Sloppy but Swift: How Hive0163’s AI-Generated “Slopoly” Malware is Reshaping Ransomware

According to a report published by IBM, ransomware groups have begun experimenting with artificial intelligence. Researchers identified an unusual malware strain named Slopoly; analysis of its code strongly suggests the script was generated by a large language model. Although the program is not technically complex, it highlights a growing problem: building malicious tools has become markedly faster and more accessible.

Slopoly was identified in early 2026 during the investigation of a ransomware intrusion carried out by the group tracked as Hive0163. The group has a long history of extortion and data theft and is known for using the Interlock ransomware alongside a custom toolset that includes NodeSnake, InterlockRAT, and the JunkFiction loader.

Slopoly took the form of a PowerShell script acting as a client for a command-and-control (C2) infrastructure. The code collected basic system information and sent a “beacon” to the attackers’ server every 30 seconds. Every 50 seconds it polled for new instructions, executed them via cmd.exe, and sent the results back to the server.
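The fixed 30-second beacon and 50-second command poll are exactly the kind of regularity that shows up in outbound connection logs regardless of how the script was written. As an added example (not code from the IBM report or from the malware itself), this Python script groups constructed proxy log lines by source and destination and flags pairs whose connection intervals are nearly constant; the log format, hosts and timestamps are invented for the illustration:

```python
"""Flag periodic outbound connections (beaconing) in web-proxy logs.
Constructed example: hosts, timestamps and log format are invented; the
30-second cadence mirrors the Slopoly beacon interval in the article."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <src_ip> <dst_host> <method> <path>"
SAMPLE_LOG = """\
2026-01-14T09:00:00 10.0.0.5 c2.example.invalid POST /beacon
2026-01-14T09:00:02 10.0.0.5 cdn.example.invalid GET /app.js
2026-01-14T09:00:30 10.0.0.5 c2.example.invalid POST /beacon
2026-01-14T09:00:47 10.0.0.5 cdn.example.invalid GET /logo.png
2026-01-14T09:01:00 10.0.0.5 c2.example.invalid POST /beacon
2026-01-14T09:01:30 10.0.0.5 c2.example.invalid POST /beacon
2026-01-14T09:02:00 10.0.0.5 c2.example.invalid POST /beacon
2026-01-14T09:02:31 10.0.0.5 c2.example.invalid POST /beacon
2026-01-14T09:03:15 10.0.0.5 cdn.example.invalid GET /style.css
"""

def parse_log(text):
    """Return {(src_ip, dst_host): [timestamps]} from the constructed format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        conns[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
    return conns

def find_beacons(conns, min_hits=5, max_jitter=0.1):
    """Return [(src, dst, mean_gap_s)] for pairs whose gaps between connections
    are nearly constant (coefficient of variation <= max_jitter). Human
    browsing is irregular; a fixed-timer beacon is a low-variance series."""
    hits = []
    for (src, dst), times in conns.items():
        if len(times) < min_hits:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return hits

if __name__ == "__main__":
    for src, dst, gap in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon-like traffic: {src} -> {dst} every ~{gap}s")
```

The one-second drift in the last C2 sample is deliberate: real beacons jitter slightly, so the check uses relative variance rather than exact equality.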

The code showed hallmarks of language-model generation: abundant comments, thorough error handling, and tidy variable naming. One comment described the program as a “Polymorphic C2 Persistence Client,” even though the code contains no real polymorphic mechanism. The script cannot change its own logic at runtime; instead, the generator appears simply to have produced separate versions of the client with randomized parameters and function names.

Despite its low technical level, Slopoly allowed Hive0163 to keep control of the system for more than a week. Which commands were executed during that period is unknown, but the use of such a tool clearly shows the criminal underground’s growing interest in AI-generated code.

The intrusion began with a social engineering technique known as ClickFix. The victim was shown a fake “verification” page imitating a CAPTCHA, which silently placed a malicious script on the system clipboard. The user was then talked into pressing a sequence of keys (Win+R, Ctrl+V, and Enter), effectively running the PowerShell command by hand.

The first stage of the infection was NodeSnake, a Node.js-based C2 component. NodeSnake can download additional files, run shell commands, and establish persistence. The attackers then deployed InterlockRAT, a more capable backdoor supporting reverse shells and SOCKS5 tunneling for covert network access.

Using these tools, Hive0163 deployed Slopoly along with utilities such as AzCopy and Advanced IP Scanner, and finally launched the Interlock ransomware. The encryptor walks the logical drives, skipping system directories, and encrypts files using AES and RSA via the OpenSSL library. Encrypted files receive extensions such as .!NT3RLOCK or .int3R1Ock, and a ransom note titled FIRST_READ_ME.txt is dropped alongside them.

IBM assesses that Hive0163 specializes in post-exploitation, using its own backdoors for long-term presence and large-scale data theft. Slopoly itself is technically simple, but its appearance points to a shift in cybercrime in which artificial intelligence sharply shortens the development cycle. The industry now faces a new reality: AI-generated scripts are only the first step toward adversaries using AI for real-time decision-making and autonomous testing of offensive infrastructure.
