AI-Generated Slopoly Malware Emerges: Hive0163 Boosts Ransomware Persistence with New AI Tools

Hive0163’s AI-Generated Slopoly Malware Enhances Ransomware Persistence

Researchers at IBM X-Force have published details of Slopoly, a PowerShell backdoor they assess was written with the help of artificial intelligence (AI). The financially motivated threat group tracked as Hive0163 uses it to keep access to compromised hosts during ransomware attacks.

Golo Mühr, a researcher at IBM X-Force, puts the finding in perspective: "Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take." The concern is less the capability of this particular script than the speed at which such tooling can now be produced.

Hive0163’s Malicious Arsenal

Hive0163 has been associated with a variety of malicious tools, including:

– NodeSnake: A first-stage malware component designed to execute shell commands, establish persistence, and retrieve additional payloads.

– Interlock RAT: A remote access trojan that facilitates unauthorized control over compromised systems.

– JunkFiction Loader: A loader used to deploy various malware strains onto infected machines.

– Interlock Ransomware: A ransomware variant used to encrypt victim data and demand ransom payments.

In early 2026, Hive0163 deployed Slopoly in the post-exploitation phase of a ransomware attack and used it to keep access to a compromised server for more than a week.

Unveiling Slopoly

Slopoly was found as a PowerShell script in the C:\ProgramData\Microsoft\Windows\Runtime\ directory, most likely written there by a builder tool. It persists through a scheduled task named Runtime Broker, a name that imitates the legitimate Windows RuntimeBroker.exe process so the task does not stand out in a listing.

Several traits suggest that Slopoly was written with the assistance of an unidentified large language model (LLM): extensive comments, detailed logging, thorough error handling, and descriptive variable names throughout the code. Notably, comments within the script describe it as a Polymorphic C2 Persistence Client, indicating its intended role within a command-and-control (C2) framework.

However, Mühr notes that the script lacks advanced techniques and cannot be considered truly polymorphic, as it doesn’t modify its own code during execution. It’s possible that the builder generates new clients with varied configuration values and function names, a common practice among malware builders.
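The persistence described above (a PowerShell script under C:\ProgramData launched by a scheduled task with a look-alike name) is a pattern that can be hunted for directly in the task store. The following is an added example, not code from IBM X-Force or from the Slopoly builder: it parses the XML task definitions that Windows keeps under C:\Windows\System32\Tasks and flags tasks that launch a script interpreter against a user-writable path or carry a name that imitates a Windows component. Both task definitions embedded below are constructed; the script file name client.ps1 and the PowerShell switches are assumptions, not indicators from the report.

```python
"""Flag scheduled tasks whose action launches a script from a user-writable path.

Added example (not IBM X-Force's analysis code, not the Slopoly builder).
Windows keeps one XML definition per task under C:\\Windows\\System32\\Tasks;
this parses that XML and reports tasks matching the persistence pattern the
article describes. Both task definitions below are constructed; client.ps1
and the PowerShell switches are assumptions.
"""
import re
import sys
from pathlib import Path, PureWindowsPath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters that turn a scheduled task into a script launcher.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# Locations any user or service can write to; vendor tasks normally run
# from Program Files or System32.
WRITABLE_ROOTS = (PureWindowsPath(r"C:\ProgramData"),
                  PureWindowsPath(r"C:\Users"),
                  PureWindowsPath(r"C:\Windows\Temp"))
# Task names that imitate legitimate Windows processes. Slopoly used
# 'Runtime Broker', the description of RuntimeBroker.exe.
LOOKALIKE_NAMES = {"runtime broker", "runtimebroker"}

# Constructed: what the Slopoly task could look like on disk. The XML
# declaration is omitted here; real task files are UTF-16 and should be
# handed to the parser as bytes (see scan_tasks_dir).
SAMPLE_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Runtime Broker</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\ProgramData\Microsoft\Windows\Runtime\client.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: an ordinary built-in task that must not be flagged.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>"""


def parse_task(xml_data):
    """Return (task URI, [(command, arguments), ...]) from one task definition."""
    root = ET.fromstring(xml_data)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    actions = [(ex.findtext("t:Command", default="", namespaces=NS),
                ex.findtext("t:Arguments", default="", namespaces=NS))
               for ex in root.findall("t:Actions/t:Exec", NS)]
    return uri, actions


def assess_task(xml_data):
    """Return (task URI, list of findings); an empty list means nothing odd."""
    uri, actions = parse_task(xml_data)
    findings = []
    for command, args in actions:
        host = PureWindowsPath(command).name.lower()
        if host not in SCRIPT_HOSTS:
            continue
        # Every absolute Windows path in the argument string.
        for raw in re.findall(r"[A-Za-z]:\\[^\s\"']+", args):
            path = PureWindowsPath(raw)           # case-insensitive comparisons
            if any(root in path.parents for root in WRITABLE_ROOTS):
                findings.append(f"{host} runs {path} from a user-writable location")
        if re.search(r"-(?:WindowStyle\s+Hidden|w\s+hidden|ExecutionPolicy\s+Bypass|ep\s+bypass)",
                     args, re.I):
            findings.append(f"{host} started hidden or with execution policy bypassed")
    if PureWindowsPath(uri).name.lower() in LOOKALIKE_NAMES:
        findings.append(f"task name {uri!r} imitates a built-in Windows component")
    return uri, findings


def scan_tasks_dir(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Walk a live host's task store and yield (file, uri, findings) for flagged tasks."""
    for file in Path(tasks_dir).rglob("*"):
        if not file.is_file():
            continue
        try:
            uri, findings = assess_task(file.read_bytes())   # bytes: BOM and UTF-16 handled by expat
        except ET.ParseError:
            continue
        if findings:
            yield file, uri, findings


if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. python hunt_tasks.py C:\Windows\System32\Tasks
        for file, uri, findings in scan_tasks_dir(sys.argv[1]):
            print(file, uri, *findings, sep="\n  ")
    else:                            # offline demo on the constructed samples
        for sample in (SAMPLE_TASK_XML, BENIGN_TASK_XML):
            uri, findings = assess_task(sample)
            print(uri, *(findings or ["no findings"]), sep="\n  ")
```

Run it on a host with the task directory as argument (it needs administrator rights to read the task store), or with no argument to see the two constructed samples scored. The name check is deliberately narrow; the stronger signal is a script interpreter pointed at ProgramData, which legitimate vendor tasks rarely do.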

Functionality and Impact

The PowerShell script is a simple backdoor with three jobs:

– Beaconing: Sends a heartbeat message containing system information to a C2 server every 30 seconds.

– Command Polling: Checks for new commands from the C2 server every 50 seconds.

– Command Execution: Executes received commands via cmd.exe and transmits the results back to the server.

The specific commands executed within the compromised network remain unknown.
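Two fixed timers (a 30-second heartbeat and a 50-second command poll) are exactly the kind of behaviour that network telemetry catches even when the script itself is never recovered. The following is an added example, not code from IBM X-Force and not Slopoly itself: it groups outbound requests from a proxy log per source and destination, measures the spacing between consecutive requests, and flags streams whose spacing is almost constant. All log lines are constructed inside the block; the addresses come from the RFC 5737 documentation ranges and the URL paths are assumptions, not indicators from the report. It also shows a caveat specific to Slopoly: with only host-level metadata (TLS or NetFlow), the two interleaved timers look far less regular than either does on its own.

```python
"""Beacon-interval analysis over web-proxy log lines.

Added example (not IBM X-Force's code, not Slopoly). Flags per-destination
request streams whose inter-arrival time is nearly constant, the signature
of a fixed-interval heartbeat (30 s) or command poll (50 s). All log lines
are constructed; addresses are RFC 5737 documentation ranges and the URL
paths are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, median, pstdev
from urllib.parse import urlsplit

LOG_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_sample_log():
    """Constructed proxy log: one infected host running both Slopoly timers,
    plus one user browsing at irregular intervals."""
    t0 = datetime(2026, 2, 3, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for k in range(20):                       # heartbeat every 30 s, +/-1 s jitter
        t = t0 + timedelta(seconds=30 * k + (k % 3) - 1)
        lines.append(f"{t:{LOG_FMT}} 10.0.0.5 POST http://198.51.100.7/api/heartbeat 200")
    for k in range(12):                       # command poll every 50 s, +/-1 s jitter
        t = t0 + timedelta(seconds=50 * k + (k % 3) - 1)
        lines.append(f"{t:{LOG_FMT}} 10.0.0.5 GET http://198.51.100.7/api/commands 200")
    for off in (0, 3, 50, 62, 262, 267, 357, 358, 373):   # human browsing
        t = t0 + timedelta(seconds=off)
        lines.append(f"{t:{LOG_FMT}} 10.0.0.9 GET http://203.0.113.10/news/index.html 200")
    return lines


def parse_line(line):
    """'<ts> <src> <method> <url> <status>' -> (aware datetime, src, url)."""
    ts, src, _method, url, _status = line.split()
    return datetime.strptime(ts, LOG_FMT).replace(tzinfo=timezone.utc), src, url


def detect_beacons(lines, key="url", min_hits=8, max_cv=0.1):
    """Score every (source, destination) stream and mark metronomic ones.

    key="url"  groups by full URL, which keeps separate timers apart.
    key="host" groups by destination host only, all you get from TLS or
               flow metadata where the path is invisible.
    A stream is marked as a beacon when its coefficient of variation
    (stdev / mean of the gaps) is at most max_cv: ~0 means a fixed timer.
    """
    streams = defaultdict(list)
    for line in lines:
        ts, src, url = parse_line(line)
        dst = url if key == "url" else urlsplit(url).hostname
        streams[(src, dst)].append(ts)

    results = []
    for (src, dst), stamps in streams.items():
        if len(stamps) < min_hits:            # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        results.append({"src": src, "dst": dst, "hits": len(stamps),
                        "median_gap": median(gaps), "cv": round(cv, 3),
                        "beacon": cv <= max_cv})
    return results


if __name__ == "__main__":
    log = make_sample_log()
    for mode in ("url", "host"):
        print(f"--- grouped by {mode}")
        for r in sorted(detect_beacons(log, key=mode), key=lambda r: r["cv"]):
            flag = "BEACON" if r["beacon"] else "      "
            print(f"{flag} {r['src']} -> {r['dst']}: {r['hits']} hits, "
                  f"median gap {r['median_gap']:.0f}s, cv {r['cv']}")
```

Grouped by URL, the heartbeat stream scores at a median gap of about 30 s and the command poll at about 50 s, both with a coefficient of variation well under 0.1, while the browsing stream is nowhere near. Grouped by host, the same two timers interleave into gaps of roughly 0, 10, 20 and 30 s and the coefficient of variation rises above 0.5, so a host-level hunt needs either a looser threshold or a frequency-based method rather than a single interval statistic.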

Attack Methodology

The attack began with the ClickFix social engineering tactic, which tricked the victim into running a PowerShell command that downloaded NodeSnake. NodeSnake, the first-stage component listed above, ran shell commands, set up persistence, and then fetched and launched the broader Interlock RAT framework.

Hive0163 is known to use ClickFix and malvertising for initial access. The group also buys footholds from initial access brokers such as TA569 (the group behind SocGholish) and TAG-124 (also tracked as KongTuke and LandUpdate808).

Interlock Framework

The Interlock framework has multiple implementations across programming languages, including PowerShell, PHP, C/C++, Java, and JavaScript, and runs on both Windows and Linux. Like NodeSnake, it polls a remote server for commands, which let the operators:

– Launch a SOCKS5 proxy tunnel: route operator traffic through the compromised host into the internal network.

– Spawn a reverse shell: take interactive control of the infected machine.

– Deliver additional payloads: deploy further malware, such as Interlock ransomware and Slopoly.

The Rise of AI-Assisted Malware

The emergence of Slopoly adds to a growing list of AI-assisted malware, including VoidLink and PromptSpy. This trend highlights how malicious actors are leveraging AI technologies to expedite malware development and scale their operations.