What happened
IBM X-Force uncovered a likely AI-generated malware strain called Slopoly during a ransomware incident involving the financially motivated threat group Hive0163. The script was deployed on an already compromised Windows server and functioned as the client component of a custom command-and-control framework, with persistence established through a scheduled task named Runtime Broker. IBM said the malware’s structure showed likely signs of AI-assisted development, including extensive comments, consistent error handling, clearly named variables, and an unused “Jitter” function. The broader intrusion began with a ClickFix social-engineering attack and progressed through tools including NodeSnake, InterlockRAT, AzCopy, and Advanced IP Scanner, with Slopoly used later in the attack chain to maintain access to the infected server.
Who is affected
Organizations hit by Hive0163 ransomware activity are affected, particularly Windows environments where attackers can gain initial access through social engineering and maintain persistence with custom malware.
Why CISOs should care
The discovery shows how threat actors can use likely AI-generated malware to speed up development of custom tools for persistence and command-and-control, while blending those tools into broader ransomware operations.
3 practical actions
- Watch for ClickFix-style initial access attempts. Monitor for fake verification pages and suspicious PowerShell execution triggered by user interaction.
- Hunt for Hive0163 indicators of compromise. Review systems for artifacts tied to Slopoly, NodeSnake, InterlockRAT, and the reported C2 infrastructure.
- Prioritize behavior-based detection. IBM X-Force advised defenders to move beyond signature-based tools because AI-generated malware may not match known patterns.
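One way to turn the "Runtime Broker" scheduled-task detail from the incident summary and the hunting action above into a concrete check, as an added example that is not from IBM X-Force's report: the script parses the CSV written by `schtasks /query /fo CSV /v` (its "TaskName" and "Task To Run" columns) and flags tasks whose name mimics a Windows component or whose action is a script host launched from a user-writable path. The masquerade name list and the sample rows are constructed for this example.

```python
"""Flag scheduled tasks that masquerade as a Windows component, as the Slopoly
persistence task named 'Runtime Broker' did.  Input: the CSV written by
`schtasks /query /fo CSV /v`.  All sample rows are constructed for this example."""
import csv
import io
import re

# Windows components never registered as scheduled tasks by Windows itself
# (assumption: short illustrative list, not exhaustive).
MASQUERADE_NAMES = {"runtimebroker", "svchost", "dllhost", "winlogon", "csrss"}
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|cmd)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.I)

def normalize(task_name: str) -> str:
    """'\\Runtime Broker' -> 'runtimebroker': drop folder path, spaces and case."""
    return re.sub(r"[\s_\-]", "", task_name.rsplit("\\", 1)[-1]).lower()

def assess(row: dict) -> list:
    """Reasons one schtasks row looks like masquerading persistence (empty = clean)."""
    reasons = []
    command = row.get("Task To Run") or ""
    if normalize(row.get("TaskName") or "") in MASQUERADE_NAMES:
        reasons.append("name mimics a Windows component")
    if SCRIPT_HOSTS.search(command):          # e.g. powershell.exe -w hidden ...
        reasons.append("action is a script host")
    if USER_WRITABLE.search(command):         # e.g. C:\ProgramData\... or C:\Users\...
        reasons.append("action runs from a user-writable path")
    return reasons

def hunt(csv_text: str) -> dict:
    """Map each suspicious TaskName to its reasons; clean tasks are left out."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("TaskName") == "TaskName":   # schtasks may repeat the header row
            continue
        reasons = assess(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings

# Constructed sample: a stock Microsoft task, the masquerade, and a vendor task.
SAMPLE = r'''"HostName","TaskName","Author","Task To Run","Run As User"
"SRV01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"SRV01","\Runtime Broker","SRV01\admin","powershell.exe -w hidden -File C:\ProgramData\rb.ps1","SYSTEM"
"SRV01","\Backup Agent","SRV01\admin","C:\Program Files\Backup\agent.exe --sync","SYSTEM"
'''

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run it against a real export on a suspect host; the legitimate RuntimeBroker.exe is started by Windows itself, never by a scheduled task, so any hit on the name alone deserves a look.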
