CyberSecurity SEE

IBM Discovers Slopoly AI-Generated Malware Linked to Hive0163 Ransomware


Ransomware Group Hive0163’s AI Experiment: Introducing Slopoly

The cybersecurity landscape is undergoing significant transformations as ransomware group Hive0163 initiates the use of an innovative malware framework, identified as “Slopoly.” This development highlights a notable pivot towards the use of artificial intelligence (AI) in executing cyberattacks, showcasing how threat actors are increasingly leveraging advanced technologies to refine their attack strategies.

The “Slopoly” malware is relatively straightforward in its architecture; its existence, however, shows how quickly threat actor capabilities are evolving. Operators can now create and iterate on custom command-and-control (C2) clients using large language models (LLMs), which significantly enhances their operational efficacy. LLMs are sophisticated AI systems that generate human-like text, and their application to cybercrime represents an alarming trend for organizations worldwide.

Hive0163 is primarily motivated by financial gain and is linked to a number of major ransomware incidents, particularly those involving the deployment of Interlock ransomware for data theft and extortion purposes. This group operates with a diverse suite of malware tools, including private crypters and various backdoors, such as NodeSnake, InterlockRAT, and the JunkFiction loader. The incorporation of these tools provides Hive0163 with a flexible approach to maintain persistence, execute lateral movements within networks, and perform encryption at scale.

In an incident examined by IBM X-Force in early 2026, the group’s operational methodology became evident. During the attack, multiple backdoors were employed first, and Slopoly was introduced later in the intrusion. This suggests that the group was actively testing the AI-generated framework in a real-world setting during an ongoing ransomware operation, reinforcing the notion that AI tools are being incrementally integrated into existing attack playbooks rather than replacing them outright.

The Functionality of Slopoly

The distinctive functionality of the Slopoly framework was brought to light by X-Force analysts, who detected a PowerShell script acting as the C2 client on an infected server. The script was identified after a ClickFix social engineering attack, in which the victim was deceived into executing a malicious PowerShell command from the Windows Run dialog. Once installed, the script was hidden within system folders, specifically under “C:\ProgramData\Microsoft\Windows\Runtime,” and it used a scheduled task named “Runtime Broker” to maintain persistent access to the compromised server for an extended period.

The characteristics of the Slopoly code suggest a strong connection to LLM-generated software. Analysts noted its extensive comments, structured logging, and consistent variable naming conventions. Intriguingly, the script labeled itself a “Polymorphic C2 Persistence Client,” even though it lacked any true polymorphic functionality. This gap between self-description and actual capability underscores the limitations of current AI-generated malware: simplistic, yet still a workable framework that enables attackers to operationalize their threats effectively.

Slopoly communicates with its C2 server by sending periodic JSON “heartbeat” beacons. It executes received commands through cmd.exe and logs the activity into a persistence.log file. This method creates an uncomplicated yet efficient backdoor, paving the way for further malicious activities.
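The two host artifacts the report names above, the “Runtime Broker” scheduled task and the C:\ProgramData\Microsoft\Windows\Runtime staging folder, are the kind of thing a defender can hunt for in a scheduled-task inventory. The following is an added example (not from IBM X-Force or the article) that runs that check over a constructed CSV shaped like a reduced `schtasks /query /fo csv /v` export; the task actions, the `client.ps1` file name and the `SRV01` host are invented sample values.

```python
import csv
import io
import re

# Indicators taken from the report: the persistence task name and the staging folder.
SUSPECT_TASK_NAME = "runtime broker"
SUSPECT_PATH = r"c:\programdata\microsoft\windows\runtime"

# Heuristic for a PowerShell launcher in the task action (assumption, not from the report).
_POWERSHELL_RE = re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b")

# Constructed sample, reduced to the columns the check needs. The "\Runtime Broker"
# row mimics the reported persistence; the other rows are benign filler.
SAMPLE_TASKS_CSV = r""""TaskName","Task To Run","Author"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g -$","Microsoft Corporation"
"\Runtime Broker","powershell.exe -w hidden -ep bypass -f C:\ProgramData\Microsoft\Windows\Runtime\client.ps1","SRV01\Administrator"
"\Backup\NightlyCopy","C:\Tools\backup.cmd","SRV01\Administrator"
"\Updater","powershell.exe -File C:\Users\Public\update.ps1","SRV01\Administrator"
"""


def classify_task(name: str, action: str) -> list[str]:
    """Return the reasons a scheduled task matches the Slopoly persistence pattern."""
    reasons = []
    leaf = name.rsplit("\\", 1)[-1].strip().lower()  # task name without folder path
    action_l = action.lower()
    runs_powershell = bool(_POWERSHELL_RE.search(action))
    # A task borrowing the legitimate "Runtime Broker" process name and launching
    # PowerShell is exactly the combination the report describes.
    if leaf == SUSPECT_TASK_NAME and runs_powershell:
        reasons.append("task named 'Runtime Broker' launches PowerShell")
    # Anything executed from the reported staging folder is suspect on its own.
    if SUSPECT_PATH in action_l:
        reasons.append("action references the Slopoly staging folder")
    # Hidden-window PowerShell is a weaker, generic signal worth surfacing for triage.
    if runs_powershell and ("-w hidden" in action_l or "-windowstyle hidden" in action_l):
        reasons.append("hidden-window PowerShell launcher")
    return reasons


def hunt_tasks(csv_text: str) -> dict[str, list[str]]:
    """Parse a schtasks-style CSV export; return {task name: reasons} for every hit."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify_task(row["TaskName"], row["Task To Run"])
        if reasons:
            hits[row["TaskName"]] = reasons
    return hits


if __name__ == "__main__":
    for task, why in hunt_tasks(SAMPLE_TASKS_CSV).items():
        print(f"{task}: {'; '.join(why)}")
```

Only the masquerading task is reported; the benign PowerShell-based “Updater” row is not flagged, which keeps the check tied to the reported artifacts rather than to PowerShell use in general.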

Pathway to Interlock Ransomware

As the attack escalated, Hive0163 used Slopoly to deploy NodeSnake, a Node.js-based initial C2 client capable of downloading malicious payloads, executing shell commands, and modifying its operational parameters. This in turn set the stage for InterlockRAT, a more complex JavaScript-based backdoor with additional capabilities such as WebSocket-based command and control, SOCKS5 tunneling, and a reverse shell.

The delivery mechanism for the Windows variant of Interlock involved encapsulating it within a JunkFiction loader, which is typically executed from a temporary user directory. This ransomware variant offers multiple command-line options, including the ability to selectively encrypt directories or files, run as a scheduled task, self-delete post-execution, and secure encryption keys in discrete folders, thus enhancing the threat level it poses.

During subsequent phases of the intrusion, Hive0163 deployed Slopoly alongside standard ransomware tools such as AzCopy for data exfiltration and Advanced IP Scanner for reconnaissance. This meticulous stratagem ultimately culminated in the execution of the Interlock ransomware attack, encrypting files across the targeted network.

Implications for Cybersecurity

Although technically simplistic, the Slopoly framework underscores the speed and efficiency with which cybercriminals can harness AI technologies to create effective backdoors tailored for specific operational needs. This mirrors insights from Palo Alto Networks’ Unit 42, which asserts that AI is significantly compressing attack timelines, lowering barriers for entry into the cybercriminal world, and enabling more scalable and organized cyberattacks through templated, AI-assisted scripts.

IBM X-Force’s assessment posits that the model underpinning Slopoly likely stems from a less advanced LLM, yet it still has resulted in a functional C2 client that was operationalized by a high-impact ransomware group. As cybercriminals gain access to increasingly weaponized forms of AI, it becomes imperative for cybersecurity defenders to evolve their detection and incident response strategies. The challenges ahead revolve around addressing more ephemeral and rapidly generated malware families, complicating clustering and tracking efforts in an ever-evolving digital landscape.

In summary, the emergence of Slopoly signifies an escalating war in the cyber domain, one where AI is not merely an enhancement but a fundamental component in the toolkit of cybercriminals. This ongoing battle necessitates rigorous adaptation and vigilance from cybersecurity professionals to effectively counter these sophisticated, AI-powered threats.
