APT / THREAT GROUP

SloppyMIO

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

According to HarfangLab, SloppyMIO is written in C#. It retrieves its configuration steganographically from images whose URLs are obtained through a Dead Drop Resolver (DDR) backed by GitHub. From an LSB-hidden payload in these images it extracts an XOR key, a Telegram bot token and chat ID, and module URLs. The malware can fetch and cache multiple modules from remote storage, run arbitrary commands, collect and exfiltrate files, and deploy further malware with persistence via scheduled tasks. For command-and-control it uses the Telegram Bot API: it beacons status messages, polls for commands, and sends exfiltrated files to the specified operator.

Threat Analysis

SloppyMIO is a threat actor of undetermined national origin engaged in cyber operations; its primary motivation and activity patterns are unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

win.sloppy_mio, SloppyMIO

External Intelligence

Malpedia: win.sloppy_mio

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
SloppyMIO — APT / Threat Group | Threat Intelligence | CTIWATCH.COM