Researchers have identified a suspected case of AI-generated malware being used during a ransomware attack.
The malware, which analysts dubbed “Slopoly,” was linked to a financially motivated cybercrime group tracked as Hive0163. The appearance of Slopoly in an active ransomware intrusion suggests that cybercriminal groups are beginning to experiment with AI-generated malware as part of their operational toolkit.
Hive0163 and the Experimentation with AI-generated Malware
Hive0163 is a cluster of financially motivated threat actors known for conducting ransomware campaigns that focus on large-scale data theft and extortion. The group has been associated with several global ransomware incidents involving Interlock ransomware, as well as a range of custom backdoors and loaders such as NodeSnake, InterlockRAT, and the JunkFiction loader.
During a ransomware investigation in early 2026, IBM X-Force analysts discovered that Hive0163 deployed Slopoly, a suspected AI-generated malware framework designed to maintain persistent access to a compromised server. According to the investigation, the attackers retained access to the infected machine for more than a week using the malware.
Notably, Slopoly was deployed during the later stages of the attack, suggesting the operators may have been testing the AI-generated framework in a real-world scenario. Researchers described the situation as resembling a “live-fire exercise,” where the threat actors experimented with the new tool during an active operation.
The naming conventions of variables within the script indicated that the system generating the code was explicitly instructed to produce malicious functionality. This suggests that any safety guardrails implemented in the underlying AI model were successfully bypassed. However, researchers were unable to determine which specific model generated Slopoly, although the overall quality suggested it was likely produced by a relatively less advanced system.
Slopoly is a Suspected LLM-generated C2 Tool
The Slopoly malware was discovered as a PowerShell script on an infected server. Analysis revealed that the script functioned as the client component of a command-and-control (C2) framework used by Hive0163.
Investigators believe the malware was generated through a builder tool that automatically inserted configuration data such as a session ID, mutex name, C2 server address, and beacon intervals. The builder reportedly deployed Slopoly into the directory C:\ProgramData\Microsoft\Windows\Runtime\ and established persistence by creating a scheduled task named “Runtime Broker.”
Several characteristics strongly suggested that Slopoly was produced using a large language model. The script contained extensive comments, structured logging functions, clear error handling routines, and well-named variables, features commonly seen in AI-generated malware and AI-assisted programming.
Another clue pointing to AI-assisted development was the presence of an unused “Jitter” function within the code. Researchers believe this may have been left over from iterative development with an LLM.
Interestingly, the script’s internal comments describe it as a “Polymorphic C2 Persistence Client.” In practice, however, the malware does not exhibit true polymorphic behavior. It cannot modify its own code during execution. Instead, the builder likely generates new variants of the malware with randomized configuration values and function names, a common technique used by malware builders.
How Slopoly Operates on Infected Systems
Despite its limited technicalities, Slopoly operates as a functional backdoor. After execution, it collects basic system information from the infected machine and sends it to a remote command-and-control server.
The data is transmitted in JSON format using an HTTP POST request to the /api/commands endpoint. A typical beacon includes information such as the public IP address of the infected system, the user account name, the computer name, and whether the process is running with elevated privileges.
The malware sends a heartbeat message every 30 seconds and checks for new commands roughly every 50 seconds. Any instructions received from the C2 server are executed using cmd.exe, and the results are returned to the server.
The malware also maintains a detailed log file named persistence.log, which records activity and rotates once it reaches a size of 1 MB.
Initial Infection Through ClickFix
The attack investigated by the researchers began with a social engineering technique known as ClickFix. This method tricks victims into executing malicious PowerShell commands themselves.
Victims are typically shown a CAPTCHA-style verification page that secretly copies a malicious script into the clipboard. The page then instructs users to press a sequence of keyboard commands—“Win+R” to open the Windows Run dialog, followed by “Ctrl+V” to paste the script and “Enter” to execute it.
Once executed, the PowerShell payload installs NodeSnake, a NodeJS-based malware that serves as the first stage of a larger command-and-control framework used by Hive0163.
NodeSnake supports multiple commands, including downloading and executing payloads, running shell commands, establishing persistence, updating itself, or terminating its own process.
In the observed attack, NodeSnake eventually deployed a more advanced JavaScript-based backdoor known as InterlockRAT, which supports WebSocket communications, reverse shell access, and SOCKS5 tunneling capabilities.
Ransomware Deployment and Encryption
The final stage of the intrusion involved the deployment of Interlock ransomware, packaged using the JunkFiction loader. Once executed, the ransomware scans logical drives and encrypts targeted files across the system.
Interlock uses a combination of AES-GCM encryption and RSA cryptography through the OpenSSL library (version 3.5.0). Each encrypted file receives a unique session key, which is then protected using an attacker-controlled RSA public key.
Encrypted files are typically renamed with extensions such as . !NT3RLOCK or .int3R1Ock. After completing the encryption process, the ransomware drops a ransom note, often named FIRST_READ_ME.txt, containing instructions for victims to contact the attackers.
