Cybersecurity researchers have disclosed details of a suspected AI-generated malware called Slopoly that is being used by Hive0163, a financially motivated hacker group. Hive0163 sustains itself through extortion built on large-scale data theft and ransomware.
The e-crime group is best known for a range of malicious tools, including NodeSnake, Interlock RAT, the JunkFiction loader, and Interlock ransomware. The researchers observed a ransomware attack in early 2026 in which the attacker used Slopoly during the post-exploitation phase to maintain access to the compromised server for more than a week.
Slopoly was discovered as a PowerShell script, most likely produced by a builder, that kept itself on the system through a scheduled task named "Runtime Broker." There are signs that a large language model (LLM), not yet identified, helped create the malware.
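A task named after a legitimate Windows component is a cheap disguise, and it is also easy to hunt for, because the genuine Runtime Broker is a process, not a scheduled task. The script below is an added example written for this article, not code from the researchers or from the malware; it triages rows in the shape of `schtasks /query /fo CSV /v` output (column set abbreviated, rows constructed) and scores any task whose name mimics a Windows component while its action launches PowerShell, uses hidden/bypass/encoded flags, or runs a script from a world-writable directory. The look-alike name list is an assumption to be extended for your own estate.

```python
"""Scheduled-task triage for look-alike names (added example, not from the article).

Input is assumed to be CSV shaped like `schtasks /query /fo CSV /v`
(columns abbreviated); the rows below are constructed for the example.
"""
import csv
import io
import re

# Legitimate Windows component names that malware commonly borrows for task
# names. Constructed starter list; extend it for your environment.
LOOKALIKE_NAMES = {"runtime broker", "windows update", "microsoft edge update"}

# Command-line features that make a PowerShell task action worth a look.
SUSPICIOUS_ARGS = re.compile(
    r"-(?:e|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden"
    r"|-(?:ep|executionpolicy)\s+bypass|-nop\b|-noprofile\b",
    re.IGNORECASE,
)

# Constructed sample: one benign Microsoft task, one look-alike task running
# PowerShell from a public directory, one legitimate admin PowerShell task.
SAMPLE_CSV = """\
"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\\Runtime Broker","Ready","WS01\\jsmith","powershell.exe -nop -w hidden -ep bypass -f C:\\Users\\Public\\rb.ps1","WS01\\jsmith"
"WS01","\\Backup nightly","Ready","WS01\\admin","powershell.exe -File C:\\Scripts\\backup.ps1","WS01\\admin"
"""


def parse_schtasks_csv(text):
    """Return the CSV rows as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def score_task(row):
    """Return (score, reasons) for one task row; higher means more suspicious."""
    name = row["TaskName"].strip("\\").lower()
    action = row["Task To Run"]
    lowered = action.lower()
    launches_powershell = "powershell" in lowered or "pwsh" in lowered
    reasons = []
    if launches_powershell and name in LOOKALIKE_NAMES:
        reasons.append("task name mimics a Windows component but runs PowerShell")
    if launches_powershell and SUSPICIOUS_ARGS.search(action):
        reasons.append("PowerShell action uses hidden/bypass/encoded/noprofile flags")
    if launches_powershell and re.search(
        r"\\(?:Users\\Public|ProgramData|Temp)\\", action, re.IGNORECASE
    ):
        reasons.append("script runs from a world-writable location")
    return len(reasons), reasons


def triage(text, min_score=1):
    """Return the tasks scoring at or above min_score, with their reasons."""
    hits = []
    for row in parse_schtasks_csv(text):
        score, reasons = score_task(row)
        if score >= min_score:
            hits.append({"task": row["TaskName"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV):
        print(f"{hit['task']} (score {hit['score']})")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

On a real host, export the task list with `schtasks /query /fo CSV /v > tasks.csv` and feed the file's contents to `triage`; the admin backup task in the sample scores zero, which is the point of scoring on combinations of name, flags and script location rather than on "runs PowerShell" alone.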
The signs of LLM involvement include extensive comments, logging, error handling, and descriptively named variables. The comments also describe the script as a "Polymorphic C2 Persistence Client," indicating that it is part of a command-and-control (C2) framework. Mühr said, "However, the script doesn't have any advanced techniques and can't really be called polymorphic because it can't change its own code while it's running."
However, "the builder may create new clients with different randomized configuration values and function names, which is standard practice among malware builders." The PowerShell script functions as a full backdoor: it sends a heartbeat message with system information to a C2 server every 30 seconds, checks for a new command every 50 seconds, runs it through "cmd.exe," and sends the results back to the server. Exactly which commands were run on the compromised network is not known.
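Fixed 30-second and 50-second timers are the kind of thing network telemetry catches well, because a machine timer produces near-constant gaps between requests while human browsing does not. The script below is an added example written for this article, not code from the researchers or from the malware; it groups proxy requests by source and destination, measures the gaps between consecutive requests, and flags flows whose gaps have a low coefficient of variation. The log format (timestamp, source, destination, path) and the log lines are constructed for the example.

```python
"""Periodic-beacon detector over proxy log lines (added example, not from the article).

Groups requests by (src, dst), measures inter-request gaps and flags flows whose
gaps are tightly clustered, as a fixed-interval heartbeat or command poll would be.
Log format and lines are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 beacons to 198.51.100.7 every 30 s (one tick of
# jitter), while 10.0.0.9 browses 203.0.113.20 at irregular human intervals.
SAMPLE_LOG = """\
2026-02-03T10:00:00 10.0.0.5 198.51.100.7 /ping
2026-02-03T10:00:30 10.0.0.5 198.51.100.7 /ping
2026-02-03T10:01:00 10.0.0.5 198.51.100.7 /ping
2026-02-03T10:01:30 10.0.0.5 198.51.100.7 /ping
2026-02-03T10:02:00 10.0.0.5 198.51.100.7 /ping
2026-02-03T10:02:31 10.0.0.5 198.51.100.7 /ping
2026-02-03T10:00:03 10.0.0.9 203.0.113.20 /index.html
2026-02-03T10:00:17 10.0.0.9 203.0.113.20 /style.css
2026-02-03T10:03:41 10.0.0.9 203.0.113.20 /api/data
2026-02-03T10:07:02 10.0.0.9 203.0.113.20 /api/data
2026-02-03T10:09:15 10.0.0.9 203.0.113.20 /logout
"""


def parse_log(text):
    """Return {(src, dst): [timestamps sorted ascending]} from the constructed format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _path = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for key in flows:
        flows[key].sort()
    return dict(flows)


def find_beacons(flows, min_requests=5, max_cv=0.1):
    """Flag flows whose inter-request gaps have coefficient of variation <= max_cv.

    cv = population stdev / mean of the gaps. A timer-driven client gives a cv
    near 0 even with a little jitter; human-driven traffic gives a large cv.
    min_requests avoids judging a flow on one or two gaps.
    """
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "period_s": round(avg, 1),
                "cv": round(cv, 3),
                "count": len(times),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate {hit['src']} -> {hit['dst']}: "
              f"~{hit['period_s']}s period, n={hit['count']}, cv={hit['cv']}")
```

One caveat: when two fixed timers (here 30 s and 50 s) share one destination, their interleaved requests no longer produce constant gaps, so in practice group by request path as well, or run the check per path, so that each timer is measured on its own.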
The attack is said to have used the ClickFix social engineering technique to trick a victim into running a PowerShell command that downloads NodeSnake, a known piece of malware linked to Hive0163.
NodeSnake, the first-stage malware, is designed to run shell commands, stay hidden, and fetch and run a larger malware framework called Interlock RAT. Hive0163 has a history of using ClickFix and malvertising for initial access. The threat actor also gains footholds through initial access brokers such as TA569 (also known as SocGholish) and TAG-124 (also known as KongTuke and LandUpdate808).
The framework supports both Windows and Linux and is available in PowerShell, PHP, C/C++, Java, and JavaScript. It connects to a remote server to fetch commands that let it start a SOCKS5 proxy tunnel, create a reverse shell on the infected machine, and deliver further payloads such as Interlock ransomware and Slopoly.
Slopoly is the latest in a growing line of AI-assisted malware, alongside VoidLink and PromptSpy, showing how criminals are using the technology to speed up malware development and scale their operations. IBM X-Force said, "The introduction of AI-generated malware does not pose a new or sophisticated threat from a technical standpoint."
"It gives threat actors an unfair advantage by making it easier for them to plan and carry out an attack."