Hive0163 is a financially motivated ransomware group responsible for deploying Interlock ransomware, utilizing ClickFix social engineering for initial access. They employ the AI-generated PowerShell backdoor Slopoly for persistent command-and-control access, which checks in with attacker infrastructure every 50 seconds and transmits telemetry every 30 seconds. The group leverages AzCopy for bulk data exfiltration to Azure blob storage before executing ransomware, employing a five-stage attack chain. Their operations are characterized by the use of initial access brokers and a variety of custom backdoors for long-term access and data exfiltration.
References
Actor metadata imported from Malpedia (Fraunhofer FKIE).