
AI-Generated Slopoly Malware Facilitates Week-Long Intrusion in Interlock Ransomware Campaign

2 min read

A novel malware strain named Slopoly, which cybersecurity analysts strongly suspect was generated using artificial intelligence tools, enabled threat actors to maintain persistent access to a compromised server for over a week. This access was exploited to steal sensitive data as part of an Interlock ransomware attack. The intrusion chain began with a social engineering tactic known as a ClickFix ruse. In the later stages of the operation, the attackers deployed the Slopoly backdoor. This malicious tool was implemented as a PowerShell script designed to function as a client for a command-and-control (C2) framework, providing the attackers with remote control over the infected system.

Researchers from IBM X-Force who analyzed the script identified several compelling indicators that point to its creation via a Large Language Model (LLM). While the specific AI tool could not be pinpointed, the code's characteristics are highly unusual for human-developed malware. Key telltale signs include an excessive amount of explanatory comments within the code, meticulously structured logging routines, comprehensive error-handling mechanisms, and the use of clearly named, descriptive variables. Such organized and well-documented code is atypical for malicious software, which is often obfuscated and written with minimal clarity to hinder analysis.

The attack has been attributed by IBM to a financially motivated threat group tracked as Hive0163. This group's primary objective is believed to be extortion, achieved through large-scale data exfiltration followed by the deployment of ransomware. Despite the sophisticated origin suggested by its AI-assisted creation, the Slopoly malware itself is assessed as being relatively unsophisticated in its capabilities. However, its use within the ransomware operators' attack chain is a significant development. It demonstrates that threat actors are actively leveraging generative AI to accelerate the development of custom malware. This acceleration can lower the barrier to entry for cybercriminals and help create tools that may bypass traditional signature-based detection methods more easily.

Although comments within the Slopoly script describe it as a "Polymorphic C2 Persistence Client," the IBM X-Force analysis did not find any actual features that would allow the code to modify its own structure or signature to evade detection—a hallmark of true polymorphic malware. This discrepancy further supports the theory of AI generation, where the model may have been prompted to create a "polymorphic" tool but did not fully implement the complex functionality. The incident underscores a growing trend in the cyber threat landscape: the weaponization of generative AI to create functional, if sometimes flawed, malicious code, thereby increasing the speed and volume of threats that organizations must defend against.
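To turn the authorship traits X-Force lists above (dense comments, structured logging, error handling, descriptive variable names) and the claim-versus-capability gap around "polymorphic" into something an analyst can run during triage, here is an added Python heuristic; it is not code from the report or from the Slopoly script, the sample PowerShell it scores is a constructed benign script, and the thresholds and regexes are assumptions.

```python
"""Heuristic triage of a PowerShell script for LLM-style authorship traits
and for a 'polymorphic' claim in comments that no self-rewriting code backs."""
import re

# Constructed, benign sample in the described style; NOT the Slopoly script.
SAMPLE_SCRIPT = r"""
# Configuration section: define paths and retry behaviour
$LogFilePath = "C:\Temp\inventory.log"
$MaximumRetryCount = 3
$RetryDelaySeconds = 5
# Helper: write a timestamped entry to the log file
function Write-Log {
    param([string]$Message, [string]$Level = "INFO")
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Add-Content -Path $LogFilePath -Value "[$timestamp] [$Level] $Message"
}
# Main block: enumerate files and record the result
try {
    # Collect the directory listing
    $fileList = Get-ChildItem -Path "C:\Temp" -File
    Write-Log -Message "Found $($fileList.Count) files"
} catch {
    # Log the failure with the exception message
    Write-Log -Message "Enumeration failed: $_" -Level "ERROR"
}
"""

def llm_style_score(script: str) -> dict:
    """Return trait counts plus a 0-4 score; thresholds are assumed, not from the report."""
    lines = [ln for ln in script.splitlines() if ln.strip()]
    comments = [ln for ln in lines if ln.lstrip().startswith("#")]
    catch_blocks = len(re.findall(r"\bcatch\b", script))
    # Counts definitions as well as calls of common logging cmdlets/helpers
    logging_refs = len(re.findall(r"\bWrite-(?:Log|Verbose|Output|Host)\b", script))
    variables = set(re.findall(r"\$([A-Za-z]\w*)", script))  # skips $_ and $(...)
    descriptive = [v for v in variables if len(v) >= 8]
    m = {
        "comment_ratio": round(len(comments) / max(len(lines), 1), 2),
        "catch_blocks": catch_blocks,
        "logging_refs": logging_refs,
        "descriptive_variable_ratio": round(len(descriptive) / max(len(variables), 1), 2),
        # A 'polymorphic' label in text versus any reference to the script's own path
        "claims_polymorphic": bool(re.search(r"polymorph", script, re.I)),
        "self_path_refs": len(re.findall(r"\$PSCommandPath|\$MyInvocation", script)),
    }
    m["score"] = sum([m["comment_ratio"] >= 0.25, catch_blocks >= 1,
                      logging_refs >= 2, m["descriptive_variable_ratio"] >= 0.5])
    return m
```

A high score only flags a script for analyst review; it says nothing about intent, and a "claims_polymorphic" value of True with zero self-path references is the mismatch the article describes.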
