
AI‑Generated “Slopoly” Malware Powers Interlock Ransomware Attack, Exfiltrating Enterprise Data

A PowerShell backdoor named Slopoly, which the reporting describes as crafted with generative AI, was used to keep a foothold on compromised Windows servers for more than a week, collect system data, and stage the Interlock ransomware payload. The intrusion began with a ClickFix phishing lure and illustrates the emerging risk that AI-assisted malware poses to third-party environments.

🛡️ LiveThreat™ Intelligence · 📅 March 13, 2026 · 📰 bleepingcomputer.com

Severity: 🟠 High
Type: 💀 Ransomware
Confidence: 🎯 High
Affected: 🏢 2 sector(s)
Actions: 3 recommended
Source: 📰 bleepingcomputer.com

What Happened – A new PowerShell-based backdoor named Slopoly, which the reporting identifies as generated with a large language model, served as the persistence client in an Interlock ransomware campaign. The attackers gained entry through a ClickFix social-engineering lure, held the foothold for over a week, harvested system information, and exfiltrated data before encrypting files.

Why It Matters for TPRM

  • AI-assisted malware can be produced quickly and cheaply, expanding the pool of custom threats that third-party vendors may face.
  • Because the builder can emit fresh variants with randomized configuration values, hash- and string-based signatures written for one sample are unlikely to match the next; detection has to key on behaviour (scheduled-task persistence, fixed-interval beaconing, payload download and execution) rather than on one specific file.
  • Prolonged undetected access (seven days or more) increases the likelihood that sensitive data is exposed across supply-chain environments.

Who Is Affected – Organizations running Windows servers, especially where staff or vendors can be reached by ClickFix-style lures (fake error or verification prompts that coax a user into pasting and running a command), and those relying on third-party SaaS or cloud-hosted workloads whose operators could be targeted the same way.

Recommended Actions

  • Review how third parties reach your Windows servers (remote-support and remote-management tooling, vendor accounts); enforce MFA and least-privilege access, and restrict who can run interactive PowerShell on servers.
  • Update detection rules to flag unusually verbose, heavily commented PowerShell scripts with structured logging, scripts that register scheduled tasks, and processes that beacon out on a fixed timer; PowerShell script-block logging (Event ID 4104) is the natural feed for the first two.
  • Conduct a focused audit of recent logons and scheduled tasks on critical servers, looking in particular for a task named "Runtime Broker" or any task that runs a script from C:\ProgramData\Microsoft\Windows\Runtime\.
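The host-side audit in the last two actions, as an added PowerShell hunt script (this is not code from the BleepingComputer report or from the LiveThreat brief). The task name and the staging directory are taken from the Technical Notes below; the function name, the 14-day look-back, and the output layout are assumptions. Windows ships a RuntimeBroker.exe process but no built-in scheduled task called "Runtime Broker", so a name hit is worth examining on its own.

```powershell
# Added example, not from the original report. Assumed: the indicators below
# (task name, staging path) are those the brief quotes; everything else is a
# generic hunt pattern. Run elevated on the server under review.
function Find-SlopolyArtifacts {
    [CmdletBinding()]
    param(
        [string]$StagingDir   = 'C:\ProgramData\Microsoft\Windows\Runtime',  # from the brief
        [string]$TaskPattern  = 'Runtime Broker',                            # from the brief
        [int]   $LookbackDays = 14                                           # assumption: > 1 week dwell
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Scheduled tasks. Match on the task name, and independently on any task
    #    whose action (executable, arguments or working dir) points into the
    #    staging directory, so a renamed task is still caught.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $actionText = ($task.Actions | ForEach-Object {
            "$($_.Execute) $($_.Arguments) $($_.WorkingDirectory)"
        }) -join ' '
        $nameHit = $task.TaskName -like "*$TaskPattern*"
        $pathHit = $actionText -like "*$StagingDir*"
        if ($nameHit -or $pathHit) {
            $info   = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
            $signal = 'TaskAction'
            if ($nameHit) { $signal = 'TaskName' }
            $findings.Add([pscustomobject]@{
                Signal = $signal
                Where  = "$($task.TaskPath)$($task.TaskName)"
                When   = $info.LastRunTime
                Detail = "State=$($task.State); Author=$($task.Author); Action=$($actionText.Trim())"
            })
        }
    }

    # 2. The staging directory itself: list everything in it, hidden files
    #    included, with timestamps so dwell time can be estimated.
    if (Test-Path -LiteralPath $StagingDir) {
        Get-ChildItem -LiteralPath $StagingDir -Force -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Signal = 'StagingFile'
                    Where  = $_.FullName
                    When   = $_.LastWriteTime
                    Detail = "Created=$($_.CreationTime); Size=$($_.Length)"
                })
            }
    }

    # 3. Script block logging (Event ID 4104). When enabled, the decoded script
    #    text is in the event message, so a reference to the staging directory
    #    or the task name surfaces the script even after the file was removed.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$StagingDir*" -or $_.Message -like "*$TaskPattern*" } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Signal = 'ScriptBlock'
                Where  = "EventRecordId=$($_.RecordId)"
                When   = $_.TimeCreated
                Detail = (($_.Message -split "`n")[0..2] -join ' ')   # first lines only
            })
        }

    return $findings
}

$hits = Find-SlopolyArtifacts
if ($hits.Count -eq 0) { 'No Slopoly indicators found.' }
else { $hits | Sort-Object When | Format-Table -AutoSize -Wrap }
```

A silent result from step 3 is not evidence of absence: Get-WinEvent returns nothing both when no event matches and when script-block logging was never enabled, so confirm the logging policy before treating an empty result as clean. Because the builder randomizes configuration values, pass your own `-StagingDir` and `-TaskPattern` if local intelligence names different ones.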

Technical Notes – The Slopoly script runs from C:\ProgramData\Microsoft\Windows\Runtime\, creates a scheduled task for persistence, polls its C2 endpoint every 30 seconds, and can download and execute EXE, DLL, or JavaScript payloads. Initial access came through a ClickFix phishing flow. No true polymorphic code was observed, but the builder can generate new variants with randomized configuration values, so indicators such as the task name, beacon interval, and staging path may differ between victims. Source: BleepingComputer
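The 30-second beacon is the one behaviour above that is visible from the network side, and it survives a renamed task or a moved staging directory. The following is an added example (not code from the report or the brief) that flags source/destination pairs whose connection timestamps recur at a near-constant period. The log format, the host name, and the destination addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed for the example; real proxy or firewall logs need their own field splitter.

```powershell
# Added example, not from the original report. Input lines are constructed:
# "<ISO-8601 timestamp> <source host> <destination ip:port>".
function Find-PeriodicBeacons {
    param(
        [string[]]$Lines,
        [double]$ExpectedInterval = 30,   # seconds; Slopoly's interval per the brief. <= 0 disables the check
        [double]$Tolerance        = 0.2,  # accept mean gaps within +/- 20 % of the expected period
        [double]$MaxJitter        = 0.1,  # stdev / mean above this is "a human, not a timer"
        [int]   $MinEvents        = 6     # too few samples and the statistics are meaningless
    )
    # Group timestamps per source -> destination pair.
    $groups = @{}
    foreach ($line in $Lines) {
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 3) { continue }
        $key = "$($parts[1]) -> $($parts[2])"
        $ts  = [datetimeoffset]::Parse($parts[0], [cultureinfo]::InvariantCulture)
        if (-not $groups.ContainsKey($key)) { $groups[$key] = @() }
        $groups[$key] += $ts
    }
    foreach ($key in $groups.Keys) {
        $times = @($groups[$key] | Sort-Object)
        if ($times.Count -lt $MinEvents) { continue }
        # Inter-arrival gaps in seconds, then mean and coefficient of variation.
        $gaps = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
        $mean = ($gaps | Measure-Object -Average).Average
        $var  = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $cv   = [double]::PositiveInfinity
        if ($mean -gt 0) { $cv = [math]::Sqrt($var) / $mean }
        $periodOk = $true
        if ($ExpectedInterval -gt 0) {
            $periodOk = [math]::Abs($mean - $ExpectedInterval) -le ($Tolerance * $ExpectedInterval)
        }
        [pscustomobject]@{
            Pair       = $key
            Events     = $times.Count
            MeanGapSec = [math]::Round($mean, 1)
            Jitter     = [math]::Round($cv, 3)
            Beacon     = ($periodOk -and $cv -le $MaxJitter)
        }
    }
}

# Constructed sample: one host polling a C2 placeholder every ~30 s with a
# second of jitter, interleaved with irregular traffic to a second destination.
$SampleLog = @'
2026-03-10T08:00:00Z SRV01 203.0.113.10:443
2026-03-10T08:00:05Z SRV01 198.51.100.7:443
2026-03-10T08:00:10Z SRV01 198.51.100.7:443
2026-03-10T08:00:30Z SRV01 203.0.113.10:443
2026-03-10T08:00:57Z SRV01 198.51.100.7:443
2026-03-10T08:00:59Z SRV01 203.0.113.10:443
2026-03-10T08:01:09Z SRV01 198.51.100.7:443
2026-03-10T08:01:30Z SRV01 203.0.113.10:443
2026-03-10T08:02:00Z SRV01 203.0.113.10:443
2026-03-10T08:02:30Z SRV01 203.0.113.10:443
2026-03-10T08:02:59Z SRV01 203.0.113.10:443
2026-03-10T08:03:30Z SRV01 203.0.113.10:443
2026-03-10T08:04:29Z SRV01 198.51.100.7:443
2026-03-10T08:04:32Z SRV01 198.51.100.7:443
2026-03-10T08:06:02Z SRV01 198.51.100.7:443
'@

Find-PeriodicBeacons -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample, the 203.0.113.10 pair has a mean gap of 30 s and jitter around 0.025 and is flagged; the 198.51.100.7 pair has a similar event count but a jitter well above 1 and is not. Since the builder can randomize the beacon interval, run the function once more with `-ExpectedInterval 0` so that any low-jitter period, not just 30 s, is reported, and treat the period filter as a way to prioritise rather than to exclude.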

📰 Original Source
https://www.bleepingcomputer.com/news/security/ai-generated-slopoly-malware-used-in-interlock-ransomware-attack/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
