loader. IBM X-Force also reported possible associations with developers or operators tied to Broomstick, Supper, PortStarter, SystemBC, SocksShell, and Rhysida ransomware, and assessed that several Hive0163 subclusters share crypters, malware frameworks, and ransomware variants.

Observed Hive0163 intrusion chains include ClickFix social engineering for initial access, including fake CAPTCHA-style lures that trick victims into executing malicious PowerShell via Win+R. The group is also reported to use malvertising and to rely on the initial access brokers TA569 (SocGholish) and TAG-124 (KongTuke, LandUpdate808). In observed attacks, ClickFix-delivered PowerShell downloaded NodeSnake, which is used to run shell commands, establish persistence, and retrieve additional payloads such as InterlockRAT. InterlockRAT supports reverse shells, SOCKS5 tunneling, web socket communication, and remote command execution. Hive0163 has also been observed deploying dual-use tools such as AzCopy and Advanced IP Scanner for expansion and lateral movement.

A notable Hive0163 capability is Slopoly, a likely AI-assisted PowerShell backdoor disclosed by IBM X-Force. Slopoly was observed in early 2026 during a ransomware intrusion, where it maintained persistent access to a compromised server for more than a week. It was deployed in C:\ProgramData\Microsoft\Windows\Runtime\ and established persistence via a scheduled task named "Runtime Broker."

Slopoly functions as a command-and-control client and backdoor: it collects system information, sends heartbeat beacons to a C2 server, polls for commands, executes them through cmd.exe, and returns results. IBM X-Force assessed that Slopoly was likely developed with assistance from a large language model, based on its extensive comments, logging, error handling, and clearly named variables, although the malware was not considered technically advanced and was not truly polymorphic despite script comments describing it as a "Polymorphic C2 Persistence Client."

The broader Hive0163 malware framework has been described as having implementations in PowerShell, PHP, C/C++, Java, and JavaScript, supporting both Windows and Linux. Reported framework capabilities include fetching commands from remote servers, launching SOCKS5 proxy tunnels, spawning reverse shells, and delivering additional payloads including Interlock ransomware and Slopoly. Overall, the reporting characterizes Hive0163 as an extortion-focused ransomware actor with custom tooling, persistent access tradecraft, and repeated use of ClickFix, malvertising, and brokered access.
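As an added defender-side example (not code from the IBM X-Force report or from any Hive0163 tooling), the check below runs over constructed Windows Security event 4698 (scheduled task created) records and flags the two Slopoly persistence artifacts reported above: a task named "Runtime Broker" and an action launched from C:\ProgramData\Microsoft\Windows\Runtime\. It also carries a broader PowerShell-from-ProgramData rule that goes beyond the page and is an assumption; the sample events and the script file name are constructed.

```python
import xml.etree.ElementTree as ET

# Reported Slopoly persistence artifacts (IBM X-Force reporting on Hive0163).
SLOPOLY_TASK_NAME = "runtime broker"
SLOPOLY_DIR = "c:\\programdata\\microsoft\\windows\\runtime\\"

# Constructed sample records modelled on Windows Security event 4698 (scheduled
# task created). PLACEHOLDER.ps1 stands in for a script name the page does not give.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\Runtime Broker",
     "TaskContent": '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                    "<Actions><Exec><Command>powershell.exe</Command><Arguments>-w hidden "
                    "-f C:\\ProgramData\\Microsoft\\Windows\\Runtime\\PLACEHOLDER.ps1"
                    "</Arguments></Exec></Actions></Task>"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                    "<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>"
                    "<Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>"},
    {"EventID": 4702, "TaskName": "\\Runtime Broker", "TaskContent": "<Task/>"},  # task updated, not created
]

def action_text(task_xml):
    """Join every <Command> and <Arguments> value in the task XML, ignoring the XML namespace."""
    root = ET.fromstring(task_xml)
    parts = [n.text.strip() for n in root.iter()
             if n.tag.rsplit("}", 1)[-1] in ("Command", "Arguments") and n.text]
    return " ".join(parts).lower()

def check_event(ev):
    """Return the reasons one event matches the reported Slopoly persistence pattern."""
    reasons = []
    leaf = ev["TaskName"].rsplit("\\", 1)[-1].strip().lower()
    if leaf == SLOPOLY_TASK_NAME:
        reasons.append("task named 'Runtime Broker' (RuntimeBroker.exe is a process, not a scheduled task)")
    actions = action_text(ev["TaskContent"])
    if SLOPOLY_DIR in actions:
        reasons.append("action runs from C:\\ProgramData\\Microsoft\\Windows\\Runtime\\")
    # Broader rule (assumption, not from the page): PowerShell launched out of ProgramData.
    if "powershell" in actions and "\\programdata\\" in actions:
        reasons.append("PowerShell action launched from ProgramData")
    return reasons

def scan(events):
    """Return (task name, reasons) for every task-creation event that matches."""
    return [(ev["TaskName"], r) for ev in events
            if ev.get("EventID") == 4698 and (r := check_event(ev))]
```

Only creation events (4698) are scanned; feed it records exported from your SIEM and baseline the "Runtime Broker" name against your own task inventory before alerting on it.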
Recent activity
Four sources are tracked across advisories, community write-ups, and news; their summaries of the actor follow.
Financially motivated ransomware cluster behind multiple high-profile global attacks involving the Interlock ransomware variant. The group conducts large-scale data theft and ransomware deployments, uses custom tooling for persistence, and leverages ClickFix attacks, malvertising, and reportedly initial access brokers for initial access.
Financially motivated threat actor specializing in post-compromise activity, using custom backdoors for long-term access, data exfiltration, and ransomware deployment. The group was observed using AI-assisted malware Slopoly, as well as NodeSnake and InterlockRAT components, in ransomware intrusions.
Financially motivated e-crime group conducting extortion through large-scale data exfiltration and ransomware, and using Slopoly during post-exploitation to maintain persistence. The group is also associated with a broader malware framework involving NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.
Financially motivated extortion activity involving large-scale data exfiltration and ransomware operations; observed in an Interlock ransomware intrusion where Slopoly (PowerShell backdoor) was deployed for persistence/C2 and additional backdoors (NodeSnake, InterlockRAT) were used.