Hive0163

Also known as: Hive0163

Hive0163 is a financially motivated ransomware group responsible for deploying Interlock ransomware, utilizing ClickFix social engineering for initial access. They employ the AI-generated PowerShell backdoor Slopoly for persistent command-and-control access, which checks in with attacker infrastructure every 50 seconds and transmits telemetry every 30 seconds. The group leverages AzCopy for bulk data exfiltration to Azure blob storage before executing ransomware, employing a five-stage attack chain. Their operations are characterized by the use of initial access brokers and a variety of custom backdoors for long-term access and data exfiltration.

Introduction

Hive0163 is a financially motivated ransomware group responsible for deploying Interlock ransomware, utilizing ClickFix social engineering for initial access. They employ the AI-generated PowerShell backdoor Slopoly for persistent command-and-control access, which checks in with attacker infrastructure every 50 seconds and transmits telemetry every 30 seconds. The group leverages AzCopy for bulk data exfiltration to Azure blob storage before executing ransomware, employing a five-stage attack chain. Their operations are characterized by the use of initial access brokers and a variety of custom backdoors for long-term access and data exfiltration.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Backdoor.Oldrea:
  • PowerDuke:
  • POWERSTATS:
  • Power Loader:
  • POWERSOURCE:
  • PowerRAT:

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.