
Cybersecurity researchers have revealed details of suspected artificial intelligence (AI)-generated malware codenamed "Slopoly", used by a financially motivated threat actor tracked as Hive0163.
“Although AI-generated malware like Slopoly is still relatively under the radar, it shows how easily threat actors can weaponize AI and develop new malware frameworks in a fraction of the time it took before,” IBM X-Force researcher Golo Mühr said in a report shared with The Hacker News.
Hive0163's operations are driven by large-scale data theft and ransomware extortion. The e-crime group is primarily associated with a range of malicious tools, including NodeSnake, Interlock RAT, the JunkFiction loader, and Interlock ransomware.
In one ransomware attack IBM X-Force observed in early 2026, the attackers deployed Slopoly in the post-exploitation phase to maintain persistent access to a compromised server for more than a week.
Slopoly was identified through a PowerShell script that was likely produced by a builder tool. The script also established persistence via a scheduled task named "Runtime Broker".
The malware appears to have been developed using a yet-to-be-determined large language model (LLM). Indicators include extensive comments, logging, error handling, and descriptively named variables. The comments describe the script as a "polymorphic C2 persistent client," indicating that it is part of a command-and-control (C2) framework.
"However, this script is not sophisticated and cannot modify its own code during execution, so it is highly unlikely to be polymorphic," Mühr said. "However, builders may generate new clients with different randomized configuration values and function names. This is standard practice for malware builders."
The PowerShell script acts as a full-fledged backdoor that beacons a heartbeat message containing system information to the C2 server every 30 seconds, polls for new commands every 50 seconds, executes them via “cmd.exe”, and relays the results back to the server. The exact nature of the commands executed on the compromised network is currently unknown.
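The fixed 30-second heartbeat and 50-second command-poll cadence described above is the kind of regularity a defender can hunt for in proxy or firewall logs. The following is an added example, not code from IBM X-Force or The Hacker News: it groups constructed log lines by source, destination and request path, measures the gaps between requests, and flags series whose gaps are both frequent and nearly constant. The IP addresses and URI paths are constructed placeholders, not indicators from the article.

```python
"""Periodic-beacon detection over constructed proxy log lines.

Added example (not IBM X-Force's or The Hacker News' code). The log lines
below are constructed; the 30-second heartbeat and 50-second command-poll
cadence mirror the behaviour the article describes for the Slopoly client.
Destination IPs and URIs are placeholders, not real indicators.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <src> <dst> <path>".
# Host 10.0.0.5 shows beacon-like traffic; host 10.0.0.9 shows ordinary browsing.
SAMPLE_LOG = """\
2026-02-03T10:00:00 10.0.0.5 198.51.100.7 /heartbeat
2026-02-03T10:00:00 10.0.0.5 198.51.100.7 /cmd
2026-02-03T10:00:30 10.0.0.5 198.51.100.7 /heartbeat
2026-02-03T10:00:50 10.0.0.5 198.51.100.7 /cmd
2026-02-03T10:01:00 10.0.0.5 198.51.100.7 /heartbeat
2026-02-03T10:01:30 10.0.0.5 198.51.100.7 /heartbeat
2026-02-03T10:01:40 10.0.0.5 198.51.100.7 /cmd
2026-02-03T10:02:00 10.0.0.5 198.51.100.7 /heartbeat
2026-02-03T10:02:30 10.0.0.5 198.51.100.7 /cmd
2026-02-03T10:02:30 10.0.0.5 198.51.100.7 /heartbeat
2026-02-03T10:00:12 10.0.0.9 203.0.113.4 /index.html
2026-02-03T10:00:41 10.0.0.9 203.0.113.4 /news
2026-02-03T10:03:05 10.0.0.9 203.0.113.4 /about
2026-02-03T10:03:07 10.0.0.9 203.0.113.4 /css/main.css
"""


def parse_log(text):
    """Group request timestamps by (src, dst, path) so that the heartbeat and
    command-poll channels of one client are evaluated as separate series."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, path = line.split()
        events[(src, dst, path)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(events, min_events=4, max_cv=0.2):
    """Return (key, mean_gap_seconds, coefficient_of_variation) for every
    series with at least `min_events` requests whose inter-request gaps vary
    by no more than `max_cv` relative to their mean. A small allowance for
    jitter (max_cv > 0) keeps clients that sleep for "roughly" N seconds in
    scope; the constructed Slopoly-style series below have zero jitter."""
    findings = []
    for key, stamps in events.items():
        stamps = sorted(stamps)
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second: not a beacon cadence
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((key, round(avg, 1), round(cv, 3)))
    return sorted(findings)


if __name__ == "__main__":
    for (src, dst, path), gap, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon-like: {src} -> {dst}{path} every ~{gap}s (cv={cv})")
```

Run against the constructed sample, the two channels of the infected host are reported (30-second and 50-second cadence) while the browsing host is not, because its gaps are irregular. In production this belongs on a rolling window of real proxy logs, with the thresholds tuned to the organisation's normal background of legitimate pollers (update checks, monitoring agents), which this heuristic will also surface.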

The attack itself reportedly used ClickFix social engineering to trick victims into running PowerShell commands and downloading NodeSnake, a known malware family attributed to Hive0163. NodeSnake, the first-stage component, is designed to execute shell commands, establish persistence, and retrieve and launch a broader malware framework called Interlock RAT.
Hive0163 has a track record of employing ClickFix and malvertising for initial access. The threat actor has also relied on initial access brokers such as TA569 (aka SocGholish) and TAG-124 (aka KongTuke and LandUpdate808) to establish a foothold.
Interlock RAT has multiple implementations in PowerShell, PHP, C/C++, Java, and JavaScript, and supports both Windows and Linux. Like NodeSnake, it communicates with a remote server to obtain commands, launches a SOCKS5 proxy tunnel, and spawns a reverse shell on the infected machine, allowing it to deliver additional payloads such as Interlock ransomware and Slopoly.
The emergence of Slopoly adds to the growing list of AI-assisted malware that also includes VoidLink and PromptSpy, highlighting how malicious actors are leveraging this technology to accelerate malware development and scale their operations.
“The introduction of AI-generated malware does not pose a new or advanced threat from a technical perspective,” IBM X-Force said in a statement. “It reduces the time required for operators to develop and execute attacks, allowing attackers to attack disproportionately.”
