Researchers identified a suspected case of AI-generated malware called Slopoly used by the financially motivated group Hive0163 during a 2026 ransomware intrusion. Slopoly acted as a PowerShell-based C2 persistence client deployed late in the attack chain alongside NodeSnake, InterlockRAT and Interlock ransomware, indicating threat actors are experimenting with LLM-assisted malware generation. #Slopoly #Hive0163
Key points
- Researchers linked the suspected AI-generated Slopoly framework to the financially motivated group Hive0163 during a ransomware investigation.
- Slopoly was a PowerShell-based C2 persistence client that beacons JSON data to /api/commands and executes received instructions via cmd.exe.
- The malware was deployed by a builder into C:\ProgramData\Microsoft\Windows\Runtime and maintained persistence with a scheduled task named "Runtime Broker".
- Initial access employed ClickFix social engineering to run PowerShell, which installed NodeSnake and later InterlockRAT before Interlock ransomware was deployed via the JunkFiction loader.
- Code characteristics like extensive comments, clear logging, a leftover "Jitter" function, and well-named variables pointed to LLM-assisted generation, though Slopoly did not perform true polymorphic self-modification.
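The key points above give a defender three observable behaviours: a scheduled task named "Runtime Broker" launching from ProgramData, a PowerShell process POSTing JSON to a path ending in /api/commands, and cmd.exe being spawned by PowerShell. The script below is an added example, not code from the article or from the Slopoly framework, that turns those behaviours into detection rules and runs them over constructed, Sysmon-like event records; the event field names, the sample values and the grading scheme are assumptions made for illustration.

```python
"""Detection rules for the Slopoly-style tradecraft described in the key points.

Hypothetical example: field names, sample events and grading are assumptions.
"""
from urllib.parse import urlparse

# Constructed sample telemetry (not from the article). Events 1-3 mimic the
# behaviour described in the key points; events 4-5 are benign look-alikes
# that the rules must not flag.
SAMPLE_EVENTS = [
    {"id": 1, "type": "task_create", "task_name": "Runtime Broker",
     "action": r"powershell.exe -File C:\ProgramData\Microsoft\Windows\Runtime\client.ps1"},
    {"id": 2, "type": "network", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "url": "http://203.0.113.10/api/commands", "method": "POST",
     "content_type": "application/json"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": "powershell.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 4, "type": "task_create", "task_name": "MicrosoftEdgeUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"id": 5, "type": "network", "image": "chrome.exe",
     "url": "https://example.com/api/commands", "method": "GET", "content_type": ""},
]


def _path(url: str) -> str:
    """Lower-cased URL path without a trailing slash, so host/scheme do not matter."""
    return urlparse(url).path.rstrip("/").lower()


def rule_persistence(ev: dict):
    """Scheduled task named like the legitimate RuntimeBroker but launched from ProgramData."""
    if ev.get("type") != "task_create":
        return None
    name = ev.get("task_name", "").strip().lower()
    action = ev.get("action", "").lower()
    if name == "runtime broker" and "\\programdata\\" in action:
        return ("persistence", f"task '{ev['task_name']}' runs {ev['action']}")
    return None


def rule_beacon(ev: dict):
    """PowerShell POSTing JSON to a URL whose path ends in /api/commands."""
    if ev.get("type") != "network":
        return None
    image = ev.get("image", "").lower()
    if (image.endswith("powershell.exe")
            and ev.get("method", "").upper() == "POST"
            and _path(ev.get("url", "")).endswith("/api/commands")
            and "json" in ev.get("content_type", "").lower()):
        return ("beacon", f"PowerShell JSON POST to {ev['url']}")
    return None


def rule_cmd_exec(ev: dict):
    """cmd.exe spawned by PowerShell: weak on its own, meaningful with the other two."""
    if ev.get("type") != "process":
        return None
    if (ev.get("image", "").lower().endswith("cmd.exe")
            and ev.get("parent", "").lower().endswith("powershell.exe")):
        return ("cmd_exec", f"powershell.exe -> {ev['cmdline']}")
    return None


RULES = (rule_persistence, rule_beacon, rule_cmd_exec)


def scan(events):
    """Apply every rule to every event; return one finding per match."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"event": ev["id"], "rule": hit[0], "detail": hit[1]})
    return findings


def assess(findings) -> str:
    """Grade the combination: persistence plus beacon together is the strong signal."""
    rules = {f["rule"] for f in findings}
    if {"persistence", "beacon"} <= rules:
        return "high"
    if rules & {"persistence", "beacon"}:
        return "medium"
    if rules:
        return "low"
    return "none"


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"event {f['event']}: [{f['rule']}] {f['detail']}")
    print("assessment:", assess(found))
```

The cmd.exe-from-PowerShell rule fires constantly on ordinary admin activity, which is why it only contributes to the grade when the persistence or beacon rule also matches; in a real pipeline the three findings would be correlated per host and time window rather than over one flat list.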
Read More: https://thecyberexpress.com/slopoly-ai-generated-malware/