2 Sources
[1]
Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks
Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163. "Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take," IBM X-Force researcher Golo Mühr said in a report shared with The Hacker News. Hive0163's operations are driven by extortion through large-scale data exfiltration and ransomware. The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware. In one ransomware attack observed by the company in early 2026, the threat actor was observed deploying Slopoly during the post-exploitation phase so as to maintain persistent access to the compromised server for more than a week. Slopoly's discovery can be traced back to a PowerShell script that's likely deployed by means of a builder, which also established persistence via a scheduled task called "Runtime Broker." There are signs that the malware was developed with the help of an as-yet-undetermined large language model (LLM). This includes the presence of extensive comments, logging, error handling, and accurately named variables. The comments also describe the script as a "Polymorphic C2 Persistence Client," indicating that it's part of a command-and-control (C2) framework. "However, the script does not possess any advanced techniques and can hardly be considered polymorphic, since it's unable to modify its own code during execution," Mühr noted. "The builder may, however, generate new clients with different randomized configuration values and function names, which is standard practice among malware builders." 
The PowerShell script functions as a full-fledged backdoor that can beacon a heartbeat message containing system information to a C2 server every 30 seconds, poll for a new command every 50 seconds, execute it via "cmd.exe," and relay the results back to the server. The exact nature of the commands run on the compromised network is currently unknown. The attack in itself is said to have leveraged the ClickFix social engineering tactic to trick a victim into running a PowerShell command, which then downloads NodeSnake, a known malware attributed to Hive0163. A first-stage component, NodeSnake, is designed to run shell commands, establish persistence, and retrieve and launch a wider malware framework referred to as Interlock RAT. Hive0163 has a track record of employing ClickFix and malvertising for initial access. Another method the threat actor uses to establish a foothold is by relying on initial access brokers such as TA569 (aka SocGholish) and TAG-124 (aka KongTuke and LandUpdate808). The framework has multiple implementations in PowerShell, PHP, C/C++, Java, and JavaScript to support both Windows and Linux. Like NodeSnake, it also communicates with a remote server to fetch commands that allow it to launch a SOCKS5 proxy tunnel, spawn a reverse shell on the infected machine, and deliver more payloads, such as Interlock ransomware and Slopoly. The emergence of Slopoly adds to a growing list of AI-assisted malware, which also includes VoidLink and PromptSpy, highlighting how bad actors are using the technology to accelerate malware development and scale their operations. "The introduction of AI-generated malware does not pose a new or sophisticated threat from a technical standpoint," IBM X-Force said. "It disproportionately enables threat actors by reducing the time an operator needs to develop and execute an attack."
[2]
AI-generated Slopoly malware used in Interlock ransomware attack
A new malware strain dubbed Slopoly, likely created using generative AI tools, allowed a threat actor to remain on a compromised server for more than a week and steal data in an Interlock ransomware attack. The breach started with a ClickFix ruse, and in later stages of the attack, the hackers deployed the Slopoly backdoor as a PowerShell script acting as a client for the command-and-control (C2) framework. IBM X-Force researchers analyzed the script and found strong indicators that it was created using a large language model (LLM), but could not determine which one. Evidence pointing to AI-assisted development includes extensive commentary in the code, structured logging, error handling, and clearly named variables. All this is rare in human-developed malware. They attributed the attack to a financially motivated group they track as Hive0163, "whose main objective is extortion through large-scale data exfiltration and ransomware." According to the researchers, Slopoly is rather unsophisticated, although its deployment in ransomware operators' attack chains indicates that AI tools are actively used to accelerate custom malware development, which can help evade detection. Although comments in the Slopoly script describe it as a "Polymorphic C2 Persistence Client," IBM X-Force did not find any feature that would allow modifying its own code during execution. "The script does not possess any advanced techniques and can hardly be considered polymorphic, since it's unable to modify its own code during execution," reads the IBM report. "The builder may, however, generate new clients with different randomized configuration values and function names, which is standard practice among malware builders." IBM X-Force researchers believe that Slopoly was generated by a builder that inserted configuration values, such as beaconing intervals, command-and-control addresses, mutex names, and session IDs. 
The malware is deployed in , and its main functions include: The commands it supports allow downloading and executing EXE, DLL, or JavaScript payloads; running shell commands and returning the results; changing beaconing intervals; updating itself; or exiting its own process. The attack IBM observed started with a ClickFix social engineering flow, and deployed multiple malware components besides Slopoly, including the NodeSnake and InterlockRAT backdoors. The Interlock ransomware payload observed in the attacks reported by IBM is a 64-bit Windows executable delivered via the JunkFiction loader. It can execute as a scheduled task running as SYSTEM, and uses Windows Restart Manager API to release locked files, appending the '. !NT3RLOCK' or '.int3R1Ock' extensions on their encrypted copies. IBM reports that Hive0163 may also have associations with the developers behind Broomstick, SocksShell, PortStarter, SystemBC, and the Rhysida ransomware operators.
Cybersecurity researchers at IBM X-Force uncovered Slopoly, an AI-generated malware used by the financially motivated threat actor Hive0163 during an Interlock ransomware attack. The PowerShell-based backdoor allowed attackers to maintain persistent access to a compromised server for over a week, highlighting how threat actors now weaponize AI to accelerate custom malware development and evade detection.
Cybersecurity researchers at IBM X-Force have disclosed details about Slopoly malware, a suspected AI-generated threat deployed by the financially motivated threat actor Hive0163 during an Interlock ransomware attack observed in early 2026 [1]. The e-crime group used the PowerShell-based backdoor to maintain persistent access to a compromised server for more than a week, demonstrating how threat actors are increasingly weaponizing artificial intelligence to accelerate custom malware development [2].
Source: Hacker News
Hive0163's operations center on extortion through large-scale data exfiltration and ransomware deployment. The group has established associations with various malicious tools including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware, along with potential connections to developers behind Broomstick, SocksShell, and Rhysida ransomware operators [2].

IBM X-Force researcher Golo Mühr identified strong indicators that Slopoly malware was developed using a large language model, though the specific AI tool remains undetermined [1]. The evidence includes extensive comments throughout the code, structured logging, sophisticated error handling, and accurately named variables, characteristics rarely seen in human-developed malware [2].
Source: BleepingComputer
Comments within the script describe it as a "Polymorphic C2 Persistence Client," suggesting it functions as part of a command-and-control (C2) framework. However, researchers found the malware lacks advanced techniques and cannot truly be considered polymorphic since it's unable to modify its own code during execution [1]. The builder may generate new clients with different randomized configuration values and function names, which represents standard practice among malware builders.

The Slopoly malware functions as a full-fledged backdoor deployed via a PowerShell script, likely generated by a builder that establishes persistent access through a scheduled task called "Runtime Broker" [1]. The malware beacons a heartbeat message containing system information to its command-and-control server every 30 seconds and polls for new commands every 50 seconds, executing them via cmd.exe and relaying results back to the server [1]. The supported commands allow downloading and executing EXE, DLL, or JavaScript payloads; running shell commands and returning results; changing beaconing intervals; updating itself; or exiting its own process [2]. This functionality enables attackers to maintain control over compromised systems while deploying additional payloads.
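The fixed 30-second heartbeat and 50-second command poll described above give defenders something concrete to look for on the network side: a client that sleeps a fixed interval between requests leaves evenly spaced connections in proxy logs, whatever the path or hostname. The script below is an added example and is not code from the IBM report or from either source article; the log format, host names and sample lines are constructed for the demonstration, and the tolerance values (minimum number of intervals, maximum coefficient of variation) are assumptions a team would tune against its own baseline.

```python
"""Flag periodic outbound requests (beaconing) in proxy-style logs.

Added example, not taken from the IBM X-Force report or the source articles.
Grouping is by (source host, destination, path); a flow is reported when its
inter-request gaps are numerous enough and have low relative spread, which is
the signature of a client sleeping a fixed interval between calls. Real
implants may add jitter, so the check uses a tolerance rather than equality.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Format: "<ISO timestamp> <src> <dst> <method> <path>".
# ws-17 talks to 203.0.113.10 (TEST-NET-3, a documentation range) every 30 s on
# /heartbeat and every 50 s on /task; the other flows are irregular browsing.
SAMPLE_LOG = """\
2026-02-03T10:00:00 ws-17 203.0.113.10 POST /heartbeat
2026-02-03T10:00:05 ws-17 203.0.113.10 GET /task
2026-02-03T10:00:07 ws-22 www.example.com GET /
2026-02-03T10:00:12 ws-17 update.example.net GET /check
2026-02-03T10:00:14 ws-17 update.example.net GET /check
2026-02-03T10:00:30 ws-17 203.0.113.10 POST /heartbeat
2026-02-03T10:00:41 ws-22 www.example.com GET /
2026-02-03T10:00:55 ws-17 203.0.113.10 GET /task
2026-02-03T10:01:01 ws-17 203.0.113.10 POST /heartbeat
2026-02-03T10:01:31 ws-17 203.0.113.10 POST /heartbeat
2026-02-03T10:01:45 ws-17 203.0.113.10 GET /task
2026-02-03T10:01:50 ws-17 update.example.net GET /check
2026-02-03T10:02:00 ws-17 203.0.113.10 POST /heartbeat
2026-02-03T10:02:12 ws-22 www.example.com GET /
2026-02-03T10:02:20 ws-17 update.example.net GET /check
2026-02-03T10:02:30 ws-17 203.0.113.10 POST /heartbeat
2026-02-03T10:02:35 ws-17 203.0.113.10 GET /task
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, path)."""
    ts, src, dst, _method, path = line.split()
    return datetime.fromisoformat(ts), src, dst, path


def find_beacons(lines, min_intervals=3, max_cv=0.15):
    """Return {(src, dst, path): (mean_gap_seconds, coefficient_of_variation)}
    for flows whose request timing is regular enough to look like beaconing.

    min_intervals: gaps needed before a verdict (avoids flagging two-hit flows).
    max_cv: pstdev/mean ceiling; 0 means perfectly regular, larger means jitter.
    """
    flows = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, src, dst, path = parse_line(raw)
        flows[(src, dst, path)].append(ts)

    hits = {}
    for key, stamps in flows.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_intervals:
            continue
        avg = mean(gaps)
        if avg <= 0:  # identical timestamps; no cadence to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = (avg, cv)
    return hits


if __name__ == "__main__":
    for (src, dst, path), (avg, cv) in sorted(find_beacons(SAMPLE_LOG.splitlines()).items()):
        print(f"{src} -> {dst}{path}: every {avg:.1f}s (cv={cv:.3f})")
```

On the sample, only the two flows to 203.0.113.10 are reported (30 s and 50 s cadences); the browsing flows either have too few requests or too much spread. In production the same grouping would run over a sliding window, and a hit is a lead to pivot on (which process opened the connection, whether a scheduled task such as the "Runtime Broker" entry named above launched it), not a verdict on its own.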
The attack chain began with a ClickFix social engineering tactic designed to trick victims into running a PowerShell command that downloads NodeSnake, a known malware attributed to Hive0163. NodeSnake serves as a first-stage component designed to run shell commands, establish persistence, and retrieve and launch the broader Interlock RAT framework.
Hive0163 has a documented track record of employing ClickFix and malvertising for initial access, while also relying on initial access brokers such as TA569 (SocGholish) and TAG-124 (KongTuke and LandUpdate808). The Interlock framework has multiple implementations in PowerShell, PHP, C/C++, Java, and JavaScript to support both Windows and Linux environments, communicating with remote servers to launch SOCKS5 proxy tunnels, spawn reverse shells, and deliver additional payloads including Interlock ransomware and Slopoly [1].

The emergence of Slopoly adds to a growing list of AI-assisted malware including VoidLink and PromptSpy, highlighting how threat actors are using artificial intelligence to scale their operations [1]. "Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take," Mühr stated in the report [1].

While IBM X-Force noted that AI-generated malware does not pose a new or sophisticated threat from a technical standpoint, it disproportionately enables threat actors by reducing the time an operator needs to develop and execute an attack [1]. The deployment of Slopoly in ransomware operators' attack chains indicates that AI tools are actively being used to accelerate custom malware development, which can help evade detection systems [2]. Organizations should monitor for increased velocity in threat actor operations and watch for malware samples exhibiting extensive commenting and structured code patterns that may indicate AI-assisted development.

Summarized by Navi