Perceptive Security
SOC/SIEM Consultancy

AI-generated Slopoly malware used in Interlock ransomware attack
Published:
12 March 2026 at 20:01:27
Alert date:
12 March 2026 at 21:01:52
Source:
bleepingcomputer.com
Ransomware & Malware, Emerging Technologies, Data Breach & Exfiltration
A new AI-generated malware strain called Slopoly was used in an Interlock ransomware attack. The malware allowed threat actors to maintain persistence on a compromised server for over a week. During this time, the attackers were able to steal data before deploying the ransomware. The Slopoly malware appears to have been created using generative AI tools, representing an evolution in how cybercriminals are developing malicious software. This incident demonstrates the growing sophistication of ransomware operations and the integration of AI technologies in cyberattacks.
Technical details
Slopoly is an AI-generated PowerShell backdoor that acts as a client for the attackers' C2 framework. It was likely written with the help of Large Language Models (LLMs), as evidenced by its extensive code commentary, structured logging, error handling and clearly named variables.
The malware is deployed in C:\ProgramData\Microsoft\Windows\Runtime\. Its core functions are collecting system information, sending heartbeat beacons every 30 seconds to /api/commands, polling for commands every 50 seconds, executing commands via cmd.exe, maintaining persistence.log files, and establishing persistence through a scheduled task named 'Runtime Broker'. Supported commands include downloading and executing EXE, DLL and JavaScript payloads, running shell commands, changing the beaconing interval, self-updating, and terminating processes.
The attack chain starts with ClickFix social engineering and deploys multiple components, including the NodeSnake and InterlockRAT backdoors. The Interlock ransomware itself is a 64-bit Windows executable delivered by the JunkFiction loader. It runs as a SYSTEM scheduled task, uses the Windows Restart Manager API to release locked files, and appends the '.!NT3RLOCK' or '.int3R1Ock' extension to encrypted files.
Mitigation steps:
Monitor for suspicious PowerShell scripts in the C:\ProgramData\Microsoft\Windows\Runtime\ directory
Detect scheduled tasks named 'Runtime Broker'
Monitor network traffic to /api/commands endpoints with 30-50 second intervals
Watch for files with .!NT3RLOCK or .int3R1Ock extensions
Implement detection for ClickFix social engineering campaigns
Monitor for persistence.log file creation
Detect JunkFiction loader activity
Watch for NodeSnake and InterlockRAT backdoor indicators
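Added example (not code from the BleepingComputer article, from IBM X-Force or from Perceptive): Python detection logic for two of the steps above, run over constructed proxy log lines and constructed host inventory values. The log format, the source IPs, the C2 address and the intranet hostname are assumptions; the /api/commands path, the 30-50 second cadence, the 'Runtime Broker' task name, the Runtime directory and persistence.log come from the report.

```python
"""Added detection example, not code from the article or from Perceptive: flags
Slopoly-style beaconing to /api/commands and the reported host artifacts."""
from collections import defaultdict
from statistics import median
BEACON_PATH = "/api/commands"
RUNTIME_DIR = "c:\\programdata\\microsoft\\windows\\runtime\\"
TASK_NAME = "runtime broker"
# Constructed proxy log lines "<epoch_seconds> <src_ip> <method> <url>":
# 10.0.0.5 beacons every ~30 s; 10.0.0.9 hits a same-named intranet path irregularly.
PROXY_LOG = """\
1000 10.0.0.5 POST http://203.0.113.10/api/commands
1030 10.0.0.5 POST http://203.0.113.10/api/commands
1061 10.0.0.5 POST http://203.0.113.10/api/commands
1090 10.0.0.5 POST http://203.0.113.10/api/commands
1000 10.0.0.9 GET http://intranet.example/api/commands?page=1
1005 10.0.0.9 GET http://intranet.example/api/commands?page=2
1300 10.0.0.9 GET http://intranet.example/api/commands?page=3
1900 10.0.0.9 GET http://intranet.example/api/commands?page=4
""".splitlines()

def detect_beacons(lines, low=30, high=50, max_jitter=3, min_hits=4):
    """Return {src_ip: median_interval_s} for hosts whose requests to BEACON_PATH
    recur every 30-50 s (the reported heartbeat/poll cadence) with low jitter."""
    hits = defaultdict(list)
    for line in lines:
        ts, src, _method, url = line.split()
        if BEACON_PATH in url:
            hits[src].append(float(ts))
    alerts = {}
    for src, stamps in hits.items():
        if len(stamps) < min_hits:          # too few requests to judge cadence
            continue
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(deltas)
        jitter = median(abs(d - med) for d in deltas)   # median absolute deviation
        if low - max_jitter <= med <= high + max_jitter and jitter <= max_jitter:
            alerts[src] = med
    return alerts

def host_artifacts(task_names, file_paths):
    """Flag the reported 'Runtime Broker' task and .ps1/persistence.log files in RUNTIME_DIR."""
    findings = [f"scheduled task '{t}'" for t in task_names
                if t.strip().lower() == TASK_NAME]
    for path in file_paths:
        low_path = path.lower().replace("/", "\\")
        if low_path.startswith(RUNTIME_DIR) and low_path.endswith((".ps1", "persistence.log")):
            findings.append(path)
    return findings
```

Feed task names from schtasks or Get-ScheduledTask output and file paths from Sysmon file-create events; the jitter threshold keeps ordinary web traffic to a same-named internal path from alerting.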
Affected products:
Windows operating systems
PowerShell
cmd.exe
Windows Task Scheduler
Windows Restart Manager API
Related links:
https://www.ibm.com/think/x-force/slopoly-start-ai-enhanced-ransomware-attacks
https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-deploys-new-nodesnake-rat-on-universities/
https://www.bleepingcomputer.com/news/security/meet-interlock-the-new-ransomware-targeting-freebsd-servers/
https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-pushes-fake-it-tools-in-clickfix-attacks/
https://www.bleepingcomputer.com/news/security/interlock-ransomware-adopts-filefix-method-to-deliver-malware/
https://www.bleepingcomputer.com/news/security/texas-tech-university-system-data-breach-impacts-14-million-patients/
https://www.bleepingcomputer.com/news/security/davita-ransomware-attack-exposed-data-of-nearly-27-million-people/
https://www.bleepingcomputer.com/news/security/kettering-health-confirms-interlock-ransomware-behind-cyberattack/
https://www.bleepingcomputer.com/news/security/saint-paul-cyberattack-linked-to-interlock-ransomware-gang/
Related CVEs:
Related threat actors:
IOCs:
C:\ProgramData\Microsoft\Windows\Runtime\, /api/commands, Runtime Broker, persistence.log, .!NT3RLOCK, .int3R1Ock, JunkFiction loader, NodeSnake backdoor, InterlockRAT backdoor
This article was created with the assistance of AI technology by Perceptive.
