A new malware strain dubbed Slopoly, likely created using generative AI tools, allowed a threat actor to remain on a compromised server for more than a week and steal data in an Interlock ransomware attack.

The breach started with a ClickFix ruse, and in later stages of the attack, the hackers deployed the Slopoly backdoor as a PowerShell script acting as a client for the command-and-control (C2) framework.

IBM X-Force researchers analyzed the script and found strong indicators that it was created using a large language model (LLM), but could not determine which one.

Evidence pointing to AI-assisted development includes extensive commentary in the code, structured logging, error handling, and clearly named variables. All this is rare in human-developed malware.

They attributed the attack to a financially motivated group they track as Hive0163, “whose main objective is extortion through large-scale data exfiltration and ransomware.”

According to the researchers, Slopoly is rather unsophisticated, although its deployment in ransomware operators’ attack chains indicates that AI tools are actively used to accelerate custom malware development, which can help evade detection.

Although comments in the Slopoly script describe it as a “Polymorphic C2 Persistence Client,” IBM X-Force did not find any feature that would allow modifying its own code during execution.

“The script does not possess any advanced techniques and can hardly be considered polymorphic, since it’s unable to modify its own code during execution,” reads the IBM report.

“The builder may, however, generate new clients with different randomized configuration values and function names, which is standard practice among malware builders.”

IBM X-Force researchers believe that Slopoly was generated by a builder that inserted configuration values, such as beaconing intervals, command-and-control addresses, mutex names, and session IDs.

The malware is deployed in C:\ProgramData\Microsoft\Windows\Runtime\, and its main functions include:

• Collecting system information
• Sending a heartbeat beacon every 30 seconds to /api/commands
• Polling for commands every 50 seconds
• Executing received commands via cmd.exe
• Sending command output back to the C2 server
• Maintaining a rotating persistence.log file
• Establishing persistence through a scheduled task named “Runtime Broker”

The commands it supports allow downloading and executing EXE, DLL, or JavaScript payloads; running shell commands and returning the results; changing beaconing intervals; updating itself; or exiting its own process.

The attack IBM observed started with a ClickFix social engineering flow, and deployed multiple malware components besides Slopoly, including the NodeSnake and InterlockRAT backdoors.

Interlock ransomware emerged in 2024 and was an early adopter of the ClickFix social engineering technique, and later also the FileFix variant.

The threat group has previously claimed attacks against high-profile organizations such as the Texas Tech University System, DaVita, Kettering Health, and the city of Saint Paul, Minnesota.

The Interlock ransomware payload observed in the attacks reported by IBM is a 64-bit Windows executable delivered via the JunkFiction loader.

It can execute as a scheduled task running as SYSTEM, and uses Windows Restart Manager API to release locked files, appending the ‘. !NT3RLOCK’ or ‘.int3R1Ock’ extensions on their encrypted copies.

IBM reports that Hive0163 may also have associations with the developers behind Broomstick, SocksShell, PortStarter, SystemBC, and the Rhysida ransomware operators.

Cybersecurity researchers have disclosed details of a new banking malware targeting Brazilian users that’s written in Rust, marking a significant departure from other known Delphi-based malware families associated with the Latin American cybercrime ecosystem.

The malware, which is designed to infect Windows systems and was first discovered last month, has been codenamed VENON by Brazilian cybersecurity company ZenoX.

What makes VENON notable is that it shares behaviors that are consistent with established banking trojans targeting the region, such as Grandoreiro, Mekotio, and Coyote, specifically when it comes to features like banking overlay logic, active window monitoring, and a shortcut (LNK) hijacking mechanism.

The malware has not been attributed to any previously documented group or campaign. However, an earlier version of the artifact, dating back to January 2026, has been found to expose full paths from the malware author’s development environment. The paths repeatedly reference a Windows machine username “byst4” (e.g., “C:\Users\byst4\…”).

“The Rust code structure presents patterns suggesting a developer familiar with the capabilities of existing Latin American banking trojans, but who used generative AI to rewrite and expand these functionalities in Rust, a language that requires significant technical experience to use at the observed level of sophistication,” ZenoX said.

VENON is distributed by means of a sophisticated infection chain that uses DLL side-loading to launch a malicious DLL. It’s suspected that the campaign leverages social engineering ploys like ClickFix to trick users into downloading a ZIP archive containing the payloads by means of a PowerShell script.

Once the DLL is executed, it performs nine evasion techniques, including anti-sandbox checks, indirect syscalls, ETW bypass, AMSI bypass, before actually initiating any malicious actions. It also reaches out to a Google Cloud Storage URL to retrieve a configuration, install a scheduled task, and establish a WebSocket connection to the command-and-control (C2) server.

Also extracted from the DLL are two Visual Basic Script blocks that implement a shortcut hijacking mechanism exclusively targeting the Itaú banking application. The components work by replacing the legitimate system shortcuts with tampered versions that redirect the victim to a web page under the threat actor’s control.

The attack also supports an uninstall step to undo the modifications, suggesting that the operation can be remotely controlled by the operator to restore the shortcuts to what they originally were to cover up the tracks.

In all, the banking malware is equipped to target 33 financial institutions and digital asset platforms by monitoring the window title and active browser domain, springing into action only when any of the targeted applications or websites are opened to facilitate credential theft by serving fake overlays.

The disclosure comes amid campaigns where threat actors are exploiting the ubiquity of WhatsApp in Brazil to distribute a worm named SORVEPOTEL via the messaging platform’s desktop web version. The attack hinges on abusing previously authenticated chats to deliver malicious lures directly to victims, ultimately resulting in the deployment of banking malware such as Maverick, Casbaneiro, or Astaroth.

“A single WhatsApp message delivered through a hijacked SORVEPOTEL session was sufficient to draw a victim into a multi-stage chain that ultimately resulted in an Astaroth implant running fully in memory,” Blackpoint Cyber said.

“The combination of local automation tooling, unsupervised browser drivers, and user-writable runtimes created an unusually permissive environment, allowing both the worm and the final payload to establish themselves with minimal friction.”

Cybersecurity researchers have discovered half-a-dozen new Android malware families that come with capabilities to steal data from compromised devices and conduct financial fraud.

The Android malware range from traditional banking trojans like PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT to full-fledged remote administration tools such as SURXRAT.

PixRevolution, according to Zimperium, targets Brazil’s Pix instant payment platform, hijacking victims’ money transfers in real-time to route them to the threat actors instead of the intended payee.

“This new strain of malware operates stealthily within the device until the moment the victim initiates a Pix transfer,” security researcher Aazim Yaswant said. “What distinguishes this threat from conventional banking trojans is its fundamental design: a human or AI agent operator is actively engaged on the remote end, observing the victim’s phone screen instantaneously, poised to act at the precise moment of transaction.”

The Android malware propagates via fake Google Play Store app listing pages for apps like Expedia, Sicredi, and Correios to trick users into installing the malicious dropper APK files. Once installed, the apps urge users to enable accessibility services to realize their goals.

It also connects to an external server over TCP on port 9000 to send periodic heartbeat messages containing device information and activate real-time screen capture using Android’s MediaProjection API. The main functionality of PixRevolution, though, is the monitoring of the victim’s screen and serving a fake overlay as soon as a victim enters the desired amount and the Pix key of the recipient to initiate the payment.

At that point, the trojan shows a fake WebView overlay that says “Aguarde…” (meaning “wait” in Portuguese/Spanish), while, in the background, it edits the Pix key with that of the attacker’s to complete the funds transfer. In the final stage, the overlay is removed, and the victim is displayed a “transfer complete” confirmation screen in the Pix app.

“From the victim’s perspective, nothing unusual happened,” Yaswant said. “The app briefly showed a loading indicator, something that occurs routinely during legitimate banking operations. The transfer was confirmed successfully. The amount they intended to send was deducted from their account.”

“It is only later, sometimes much later, that the victim discovers the money went to the wrong account. And because Pix transfers are instant and final, recovery is extraordinarily difficult.”

Brazilian users have also become the target of another Android‑based malware campaign called BeatBanker, which spreads primarily through phishing attacks via a website disguised as the Google Play Store. BeatBanker gets its name from the use of an unusual persistence mechanism that involves playing an almost inaudible audio file, a 5-second recording featuring Chinese words, on a loop to prevent it from being terminated.

Besides incorporating runtime checks for emulated or analysis environments, the malware monitors battery temperature and percentage, and verifies whether the user is using the device to start or stop the Monero miner as required. It uses Google’s Firebase Cloud Messaging (FCM) for command‑and‑control (C2).

“To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banking trojan capable of completely hijacking the device and spoofing screens, among other things,” Kaspersky said. “When the user tries to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor’s transfer address.”

The banking module also monitors web browsers like Chrome, Edge, Firefox, Brave, Opera, DuckDuckGo, Dolphin Browser, and sBrowser to URLs accessed by the victim. In addition, it supports the ability to receive a long list of commands from the server to collect personal information and gain complete control of the device.

Recent iterations of the campaign have been found to drop BTMOB RAT instead of the banking module. It provides operators with comprehensive remote control, persistent access, and surveillance over compromised devices. BTMOB is assessed to be an evolution of CraxsRAT, CypherRAT, and SpySolr families, all of which have been linked to a Syrian threat actor who goes by the online alias EVLF.

“We also saw the distribution and sale of leaked BTMOB source code on some dark web forums,” the Russian security vendor said. “This may suggest that the creator of BeatBanker acquired BTMOB from its original author or the source of the leak and is utilizing it as the final payload.”

TaxiSpy RAT, similar to PixRevolution, abuses Android’s accessibility service and MediaProjection APIs to collect SMS messages, contacts, call logs, clipboard contents, installed apps list, notifications, lock screen PINs, and keystrokes, as well as target Russian banking, cryptocurrency, and government apps by serving overlays to conduct credential theft.

The malware combines traditional banking trojan functionality with full RAT capabilities, enabling threat actors to gather sensitive data and execute commands sent via Firebase push messages. Several TaxiSpy samples have been discovered by both CYFIRMA and Zimperium, indicating active efforts on the part of attackers to evade signature-based detection and blacklist defenses.

“The malware leverages advanced evasion techniques, such as native library encryption, rolling XOR string obfuscation, and real-time VNC-like remote control via WebSocket,” CYFIRMA said. “Its design allows comprehensive device surveillance, including SMS, call logs, contacts, notifications, and banking app monitoring, highlighting its financially motivated and region-specific focus.”

Another Android banking trojan of note is Mirax, which has been advertised by a threat actor named Mirax Bot as a private malware-as-a-service (MaaS) offering for a monthly price of $2,500 for a full version or $1,750 for a light variant. Mirax claims to offer banking overlays, information gathering (e.g., keystrokes, SMS, lock patterns), and a SOCKS5 proxy to route malicious traffic through compromised devices.

Mirax is not the only Android MaaS offering detected in recent months. A new Android remote access trojan called Oblivion is being sold for around $300 per month (or $1,900 per year and $2,200 for lifetime access) and claims to bypass detection and security features on devices from major manufacturers.

Once installed, the malware employs an automated permission-granting mechanism that requires no interaction from the victim. This approach, per the seller, works across MIUI / HyperOS (Xiaomi), One UI (Samsung), ColorOS (OPPO), MagicOS (Honor), and OxygenOS (OnePlus).

“What sets it apart isn’t any single feature. It’s the combination: automated permission bypass, hidden remote control, deep persistence, and a point-and-click builder that puts all of it within reach of would-be hackers with even the most minimal level of technical skill,” Certos said.

“Google has made progressive restrictions on accessibility service abuse a priority across successive Android versions. A tool that credibly bypasses those protections on the latest release – and does so across devices from Samsung, Xiaomi, OPPO, and others – represents a genuine challenge to platform-level defenses.”

Also commercially distributed through a Telegram-based MaaS ecosystem is an Android malware family called SURXRAT, which is assessed to be an improved version of Arsink. The malware abuses accessibility permissions for persistent control and communicates with a Firebase-based C2 infrastructure to commandeer infected devices. The malware is marketed on a Telegram channel managed by an Indonesian threat actor.

What’s notable about some of the new samples is the presence of a large language model (LLM) component, indicating that the threat actors behind the malware are experimenting with artificial intelligence (AI) capabilities, along with traditional surveillance. That said, the download of the LLM module is triggered only when specific gaming applications are active on the victim’s device, or when it receives alternative target package names dynamically from the server –

• Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax)
• Free Fire x JUJUTSU KAISEN (com.dts.freefireth)

Select SURXRAT samples also incorporate a ransomware-style screen locker module that makes it possible for a remote operator to hijack control of a victim’s device and deny access by displaying a full-screen lock message until a payment is made.

“This evolution highlights how existing Android RAT frameworks continue to be repurposed and expanded by threat actors, accelerating malware development cycles and enabling rapid introduction of new surveillance and control functionalities,” Cyble said. “The observed experimentation with large AI model integration further indicates that threat actors are actively exploring emerging technologies to enhance operational effectiveness and evade detection.”

For more than a year, a Russian-speaking threat actor targeted human resource (HR) departments with malware that delivers a new EDR killer named BlackSanta.

Described as “sophisticated,” the campaign mixes social engineering with advanced evasion techniques to steal sensitive information from compromised systems.

It is unclear how the attack begins, but researchers at Aryaka, a network and security solutions provider, suspect that the malware is distributed via spear-phishing emails.

They believe that targets are directed to download ISO image files that appear as resumes and are hosted on cloud storage services, such as Dropbox.

One malicious ISO analyzed contained four files: a Windows shortcut (.LNK) disguised as a PDF file, a PowerShell script, an image, and a .ICO file.

The shortcut launches PowerShell and executes the script, which extracts data hidden in the image file using steganography and executes it in system memory.

The code also downloads a ZIP archive containing a legitimate SumatraPDF executable and a malicious DLL (DWrite.dll) to load using the DLL sideloading technique.

The malware performs system fingerprinting and sends the information to the command-and-control (C2) server, and then performs extensive environment checks to stop execution if sandboxes, virtual machines, or debugging tools are detected.

It also modifies Windows Defender settings to weaken security at the host, performs disk-write tests, and then downloads additional payloads from the C2, which are executed via process hollowing, inside legitimate processes.

BlackSanta EDR killer

A key component delivered in the campaign is an executable identified as the BlackSanta EDR killer, a module that silences endpoint security solutions before deploying malicious payloads.

BlackSanta adds Microsoft Defender exclusions for ‘.dls’ and ‘.sys’ files, and modifies a Registry value to reduce telemetry and automatic sample submission to Microsoft security cloud endpoints.

The researchers’ report notes that BlackSanta can also suppress Windows notifications to minimize or completely silence user alerts. The core function of BlackSanta is to terminate security processes, which it does by:

1. enumerating running processes
2. comparing the names against a large hardcoded list of antivirus, EDR, SIEM, and forensic tools
3. retrieving the matching process IDs
4. using the loaded drivers to unlock and terminate those processes at the kernel level

Aryaka did not share details about the target organizations or the threat actors behind the campaign, and couldn’t retrieve the final payload used in the observed case, as the C2 server was unavailable at the time of their examination.

The researchers were able to identify additional infrastructure used by the same threat actor and discovered multiple IP addresses related to the same campaign. This is how they learned that the operation had been running unnoticed for the past year.

Looking at the IP addresses, the researchers uncovered that the malware also downloaded Bring Your Own Driver (BYOD) components that included the RogueKiller Antirootkit driver v3.1.0 from Adlice Software, and IObitUnlocker.sys v1.2.0.1 from IObit.

These drivers have been used in malware operations to gain elevated privileges on the compromised machine and suppress security tools.

RogueKiller (truesight.sys) allows manipulation of kernel hooks and memory monitoring, while IObitUnlocker.sys allows bypassing file and process locks. This combination provides the malware with low-level access to system memory and processes.

Aryaka researchers say the threat actor behind the campaign shows strong operational security and uses context-aware, stealthy infection chains to deploy components such as BlackSanta EDR.