Cybersecurity researchers have uncovered Slopoly, an AI-generated malware framework deployed by Hive0163 to maintain persistent access during ransomware campaigns, highlighting how threat actors are weaponizing AI to accelerate malware development.
Cybersecurity researchers have uncovered a new AI-assisted malware campaign that demonstrates how threat actors are leveraging artificial intelligence to accelerate their operations. The malware, dubbed Slopoly, was developed by a financially motivated threat actor known as Hive0163 and represents a concerning evolution in ransomware tactics.
The Rise of AI-Generated Malware
The discovery of Slopoly highlights a growing trend in cybercrime: the weaponization of AI for malware development. According to IBM X-Force researcher Golo Mühr, "AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take."
While still considered "relatively unspectacular" from a technical standpoint, Slopoly demonstrates how AI is lowering the barrier to entry for sophisticated malware development. The malware exhibits clear signs of AI assistance, including extensive comments, comprehensive logging, robust error handling, and accurately named variables throughout the code.
Hive0163's Extortion Operations
Hive0163 operates as a financially motivated e-crime group that extorts victims through large-scale data exfiltration combined with ransomware deployment. The group has established a reputation for using a diverse arsenal of malicious tools, including:
- NodeSnake - A first-stage malware component
- Interlock RAT - A remote access trojan framework
- JunkFiction loader - A malware delivery mechanism
- Interlock ransomware - The group's primary extortion tool
Slopoly's Technical Architecture
Slopoly functions as a full-fledged backdoor that maintains persistent access to compromised systems. The malware was discovered embedded within a PowerShell script that's likely deployed through a builder tool, which also establishes persistence via a scheduled task named "Runtime Broker."
Despite being labeled as a "Polymorphic C2 Persistence Client" in the code comments, Slopoly doesn't actually possess advanced polymorphic capabilities. As Mühr noted, "The script does not possess any advanced techniques and can hardly be considered polymorphic, since it's unable to modify its own code during execution."
However, the builder tool may generate new clients with different randomized configuration values and function names - a standard practice among modern malware builders that provides some level of evasion.
Operational Capabilities
Once deployed, Slopoly operates as a persistent backdoor with the following capabilities:
- Heartbeat Communication: Sends system information to a command-and-control (C2) server every 30 seconds
- Command Polling: Checks for new commands every 50 seconds
- Command Execution: Executes received commands via "cmd.exe"
- Result Reporting: Relays command execution results back to the C2 server
The exact nature of commands executed on compromised networks remains unknown, but the malware's architecture suggests it's designed for long-term surveillance and data exfiltration.
Attack Chain and Initial Access
The ransomware attack that revealed Slopoly's deployment followed a sophisticated multi-stage approach. Hive0163 leveraged the ClickFix social engineering tactic to trick victims into running malicious PowerShell commands. This initial compromise led to the download of NodeSnake, which then established persistence and retrieved the broader Interlock RAT framework.
Hive0163 employs multiple initial access methods:
- ClickFix social engineering - Tricking users into executing malicious commands
- Malvertising - Using malicious advertisements to distribute malware
- Initial access brokers - Purchasing access from groups like TA569 (SocGholish) and TAG-124 (KongTuke, LandUpdate808)
Cross-Platform Framework
The Interlock framework, which includes Slopoly, has multiple implementations across different programming languages to support both Windows and Linux environments:
- PowerShell
- PHP
- C/C++
- Java
- JavaScript
This cross-platform compatibility allows Hive0163 to target a wide range of systems and maintain operational flexibility.
Implications for Cybersecurity
IBM X-Force emphasizes that while AI-generated malware like Slopoly doesn't introduce fundamentally new technical threats, it significantly accelerates the threat landscape. "The introduction of AI-generated malware does not pose a new or sophisticated threat from a technical standpoint," the researchers stated. "It disproportionately enables threat actors by reducing the time an operator needs to develop and execute an attack."
This development adds Slopoly to a growing list of AI-assisted malware, which includes other notable examples like VoidLink and PromptSpy. The trend suggests that AI will continue to democratize access to sophisticated malware development, potentially increasing both the volume and variety of threats organizations face.
Protection and Detection
Organizations should be aware of the following indicators related to Hive0163's operations:
- Scheduled tasks named "Runtime Broker" (though legitimate Windows processes exist with this name)
- PowerShell scripts with extensive comments and logging
- Communication patterns involving 30-second heartbeat intervals
- 50-second command polling intervals
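The two cadences above (and the heartbeat/polling behaviour described under Operational Capabilities) are the most concrete network-side signal the report gives, so here is an added detection example of how a defender could triage outbound-connection logs for them. This is illustration code written for this article, not IBM X-Force code and not anything from the Slopoly script; the log format, host names, RFC 5737 documentation addresses, tolerance and thresholds are all constructed assumptions. It also shows why a naive inter-arrival jitter test is not enough: when a 30-second heartbeat and a 50-second poll go to the same C2, the merged stream looks irregular, so the example instead checks how well the observed connection times cover each candidate cadence.

```python
"""
Beacon-cadence triage over outbound-connection logs.

Added example for this article, not IBM X-Force code and not anything from
the Slopoly script itself. It takes the two cadences the report gives
(30 s heartbeat, 50 s command poll) and looks for src->dst pairs whose
connection times line up with either cadence. The log format, host names,
addresses, tolerance and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SLOPOLY_PERIODS_S = (30, 50)  # heartbeat and command-poll intervals from the report


def build_sample_log() -> str:
    """Constructed log: one host beaconing on both cadences, one browsing irregularly."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges, not real C2.
    c2 = "ws-17 -> 203.0.113.10:443"
    ticks = sorted(set(range(0, 301, 30)) | set(range(0, 301, 50)))
    for s in ticks:
        lines.append(f"{(base + timedelta(seconds=s)).isoformat()} {c2}")
    web = "ws-22 -> 198.51.100.7:443"
    for s in (0, 7, 19, 23, 61, 88, 94, 140, 171, 203, 250, 299):
        lines.append(f"{(base + timedelta(seconds=s)).isoformat()} {web}")
    return "\n".join(sorted(lines))


def parse_log(text: str) -> dict:
    """Group connection times by (src, dst); lines look like '<ISO ts> <src> -> <dst>'."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return {k: sorted(v) for k, v in pairs.items()}


def to_seconds(times) -> list:
    """Offsets in seconds from the first event of the pair."""
    return [(t - times[0]).total_seconds() for t in times]


def interarrival_cv(secs) -> float:
    """Coefficient of variation of gaps between consecutive events (the naive jitter test)."""
    gaps = [b - a for a, b in zip(secs, secs[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return float("inf")
    return pstdev(gaps) / mean(gaps)


def period_coverage(secs, period_s: float, tolerance_s: float = 2.0, min_ticks: int = 5) -> float:
    """Best fraction of expected ticks (anchor + k*period) that are actually observed.

    Every event is tried as the anchor, so the test still works when the log starts
    mid-stream or when a second cadence to the same destination is interleaved.
    """
    best = 0.0
    last = secs[-1] if secs else 0.0
    for anchor in secs:
        ticks = []
        k = 0
        while anchor + k * period_s <= last + tolerance_s:
            ticks.append(anchor + k * period_s)
            k += 1
        if len(ticks) < min_ticks:
            continue  # too short a window to say anything about this cadence
        hits = sum(1 for tick in ticks if any(abs(s - tick) <= tolerance_s for s in secs))
        best = max(best, hits / len(ticks))
    return best


def flag_beacons(pairs: dict, periods=SLOPOLY_PERIODS_S,
                 min_coverage: float = 0.8, min_events: int = 6) -> list:
    """Return one finding per (src, dst, period) whose cadence coverage passes the threshold."""
    findings = []
    for (src, dst), times in pairs.items():
        if len(times) < min_events:
            continue
        secs = to_seconds(times)
        for p in periods:
            cov = period_coverage(secs, p)
            if cov >= min_coverage:
                findings.append({"src": src, "dst": dst, "period_s": p,
                                 "coverage": round(cov, 2),
                                 "gap_cv": round(interarrival_cv(secs), 2)})
    return findings


if __name__ == "__main__":
    for finding in flag_beacons(parse_log(build_sample_log())):
        print(finding)
```

On the constructed data the beaconing host is reported for both the 30-second and the 50-second cadence with full coverage, while its inter-arrival coefficient of variation is around 0.4, which is why a plain "low jitter" rule would have missed it. A fixed cadence on its own is a weak indicator (update agents and monitoring tools beacon too), so hits from this kind of triage are best corroborated with the host-side signals the report describes: a scheduled task named "Runtime Broker" whose action launches PowerShell rather than the legitimate RuntimeBroker.exe, and powershell.exe spawning cmd.exe to run received commands.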
As AI-assisted malware becomes more prevalent, defenders will need to adapt their detection strategies to identify the unique characteristics of AI-generated code, such as consistent commenting patterns and systematic error handling that may differ from human-written malware.
The emergence of Slopoly serves as a wake-up call for the cybersecurity community, demonstrating that the barrier to entry for sophisticated malware development continues to fall while the pace of innovation in cybercrime accelerates.