
The Rise of AI-Enhanced Slopoly Malware: A New Threat in Ransomware Attacks


Slopoly: The AI-Generated Malware Used by Hive0163

Artificial intelligence (AI) has now found its way into the world of cybercrime, with the emergence of a new malware known as Slopoly. This sophisticated malware has been attributed to the financially motivated threat actor known as Hive0163.

The use of AI in creating malware, such as Slopoly, demonstrates how threat actors can quickly develop new malicious frameworks. According to IBM X-Force researcher Golo Mühr, this AI-generated malware allows threat actors to weaponize AI and create malware more efficiently than ever before.

Hive0163 is known for its operations involving extortion through data exfiltration and ransomware attacks. The group has been associated with various malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.

In a recent ransomware attack witnessed in early 2026, Hive0163 deployed Slopoly during the post-exploitation phase to maintain access to compromised servers for an extended period. The malware was discovered as a PowerShell script deployed through a builder, with persistence established via a scheduled task named “Runtime Broker.”
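The persistence detail above (a scheduled task named "Runtime Broker" launching a PowerShell script) is something a defender can hunt for in the Windows Security log. The following is an added example, not code from the article or from IBM X-Force: it parses Security event 4698 (scheduled task created) records and flags a task whose name masquerades as the legitimate RuntimeBroker.exe process or whose action starts a PowerShell host. The sample events, task names and paths are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Task names imitating the legitimate RuntimeBroker.exe process (the page reports a
# persistence task named "Runtime Broker") and the PowerShell hosts that run scripts.
MASQUERADE_NAMES = {"runtime broker", "runtimebroker"}
POWERSHELL_EXES = {"powershell.exe", "pwsh.exe", "powershell", "pwsh"}

def local(tag):
    """Strip an XML namespace prefix ('{ns}Exec' -> 'Exec')."""
    return tag.rsplit("}", 1)[-1]

def exec_actions(task_xml):
    """Return (command, arguments) pairs from a scheduled task's XML definition."""
    if not task_xml.strip():
        return []
    actions = []
    for el in ET.fromstring(task_xml).iter():
        if local(el.tag) == "Exec":
            fields = {local(c.tag): (c.text or "") for c in el}
            actions.append((fields.get("Command", ""), fields.get("Arguments", "")))
    return actions

def analyze_4698(event_xml):
    """Inspect one Security 4698 (task created) event; return (task name, findings)."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.iter() if local(d.tag) == "Data"}
    name = data.get("TaskName", "")
    findings = []
    if name.rsplit("\\", 1)[-1].strip().lower() in MASQUERADE_NAMES:
        findings.append("task name masquerades as Runtime Broker")
    for cmd, args in exec_actions(data.get("TaskContent", "")):
        if cmd.strip('"').rsplit("\\", 1)[-1].lower() in POWERSHELL_EXES:
            findings.append(f"action launches PowerShell: {cmd} {args}".strip())
    return name, findings

# Constructed sample events (invented values). Real events carry a namespace, which
# local() tolerates; the task XML inside TaskContent is escaped, as Windows logs it.
BENIGN = ('<Event><EventData><Data Name="TaskName">\\Backup\\Nightly</Data>'
          '<Data Name="TaskContent">&lt;Task&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;'
          'C:\\Tools\\backup.exe&lt;/Command&gt;&lt;Arguments&gt;--full&lt;/Arguments&gt;'
          '&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data></EventData></Event>')
SUSPICIOUS = ('<Event><EventData><Data Name="TaskName">\\Runtime Broker</Data>'
              '<Data Name="TaskContent">&lt;Task&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;'
              'powershell.exe&lt;/Command&gt;&lt;Arguments&gt;-File C:\\ProgramData\\update.ps1'
              '&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data></EventData></Event>')

if __name__ == "__main__":
    for event in (BENIGN, SUSPICIOUS):
        print(analyze_4698(event))
```

A name match alone is a strong signal because Windows ships no scheduled task called "Runtime Broker"; the PowerShell check is noisier and is best paired with an allowlist of known administrative tasks.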

Analysis of Slopoly suggests that it may have been developed using a large language model (LLM), as evidenced by extensive comments, accurate variable names, and descriptions within the script. While the malware is not considered polymorphic, it can generate new clients with randomized configurations, a common practice among malware developers.

The PowerShell script acts as a backdoor, sending system information to a command-and-control (C2) server, executing commands, and relaying results back to the server. The specific commands executed by Slopoly on compromised networks remain unknown.

The attack involving Slopoly utilized the ClickFix social engineering tactic to trick victims into running a PowerShell command, leading to the download of NodeSnake, a malware associated with Hive0163. NodeSnake, in turn, establishes persistence, retrieves Interlock RAT, and launches further malicious activities.


Hive0163 is known to use ClickFix, malvertising, and initial access brokers such as TA569 and TAG-124 to gain entry into target systems. The malware framework, which includes PowerShell, PHP, C/C++, Java, and JavaScript implementations, communicates with remote servers to execute commands and deploy additional payloads like Interlock ransomware and Slopoly.

The emergence of Slopoly underscores the trend of AI-assisted malware, joining the likes of VoidLink and PromptSpy. This trend highlights how threat actors leverage AI technology to accelerate malware development and enhance their operations.

While AI-generated malware may not pose a new technical threat, it significantly reduces the time needed for threat actors to plan and execute attacks. IBM X-Force emphasizes that AI in cybercrime enables threat actors to scale their operations effectively.
