DaVita and Texas Tech University System: AI-generated Slopoly malware used in Interlock ransomware attack

New AI-Generated Malware "Slopoly" Used in Interlock Ransomware Attacks

A recently discovered malware strain, Slopoly, has been linked to a financially motivated threat group tracked as Hive0163, which deployed it in an Interlock ransomware attack. The backdoor, likely generated using generative AI tools, allowed attackers to maintain persistence on a compromised server for over a week while exfiltrating data.

The attack began with a ClickFix social engineering tactic, followed by the deployment of Slopoly, a PowerShell-based C2 (command-and-control) client. IBM X-Force researchers identified strong indicators of AI-assisted development, including unusually structured code, detailed comments, and well-organized error handling, features that are uncommon in traditional malware. While the exact LLM used remains unclear, the script’s design suggests its creation was automated.

Despite its name, Slopoly lacks true polymorphic capabilities, meaning it cannot modify its own code during execution. However, its builder can generate new variants with randomized configurations, such as beaconing intervals and C2 addresses. The malware operates from *C:\ProgramData\Microsoft\Windows\Runtime* and performs the following functions:

  • Collects system information
  • Sends heartbeat beacons every 30 seconds
  • Polls for commands every 50 seconds
  • Executes commands via cmd.exe and returns output
  • Maintains persistence via a scheduled task (Runtime Broker)

Slopoly supports commands for downloading and executing payloads (EXE, DLL, JavaScript), adjusting beacon intervals, self-updating, and terminating its own process.

The attack chain also included the NodeSnake and InterlockRAT backdoors. Interlock ransomware, active since 2024, has targeted high-profile entities, including the Texas Tech University System, DaVita, Kettering Health, and the city of Saint Paul, Minnesota. The ransomware uses the JunkFiction loader, runs as a SYSTEM-level scheduled task, and employs the Windows Restart Manager to release file locks before encryption, appending extensions such as ‘.!NT3RLOCK’ or ‘.int3R1Ock’.
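The indicators in the two passages above (the Slopoly working directory, the "Runtime Broker" scheduled task, the 30- and 50-second beacon cadence, and the Interlock file extensions) are enough to build a small hunt. The script below is an added example written for this page, not code from the article, BleepingComputer or IBM X-Force. It assumes scheduled-task inventories, proxy logs and file listings have already been exported as plain Python records; the host names (ws-17, c2.example.invalid), task entries, timestamps and file paths are constructed, the client.ps1 file name is a placeholder (the report does not name the script), and the extensions are matched as written above, without the stray space.

```python
"""Hunting helpers for the Slopoly / Interlock indicators summarized above.

Added example, not code from the original article or from IBM X-Force.
All sample records at the bottom are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Indicators taken from the write-up; compared case-insensitively.
SLOPOLY_DIR = r"c:\programdata\microsoft\windows\runtime"
SLOPOLY_TASK = "runtime broker"
SLOPOLY_PERIODS = (30, 50)  # heartbeat / command-poll intervals in seconds
INTERLOCK_EXT_RE = re.compile(r"\.(?:!nt3rlock|int3r1ock)$", re.IGNORECASE)


def suspicious_tasks(tasks):
    """tasks: dicts with 'name' and 'action' (the command the task runs).
    Flags the persistence task name and anything launched from the
    Slopoly working directory. Windows' own RuntimeBroker.exe runs as a
    process, not as a scheduled task, so the name alone is worth triage."""
    hits = []
    for task in tasks:
        reasons = []
        if task["name"].strip().lower() == SLOPOLY_TASK:
            reasons.append("task name matches Slopoly persistence task")
        if SLOPOLY_DIR in task["action"].lower():
            reasons.append("action runs from Slopoly working directory")
        if reasons:
            hits.append((task["name"], reasons))
    return hits


def periodic_pairs(events, periods=SLOPOLY_PERIODS, tolerance=2, min_fraction=0.3):
    """events: (timestamp, src, dst) tuples from proxy or firewall logs.
    For each src/dst pair, counts how many requests have another request
    exactly `period` seconds later (+/- tolerance). Beacons produce a high
    fraction; human-driven traffic does not. The threshold is deliberately
    low because the heartbeat and poll streams share one C2 and dilute
    each other's fraction when interleaved."""
    by_pair = {}
    for ts, src, dst in events:
        by_pair.setdefault((src, dst), []).append(ts)
    findings = []
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < 6:
            continue  # too few samples to call a cadence
        for period in periods:
            matched = sum(
                1 for t in times
                if any(abs((u - t).total_seconds() - period) <= tolerance for u in times)
            )
            fraction = matched / len(times)
            if fraction >= min_fraction:
                findings.append((pair, period, round(fraction, 2)))
    return findings


def interlock_encrypted(paths):
    """Returns file paths carrying the Interlock extensions named above."""
    return [p for p in paths if INTERLOCK_EXT_RE.search(p)]


# --- constructed sample data (not from the report) ---------------------
SAMPLE_TASKS = [
    {"name": "Runtime Broker",  # client.ps1 is a placeholder file name
     "action": r"powershell.exe -File C:\ProgramData\Microsoft\Windows\Runtime\client.ps1"},
    {"name": "MicrosoftEdgeUpdateTaskMachineCore",
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c"},
]

_T0 = datetime(2026, 3, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    # heartbeat every 30 s and command poll every 50 s, both to one C2
    [(_T0 + timedelta(seconds=s), "ws-17", "c2.example.invalid") for s in range(0, 301, 30)]
    + [(_T0 + timedelta(seconds=s), "ws-17", "c2.example.invalid") for s in range(15, 316, 50)]
    # irregular, human-looking traffic to an internal site
    + [(_T0 + timedelta(seconds=s), "ws-17", "intranet.example.invalid")
       for s in (0, 7, 41, 98, 133, 200, 260, 301)]
)

SAMPLE_PATHS = [
    r"D:\Shares\finance\Q1.xlsx.!NT3RLOCK",
    r"D:\Shares\finance\notes.txt.int3R1Ock",
    r"D:\Shares\finance\readme.txt",
]

if __name__ == "__main__":
    print(suspicious_tasks(SAMPLE_TASKS))
    print(periodic_pairs(SAMPLE_EVENTS))
    print(interlock_encrypted(SAMPLE_PATHS))
```

The cadence check uses a fixed-lag partner test rather than simple gap statistics because the two Slopoly timers talk to the same C2 address: interleaved 30 s and 50 s streams produce gaps of 15, 20 and 30 s that average to nothing useful, whereas each heartbeat still has a partner exactly 30 s later and each poll a partner exactly 50 s later. The constructed C2 pair is reported for both periods and the irregular intranet pair for neither.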

IBM X-Force notes potential ties between Hive0163 and other malware families, including Broomstick, SocksShell, PortStarter, SystemBC, and the Rhysida ransomware operators. The incident underscores the growing use of AI in malware development, enabling faster customization and evasion of detection.

Source: https://www.bleepingcomputer.com/news/security/ai-generated-slopoly-malware-used-in-interlock-ransomware-attack/

Texas A&M AgriLife cybersecurity rating report: https://www.rankiteo.com/company/texas-a&m-agrilife

DaVita Kidney Care cybersecurity rating report: https://www.rankiteo.com/company/davita

"id": "TEXDAV1773347117",
"linkid": "texas-a&m-agrilife, davita",
"type": "Ransomware",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Education',
                        'location': 'Texas, USA',
                        'name': 'Texas Tech University System',
                        'type': 'Educational Institution'},
                       {'industry': 'Healthcare',
                        'name': 'DaVita',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Healthcare',
                        'name': 'Kettering Health',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Public Sector',
                        'location': 'Minnesota, USA',
                        'name': 'City of Saint Paul, Minnesota',
                        'type': 'Government'}],
 'attack_vector': 'Social Engineering (ClickFix), PowerShell-based C2 Client',
 'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
                 'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High (if personally identifiable or '
                                        'healthcare data)',
                 'type_of_data_compromised': 'System information, potentially '
                                             'sensitive data'},
 'description': 'A recently discovered malware strain, Slopoly, has been '
                'linked to a financially motivated threat group tracked as '
                'Hive0163, which deployed it in an Interlock ransomware '
                'attack. The backdoor, likely generated using generative AI '
                'tools, allowed attackers to maintain persistence on a '
                'compromised server for over a week while exfiltrating data. '
                'The attack began with a ClickFix social engineering tactic, '
                'followed by the deployment of Slopoly, a PowerShell-based C2 '
                '(command-and-control) client. IBM X-Force researchers '
                'identified strong indicators of AI-assisted development, '
                'including unusually structured code, detailed comments, and '
                'well-organized error handling features uncommon in '
                'traditional malware. The attack chain also included NodeSnake '
                'and InterlockRAT backdoors. Interlock ransomware, active '
                'since 2024, has targeted high-profile entities and uses the '
                'JunkFiction loader, runs as a SYSTEM-level scheduled task, '
                'and employs Windows Restart Manager to unlock files before '
                'encryption.',
 'impact': {'data_compromised': 'System information, potentially sensitive '
                                'data',
            'operational_impact': 'Data exfiltration, system encryption',
            'systems_affected': 'Compromised servers'},
 'initial_access_broker': {'backdoors_established': 'Slopoly, NodeSnake, '
                                                    'InterlockRAT',
                           'entry_point': 'ClickFix social engineering tactic'},
 'lessons_learned': 'The incident underscores the growing use of AI in malware '
                    'development, enabling faster customization and evasion of '
                    'detection.',
 'motivation': 'Financial Gain',
 'post_incident_analysis': {'root_causes': 'AI-generated malware (Slopoly), '
                                           'social engineering, '
                                           'PowerShell-based C2 client'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransomware_strain': 'Interlock'},
 'references': [{'source': 'IBM X-Force'}],
 'response': {'third_party_assistance': 'IBM X-Force'},
 'threat_actor': 'Hive0163',
 'title': "New AI-Generated Malware 'Slopoly' Used in Interlock Ransomware "
          'Attacks',
 'type': 'Ransomware Attack'}