Cybersecurity researchers have uncovered a new, AI-assisted malware framework named Slopoly, deployed by the financially motivated threat actor Hive0163. According to a report from IBM X-Force shared with The Hacker News, the malware exemplifies a growing trend of adversaries leveraging artificial intelligence to accelerate and streamline malware development. "Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take," noted IBM X-Force researcher Golo Mühr. This development lowers the technical barrier for cybercriminals, enabling more rapid iteration and deployment of malicious tools in extortion and ransomware operations.
Hive0163 is a cybercrime group primarily associated with large-scale data exfiltration and ransomware attacks for financial gain. The group's toolkit includes known threats like the NodeSnake backdoor, Interlock RAT, JunkFiction loader, and Interlock ransomware. In an attack observed in early 2026, researchers identified the deployment of the Slopoly malware during the post-exploitation phase. Its purpose was to establish and maintain persistent access to a compromised server for over a week, ensuring the threat actors could continue their operations undetected and potentially deploy additional payloads like ransomware.
Technical analysis shows that Slopoly was discovered through a PowerShell script, likely generated and deployed via a dedicated builder tool. This script established persistence on the victim system by creating a scheduled task named "Runtime Broker," a name chosen to blend in with the legitimate Windows RuntimeBroker component. Researchers identified several hallmarks suggesting the malware was developed with the assistance of a large language model (LLM): extensive inline comments, detailed logging functions, robust error-handling routines, and descriptively named variables. One comment within the script explicitly describes it as a "Polymorphic C2 Persistence Client," positioning it as a component within a broader command-and-control (C2) framework designed to evade detection.
However, IBM X-Force's analysis suggests the current implementation is not as sophisticated as its name implies. "The script does not possess any advanced techniques and can hardly be considered polymorphic, since it's unable to modify its own code during execution," Mühr clarified. The polymorphic characteristic likely refers to the builder's capability to generate new client variants with different randomized configuration values and function names—a standard feature in many malware-as-a-service toolkits. The PowerShell script functions as a fully operational backdoor, capable of beaconing heartbeat messages containing system information to a C2 server and awaiting further commands, thereby providing Hive0163 with a reliable foothold for prolonged network intrusion.
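A defender-side check for the persistence mechanism described above, added here as an example and not code from the IBM X-Force report or from the malware: it inspects scheduled-task definitions in the XML format that `schtasks /query /xml` exports and flags a task whose name impersonates "Runtime Broker" or whose action launches a script host with hidden-window, policy-bypass or encoded-command arguments. The two task definitions are constructed samples; the script path `C:\ProgramData\client.ps1` is a placeholder, not an indicator from the report.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespace used by Windows Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# "Runtime Broker" is the task name Slopoly used; the genuine RuntimeBroker.exe
# is a Windows process, not a scheduled task, so the name alone is a signal.
LOOKALIKE_NAMES = {"runtime broker", "runtimebroker"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RISKY_FLAGS = ("-w hidden", "-windowstyle hidden", "-executionpolicy bypass",
               "-ep bypass", "-enc", "-encodedcommand")


@dataclass
class Finding:
    task: str
    reasons: list = field(default_factory=list)


def assess_task(xml_text: str) -> Finding:
    """Return a Finding for one task definition; empty reasons means nothing flagged."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1].strip()  # "\Runtime Broker" -> "Runtime Broker"
    finding = Finding(name)
    if name.lower() in LOOKALIKE_NAMES:
        finding.reasons.append("task name impersonates a Windows component")
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS).lower()
        host = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if host in SCRIPT_HOSTS:
            finding.reasons.append(f"action runs script host {host}")
            if any(flag in args for flag in RISKY_FLAGS):
                finding.reasons.append("script host launched with hidden/bypass/encoded arguments")
    return finding


def scan(task_xmls):
    """Assess several task definitions and keep only the flagged ones."""
    return [f for f in map(assess_task, task_xmls) if f.reasons]


# Constructed sample mimicking the Slopoly persistence task (placeholder script path).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Runtime Broker</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-NoP -W Hidden -ExecutionPolicy Bypass -File C:\\ProgramData\\client.ps1</Arguments>
  </Exec></Actions></Task>"""

# Constructed benign sample: a built-in maintenance task running a native binary.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command>
    <Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>"""

if __name__ == "__main__":
    for hit in scan([SUSPICIOUS_TASK, BENIGN_TASK]):
        print(hit.task, "->", "; ".join(hit.reasons))
```

Run it against real definitions by feeding the output of `schtasks /query /xml` per task into `scan`; a lookalike name with a native command, or a script host launched without risky flags, still produces a finding so that analysts can review it rather than have it silently dropped.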
The emergence of Slopoly underscores a critical evolution in the cyber threat landscape: the integration of AI into the malware development lifecycle. While the current sample may lack advanced evasion techniques, it signals a future where AI can rapidly generate functional, tailored malware, test it against security solutions, and even write convincing phishing lures. This trend necessitates a proactive shift in defense strategies, emphasizing behavioral detection, robust endpoint protection, and AI-powered security tools that can keep pace with AI-augmented threats. Organizations must prioritize security hygiene, including strict application control, network segmentation, and comprehensive monitoring to detect and respond to such persistent threats.