IBM Uncovers ‘Slopoly’: AI-Generated Malware in Hive0163 Ransomware Attack
In early 2026, IBM’s X-Force team identified a new malware strain named Slopoly, believed to be generated by artificial intelligence. This malware was deployed during a ransomware attack orchestrated by the financially motivated threat group Hive0163, marking a significant evolution in cybercriminal tactics.
Hive0163: A Profile of Persistence
Hive0163 is a well-documented cluster of threat actors known for executing high-profile global ransomware attacks, notably involving the Interlock ransomware variant. Their toolkit includes custom-built tools such as private crypters, backdoor malware like NodeSnake and InterlockRAT, and the JunkFiction loader. These tools are designed to ensure prolonged access to compromised networks. For initial access, Hive0163 employs techniques like ClickFix attacks and malvertising, often collaborating with initial access brokers to reach their targets. This collaboration positions Hive0163 among the more connected and resourceful ransomware groups currently active.
Discovery and Deployment of Slopoly
IBM analysts discovered Slopoly during an active ransomware engagement. The script was found on an already-infected server, functioning as the client component of a custom command-and-control (C2) framework. It was deployed in the directory `C:\ProgramData\Microsoft\Windows\Runtime\` and maintained persistence through a scheduled task named Runtime Broker. Hive0163 utilized Slopoly to sustain access to the compromised server for over a week, although specific commands executed during this period were not recovered.
Indicators of AI-Generated Code
The structure of the Slopoly script exhibits characteristics indicative of AI generation. It features extensive comments, consistent error handling, and clearly named variables—hallmarks of code produced by large language models. Notably, the script contains an unused Jitter function, likely a remnant from an iterative AI development process. Despite self-identifying as a Polymorphic C2 Persistence Client, the malware lacks the capability to modify its own code during execution, rendering the label misleading. IBM X-Force could not determine the specific AI model used to generate Slopoly, though the overall quality suggests the involvement of a less advanced tool.
Implications of AI in Malware Development
The emergence of Slopoly underscores a pivotal shift in cybercriminal methodologies. Attackers no longer require deep programming expertise to create functional malware; AI can now handle much of the development process. This democratization of malware creation lowers the barrier to entry for cybercriminals, potentially leading to an increase in the volume and sophistication of attacks. Palo Alto’s Unit 42, in their 2026 Global Incident Response Report, observed similar patterns of AI adoption in ransomware campaigns, further validating this trend across the broader threat landscape.
The ClickFix Entry Point and Attack Chain
The intrusion began with a ClickFix attack, a social engineering technique that manipulates victims into executing a malicious PowerShell script. Attackers present a fake CAPTCHA-like verification page that silently copies a harmful command to the user’s clipboard. The victim is then prompted to press Win+R, paste the content, and press Enter, unknowingly executing the malware.
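A ClickFix lure, as described above, ends with the victim pasting a command into the Run dialog, and Windows keeps a short history of Run-dialog commands in the RunMRU registry key. The following PowerShell is an added defensive example (not code from the IBM report or from the actors); the indicator keyword list is an assumption chosen to match a pasted PowerShell one-liner, not a signature from the report.

```powershell
# Added example: review Win+R history for commands pasted by a ClickFix lure.
# Windows stores each Run-dialog command as a value (a, b, c, ...) under RunMRU,
# and the MRUList value holds the ordering, most recent letter first.
# Only the current user's hive is examined; run it under the account that was lured.

$RunMruKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
# Assumed indicator keywords for a pasted PowerShell downloader one-liner.
$Indicators = 'powershell|pwsh|-enc|-e |hidden|iwr|irm|invoke-webrequest|invoke-expression|iex|curl|mshta|DownloadString'

function Get-RunMruEntry {
    param([string]$Key = $RunMruKey)
    if (-not (Test-Path $Key)) { return }         # no Run history for this user
    $props = Get-ItemProperty -Path $Key
    $order = [string]$props.MRUList               # e.g. "cab": value names, newest first
    $rank  = 0
    foreach ($letter in $order.ToCharArray()) {
        $name = [string]$letter
        $raw  = $props.$name
        if (-not $raw) { continue }
        $cmd  = $raw -replace '\\1$', ''          # entries are stored as "<command>\1"
        [pscustomobject]@{
            Rank       = ++$rank                  # 1 = most recently run
            Command    = $cmd
            Suspicious = [bool]($cmd -match $Indicators)
        }
    }
}

# Show only the entries that look like a pasted script-host command.
Get-RunMruEntry | Where-Object Suspicious | Format-List
```

A hit here is a lead, not proof: confirm it against the PowerShell operational log and any file the command wrote before treating the host as compromised.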
This initial access led to a layered deployment chain. First, NodeSnake, a Node.js-based backdoor, was installed, connecting to a C2 server via HTTP POST requests. Subsequently, the more advanced InterlockRAT was deployed, adding web socket communication, a SOCKS5 tunnel, and a reverse shell, enhancing the attackers’ control over the compromised system.
Broader Context: AI-Generated Malware Trends
The discovery of Slopoly is part of a broader trend where cybercriminals are leveraging AI to enhance their operations. In August 2025, ESET Research identified PromptLock, the first known AI-powered ransomware, which utilized OpenAI’s `gpt-oss:20b` model to generate malicious Lua scripts. Similarly, in September 2025, SentinelLABS reported on MalTerminal, malware that employed OpenAI’s GPT-4 model to dynamically generate malicious code, including ransomware and reverse shells. These instances highlight a growing trend of AI integration into malware development, enabling more dynamic and evasive threats.
Mitigation Strategies
The integration of AI into malware development necessitates a reevaluation of cybersecurity strategies. Organizations should consider the following measures:
1. Enhanced Detection Mechanisms: Develop and deploy advanced detection systems capable of identifying AI-generated code patterns and behaviors.
2. User Education: Conduct regular training sessions to educate employees about emerging social engineering techniques, such as ClickFix attacks, to reduce the likelihood of successful intrusions.
3. Regular System Audits: Implement routine audits to detect unauthorized scripts or scheduled tasks that may indicate persistent threats.
4. AI-Powered Defense Tools: Leverage AI-driven security solutions to anticipate and counteract AI-generated threats effectively.
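The persistence described earlier (a scheduled task named Runtime Broker launching a script from C:\ProgramData\Microsoft\Windows\Runtime\) is exactly what the audit in step 3 should catch. The PowerShell below is an added example of such an audit, not code from IBM X-Force or from the actors; the task name and directory come from the article, while the look-alike name list, the script-host list and the user-writable-path pattern are assumptions.

```powershell
# Added example: flag scheduled tasks that mimic a Windows component and/or
# launch a script host from a user-writable directory such as C:\ProgramData\.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later).

# Assumed list of names that legitimate software does not register as tasks.
$LookalikeNames = @('Runtime Broker', 'RuntimeBroker', 'svchost', 'Windows Update Helper')
# Assumed list of interpreters commonly used to run dropped scripts.
$ScriptHosts    = @('powershell.exe', 'pwsh.exe', 'node.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
# Assumed pattern for directories a non-admin process can usually write to.
$UserWritable   = '(?i)\\(ProgramData|Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp)\\'

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # only Exec actions carry a command line
            $exe     = [IO.Path]::GetFileName($action.Execute.Trim('"'))
            $cmdline = "$($action.Execute) $($action.Arguments)".Trim()
            $reasons = @()

            if ($LookalikeNames -contains $task.TaskName) {
                $reasons += 'task name mimics a Windows component'
            }
            if ($ScriptHosts -contains $exe -and $cmdline -match $UserWritable) {
                $reasons += "$exe launched from a user-writable directory"
            }
            if ($task.TaskPath -eq '\' -and $cmdline -match $UserWritable) {
                $reasons += 'root-level task runs from a user-writable directory'
            }
            if ($reasons.Count -eq 0) { continue }

            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                RunAs       = $task.Principal.UserId
                CommandLine = $cmdline
                LastRun     = $info.LastRunTime
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
```

Each flagged task should be cross-checked against the file it launches and its Author and Date properties; a task created recently with no matching software deployment is the pattern to escalate.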
Conclusion
The identification of Slopoly by IBM’s X-Force team signifies a critical juncture in cybersecurity. The utilization of AI in malware development by groups like Hive0163 exemplifies the evolving threat landscape. As cybercriminals continue to adopt AI technologies, it is imperative for organizations to enhance their defensive strategies, incorporating advanced detection mechanisms and comprehensive user education to mitigate the risks posed by these sophisticated attacks.