City of Saint Paul, Minnesota and Texas Tech University System: AI-built Slopoly malware used in ransomware attacks

New AI-Assisted Malware "Slopoly" Linked to Hive0163 Ransomware Campaigns

A recently identified malware strain, Slopoly, is being deployed in ransomware attacks tied to the financially motivated threat group Hive0163. Security researchers at IBM X-Force report that the backdoor shows signs of generative AI-assisted development, marking an emerging trend in cybercriminal tooling.

The malware was used in an Interlock ransomware attack where attackers lingered on a compromised server for over a week, exfiltrating sensitive data. The intrusion began with a ClickFix social-engineering tactic, followed by the installation of Slopoly as a PowerShell script communicating with a command-and-control (C2) server.

While Slopoly's code includes unusually polished features such as detailed comments, structured logging, and robust error handling, researchers could not confirm which large language model (LLM) was used in its creation. Despite describing itself as "polymorphic", the malware lacks true polymorphic capabilities: its code is not rewritten from sample to sample. Instead it relies on a builder tool to randomize configuration values such as beaconing intervals and C2 addresses, so those values differ between builds and should not be treated as fixed indicators.

Once deployed in *C:\ProgramData\Microsoft\Windows\Runtime*, Slopoly performs several functions:

  • Collects system information
  • Sends heartbeat signals to the C2 server every 30 seconds (a builder-set default that can be changed by command)
  • Polls the C2 server for commands every 50 seconds (likewise adjustable)
  • Executes commands via cmd.exe and relays results
  • Maintains persistence via a scheduled task named "Runtime Broker"

The malware supports commands for downloading and executing payloads (EXE, DLL, JavaScript), running shell commands, adjusting the beaconing intervals, updating itself, and terminating its own process.

In the same campaign, attackers also deployed NodeSnake and InterlockRAT backdoors before delivering the Interlock ransomware via the JunkFiction loader. First observed in 2024, the Interlock ransomware operation is known for ClickFix and FileFix social-engineering techniques and has previously targeted organizations like Texas Tech University System, DaVita, Kettering Health, and the city of Saint Paul, Minnesota.

IBM researchers also noted possible connections between Hive0163 and developers linked to other malware families, including Broomstick, SocksShell, PortStarter, SystemBC, and Rhysida ransomware, suggesting overlapping tools or collaboration within the cybercrime ecosystem.

Source: https://cybersafe.news/ai-built-slopoly-malware-used-in-ransomware-attacks/

Saint-Gobain cybersecurity rating report: https://www.rankiteo.com/company/saint-gobain

Texas Association of Business cybersecurity rating report: https://www.rankiteo.com/company/texas-association-of-business

"id": "SAITEX1773412315",
"linkid": "saint-gobain, texas-association-of-business",
"type": "Ransomware",
"date": "1/2024",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'education',
                        'name': 'Texas Tech University System',
                        'type': 'educational institution'},
                       {'industry': 'healthcare',
                        'name': 'DaVita',
                        'type': 'healthcare provider'},
                       {'industry': 'healthcare',
                        'name': 'Kettering Health',
                        'type': 'healthcare provider'},
                       {'industry': 'public sector',
                        'location': 'Saint Paul, Minnesota',
                        'name': 'City of Saint Paul, Minnesota',
                        'type': 'government'}],
 'attack_vector': 'ClickFix social-engineering tactic',
 'data_breach': {'data_exfiltration': True,
                 'type_of_data_compromised': 'sensitive data'},
 'description': 'A recently identified malware strain, *Slopoly*, is being '
                'deployed in ransomware attacks tied to the financially '
                'motivated threat group Hive0163. The backdoor shows signs of '
                'generative AI-assisted development. The malware was used in '
                'an Interlock ransomware attack where attackers lingered on a '
                'compromised server for over a week, exfiltrating sensitive '
                'data. The intrusion began with a ClickFix social-engineering '
                'tactic, followed by the installation of *Slopoly* as a '
                'PowerShell script communicating with a command-and-control '
                '(C2) server.',
 'impact': {'data_compromised': 'sensitive data exfiltrated'},
 'initial_access_broker': {'backdoors_established': ['Slopoly',
                                                     'NodeSnake',
                                                     'InterlockRAT'],
                           'entry_point': 'ClickFix social-engineering tactic',
                           'reconnaissance_period': 'over a week'},
 'motivation': 'financial',
 'post_incident_analysis': {'root_causes': 'ClickFix social-engineering '
                                           'tactic, AI-assisted malware '
                                           'development'},
 'ransomware': {'data_exfiltration': True, 'ransomware_strain': 'Interlock'},
 'references': [{'source': 'IBM X-Force'}],
 'response': {'third_party_assistance': 'IBM X-Force'},
 'threat_actor': 'Hive0163',
 'title': "New AI-Assisted Malware 'Slopoly' Linked to Hive0163 Ransomware "
          'Campaigns',
 'type': ['ransomware', 'malware']}