In early 2026, IBM X-Force found a troubling new strain of malware that they think was made by AI. They called it "Slopoly" and it was used in a ransomware attack by the financially motivated threat group Hive0163. The group is mostly interested in large-scale data theft and ransomware.

They do this by using a growing number of custom-built tools to stay in targeted networks. This discovery shows a big change in how cybercriminals are starting to use AI to make attack tools faster and cheaper than they used to be. Hive0163 is a well-known group of hackers who have been behind a number of high-profile global ransomware attacks, all of which used the Interlock ransomware variant.

Their toolkit includes private crypters and backdoor malware like NodeSnake, InterlockRAT, and the JunkFiction loader. Each of these is designed to help the group get long-term access to compromised environments.

IBM X-Force says that people who want to protect themselves from ClickFix attacks should do things like turn off the Win+R shortcut or keep an eye on the RunMRU registry key for strange entries.
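One way to act on the RunMRU recommendation above, as an added example that is not from IBM X-Force or the original article: a Python triage of `reg query` output for `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`. The sample output, the rule names and the patterns are assumptions constructed for illustration.

```python
import re

# Constructed sample of `reg query` output for the RunMRU key (not real telemetry).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    notepad\1
    MRUList    REG_SZ    dcba
    b    REG_SZ    \\fileserver\share\1
    c    REG_SZ    mshta https://example.invalid/verify\1
    d    REG_SZ    powershell -w hidden -enc <constructed-placeholder>\1
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s{4}(REG_\w+)\s{4}(.*)$")
MAX_LEN = 120  # assumed threshold; hand-typed Run commands are usually short

# Heuristics assumed for this example, not IBM X-Force's criteria.
RULES = {
    "interpreter": re.compile(
        r"\b(?:powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|"
        r"msiexec|curl|bitsadmin)(?:\.exe)?\b", re.I),
    "url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
}

def parse_runmru(text):
    """Return Run-dialog commands, most recent first (per MRUList)."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    # MRUList holds the value names in recency order; fall back to a-z.
    order = values.pop("MRUList", "") or "".join(sorted(values))
    # Each stored command carries a trailing "\1" marker; strip it.
    return [values[k][:-2] if values[k].endswith("\\1") else values[k]
            for k in order if k in values]

def triage(text):
    """Return (command, [rule names]) for every entry that trips a rule."""
    findings = []
    for cmd in parse_runmru(text):
        hits = [name for name, rx in RULES.items() if rx.search(cmd)]
        if len(cmd) > MAX_LEN:
            hits.append("long_command")
        if hits:
            findings.append((cmd, hits))
    return findings

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE):
        print(f"{','.join(hits):28} {cmd}")
```

A flagged entry is a lead for review rather than proof of compromise, since administrators also launch these tools from the Run dialog.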

Defenders should also look for Hive0163-related signs of compromise in their environments. These include the Slopoly C2 domain plurfestivalgalaxy[.]com (no longer active), its IP address 94.156.181[.]89, and other C2 IPs: 77.42.75[.]119, 23.227.203[.]123, and 172.86.68[.]64.