IBM Uncovers ‘Slopoly,’ Likely AI-Generated Malware Used in Hive0163 Ransomware Attack

What happened

IBM X-Force uncovered a likely AI-generated malware strain, dubbed Slopoly, while responding to a ransomware incident attributed to the financially motivated threat group Hive0163. The script was deployed on an already compromised Windows server and acted as the client component of a custom command-and-control framework, with persistence established through a scheduled task named Runtime Broker, a name that mimics the legitimate Windows RuntimeBroker.exe process. IBM said the code's structure carried hallmarks of AI-assisted development, including extensive comments, uniformly consistent error handling, clearly named variables, and an unused "Jitter" function; these are stylistic indicators rather than proof of authorship. The broader intrusion began with a ClickFix social-engineering lure and progressed through NodeSnake, InterlockRAT, AzCopy, and Advanced IP Scanner, with Slopoly deployed late in the attack chain to keep access to the infected server.

Who is affected

Organizations hit by Hive0163 ransomware activity are affected, particularly Windows environments where attackers can gain initial access through social engineering and maintain persistence with custom malware. 

Why CISOs should care

The discovery shows how threat actors can use likely AI-generated malware to speed up development of custom tools for persistence and command-and-control, while blending those tools into broader ransomware operations. 

3 practical actions

  1. Watch for ClickFix-style initial access attempts. Monitor for fake verification pages and for PowerShell, mshta or cmd executions that follow user interaction, such as a command pasted into the Win+R dialog. 
  2. Hunt for Hive0163 indicators of compromise. Review systems for artifacts tied to Slopoly (including the Runtime Broker scheduled task), NodeSnake, InterlockRAT, and the C2 infrastructure reported by IBM. 
  3. Prioritize behavior-based detection. IBM X-Force advised defenders to move beyond signature-based tools because AI-generated malware can be regenerated or restyled on demand and may not match known patterns. 
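The following hunt script is an added example for the three actions above; it is not code from IBM X-Force or from the article. It checks a single Windows host for the persistence name the article reports (a scheduled task called Runtime Broker), for ClickFix-style Win+R history in each user's RunMRU key, and for recent PowerShell script block events (ID 4104) that use encoded or hidden-window flags. The registry path, event log name and cmdlets are standard Windows locations and commands; the list of suspicious strings and the seven-day window are assumptions and should be tuned to the environment.

```powershell
# Added hunt script (not from IBM X-Force or the article). Run in an elevated
# PowerShell session on the host under review. Script block logging must be
# enabled for check 3 to return anything.

$findings = @()

# 1. Scheduled task named "Runtime Broker". The legitimate RuntimeBroker.exe is
#    a COM helper started by svchost, not a scheduled task, so any task by this
#    name deserves inspection of its action and arguments.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -match '^Runtime\s*Broker$' } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{
            Check  = 'ScheduledTask'
            Detail = "$($_.TaskPath)$($_.TaskName) -> $actions"
        }
    }

# 2. RunMRU: ClickFix lures tell the victim to paste a command into Win+R, and
#    Explorer keeps that history per user. Walk every loaded hive under HKEY_USERS
#    rather than only HKCU so other logged-on accounts are covered.
#    The pattern below is an assumed starting list, not a complete signature.
$suspicious = 'powershell|pwsh|mshta|cmd\.exe|curl|iwr|Invoke-Expression|\biex\b|-enc|FromBase64String'
$psNoise = 'MRUList','PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sid = $_.PSChildName
        $key = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if (($p.Name -notin $psNoise) -and ("$($p.Value)" -match $suspicious)) {
                    $findings += [pscustomobject]@{ Check = 'RunMRU'; Detail = "${sid}: $($p.Value)" }
                }
            }
        }
    }

# 3. PowerShell script block logs (event 4104) from the last 7 days (assumed window)
#    containing encoded or hidden-window invocations typical of ClickFix one-liners.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -and ($_.Message -match '-enc|-EncodedCommand|-w(indowstyle)?\s+hidden|FromBase64String') } |
    Select-Object -First 50 |
    ForEach-Object {
        $snippet = $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length))
        $findings += [pscustomobject]@{ Check = 'ScriptBlock4104'; Detail = "$($_.TimeCreated): $snippet" }
    }

if ($findings.Count -eq 0) {
    'No Slopoly/ClickFix-style artifacts found by these checks.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The task-name check is deliberately narrow because the article names the task precisely; the RunMRU and 4104 checks are broader and will surface benign administrator activity, so treat hits as leads to triage rather than confirmed compromise, and pair them with IBM's published indicators for the C2 infrastructure.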


John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.