Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks
Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks
https://thehackernews.com/2026/03/hive0163-uses-ai-assisted-slopoly.html
Publish Date: 2026-03-12 13:02:00
Source Domain: thehackernews.com
Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163.
“Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take,” IBM X-Force researcher Golo Mühr said in a report shared with The Hacker News.
Hive0163’s operations are driven by extortion through large-scale data exfiltration and ransomware. The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.
In one ransomware attack observed by the company in early 2026, the threat actor was observed deploying Slopoly during the post-exploitation phase so as to maintain persistent access to the compromised server for more than a week.
Slopoly’s discovery can be traced back to a PowerShell script that’s likely deployed into the “C:ProgramDataMicrosoftWindowsRuntime” folder by means of a builder. Persistence is achieved by setting up a scheduled task called “Runtime Broker.”
There are signs that the malware was developed with the help of an as-yet-undetermined large language model (LLM). This includes the presence of extensive comments, logging, error handling, and accurately named variables. The comments also describe the script as a “Polymorphic C2 Persistence Client,” indicating that it’s part of a command-and-control (C2) framework.
“However, the script does not possess any advanced techniques and can hardly be considered polymorphic, since it’s unable to modify its own code during execution,” Mühr noted. “The builder may, however, generate new clients with different randomized configuration values and function names, which is standard practice among malware…
