Skip to main content
Mallory
Back to malware
MalwareRansomwareUsed by 1 actor

JunkFiction

JunkFiction is a loader associated with the financially motivated threat actor Hive0163 and with Interlock ransomware operations. IBM X-Force reporting places it in Hive0163’s broader malware toolkit alongside NodeSnake and InterlockRAT, where it is used to support long-term access and follow-on payload delivery in compromised environments. The Windows Interlock ransomware payload observed by IBM was a 64-bit PE file delivered via the JunkFiction loader, typically from temporary folders. Hive0163 is described as an extortion-focused cluster involved in large-scale data exfiltration and ransomware, with initial access commonly obtained through ClickFix social engineering, malvertising, or access brokers such as TA569/SocGholish and TAG-124/KongTuke/LandUpdate808. High-confidence content directly ties JunkFiction to delivery of Interlock ransomware, but does not provide additional standalone technical details or specific IOCs for the loader itself.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Hive0163

The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.

via the hacker newsthehackernews.com
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique
T1486Data Encrypted for ImpactEvidence1
TacticImpact

The Windows Interlock ransomware is a 64-bit PE file deployed with the JunkFiction loader... It supports arguments to encrypt directories (-d) or files (-f)

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
cyber security newsNews
Mar 16, 2026
IBM Uncovers ‘Slopoly,’ Likely AI-Generated Malware Used in Hive0163 Ransomware Attack - Cyber Security News

Loader used by Hive0163 as part of its custom toolkit to help establish and maintain long-term access in compromised environments.

Read more
security affairsNews
Mar 13, 2026
AI-assisted Slopoly malware powers Hive0163’s ransomware campaigns

Loader used to deploy the Interlock ransomware payload.

Read more
the hacker newsNews
Mar 12, 2026
Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks

Loader used by Hive0163 as part of its malicious toolset.

Read more
bleeping computerNews
Mar 12, 2026
AI-generated Slopoly malware used in Interlock ransomware attack

Loader used to deliver the Interlock ransomware payload (64-bit Windows executable) in the observed attacks.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.