Hive0163 Ransomware Group Tests AI-Generated Malware in Active Attack
The financially motivated ransomware group Hive0163 has incorporated an AI-generated malware framework, Slopoly, into its operations, signaling a shift toward AI-assisted attack tooling. The group, linked to major global ransomware incidents involving Interlock ransomware, has previously relied on tools like NodeSnake, InterlockRAT, and JunkFiction loader for persistence and lateral movement.
In early 2026, IBM X-Force investigated an attack where Hive0163 deployed multiple backdoors before introducing Slopoly late in the intrusion, suggesting live testing of the AI-generated framework. The attack began with a ClickFix social engineering campaign, tricking victims into executing a malicious PowerShell command. The script, disguised as a legitimate Windows component, persisted via a scheduled task and maintained access for over a week.
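As an added illustration of the persistence step described above (example code, not from the article, IBM X-Force, or the scripts they analysed), the following PowerShell audit lists scheduled tasks whose action launches PowerShell with arguments typical of social-engineering-delivered scripts, or whose executable lives outside the usual Windows directories despite posing as a system component. The argument patterns and trusted-root list are assumptions of this example; the report gives no task name or command line.

```powershell
# Added example (not from the article or IBM X-Force): hunt for scheduled tasks that
# launch PowerShell with arguments typical of ClickFix-style persistence. The regex
# patterns and path allow-list below are assumptions, not indicators from the report.

# Arguments that are rarely legitimate in a scheduled task but common in
# social-engineering-delivered scripts (encoded commands, hidden windows,
# execution-policy bypass, remote download-and-run).
$suspiciousArgs = '(?i)(-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s*hidden|-nop\b|-noprofile|bypass|iex\b|invoke-expression|downloadstring|frombase64string)'

# Directories from which a genuine Windows component would normally be launched.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath {
    param([string]$Path)
    # Expand %SystemRoot%-style variables and strip quotes before comparing.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only exec-style actions carry Execute/Arguments; skip COM-handler and e-mail actions.
        if (-not $action.Execute) { continue }
        $exe       = [string]$action.Execute
        $arguments = [string]$action.Arguments
        $reasons   = @()

        if ($exe -match '(?i)powershell(\.exe)?$|pwsh(\.exe)?$' -and $arguments -match $suspiciousArgs) {
            $reasons += 'PowerShell launched with encoded/hidden/bypass/download arguments'
        }
        # A task binary outside the trusted system directories deserves a second look:
        # the report describes a script disguised as a legitimate Windows component.
        if ($exe -match '\\' -and -not (Test-TrustedPath $exe)) {
            $reasons += "Executable outside trusted roots: $exe"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                State     = $task.State
                Author    = $task.Author
                Execute   = $exe
                Arguments = $arguments
                Reasons   = ($reasons -join '; ')
            }
        }
    }
} | Format-List
```

Run it from an elevated prompt so that tasks registered by other accounts are enumerated. Matches are triage leads rather than verdicts: deployment and management tooling also registers PowerShell tasks, so compare the task's Author, registration time and script contents against change records before acting.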
Slopoly, a PowerShell-based command-and-control (C2) client, exhibited traits of LLM-generated code (verbose logging, structured error handling, and descriptive variable names), despite lacking true polymorphic behavior. It functioned as a basic backdoor, sending JSON "heartbeat" beacons to its C2 server and executing commands via cmd.exe. The initial compromise deployed NodeSnake, a Node.js-based first-stage C2 client, which later delivered InterlockRAT, a more advanced backdoor with WebSocket and SOCKS5 tunneling capabilities.
The final payload, Interlock ransomware, was delivered via the JunkFiction loader and encrypted files using AES-GCM with RSA-protected session keys. The ransomware skipped system-critical directories, appended a custom extension, and left ransom notes in affected folders. Attackers also used AzCopy for data exfiltration and Advanced IP Scanner for network reconnaissance before triggering encryption.
While Slopoly itself is not highly sophisticated, its likely AI origin demonstrates how threat actors can rapidly generate functional malware using LLMs. This aligns with broader industry observations, including Palo Alto Networks’ Unit 42, which notes that AI is accelerating attack timelines and lowering the barrier to entry for cybercriminals. IBM X-Force assessed that even less advanced LLMs can produce operational malware, complicating detection and attribution as AI-generated threats become more prevalent.
Source: https://gbhackers.com/ai-generated-malware/
The Hacker News cybersecurity rating report: https://www.rankiteo.com/company/thehackernews
"id": "THE1773656627",
"linkid": "thehackernews",
"type": "Ransomware",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'attack_vector': 'ClickFix social engineering (malicious PowerShell execution)',
 'data_breach': {'data_encryption': 'AES-GCM with RSA-protected session keys',
                 'data_exfiltration': True},
 'date_detected': '2026',
 'description': 'The financially motivated ransomware group Hive0163 has incorporated an AI-generated malware framework, Slopoly, into its operations, signaling a shift toward AI-assisted attack tooling. The attack involved multiple backdoors, including NodeSnake and InterlockRAT, before deploying Slopoly for live testing. The ransomware encrypted files using AES-GCM and exfiltrated data via AzCopy.',
 'impact': {'data_compromised': True},
 'initial_access_broker': {'backdoors_established': ['NodeSnake', 'InterlockRAT', 'Slopoly'],
                           'entry_point': 'ClickFix social engineering (malicious PowerShell execution)'},
 'lessons_learned': 'AI-generated malware like Slopoly demonstrates how threat actors can rapidly generate functional malware using LLMs, complicating detection and attribution.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': 'AI-generated malware (Slopoly) and social engineering (ClickFix) leading to initial access and persistence.'},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Interlock ransomware'},
 'references': [{'source': 'IBM X-Force'}, {'source': 'Palo Alto Networks’ Unit 42'}],
 'response': {'third_party_assistance': 'IBM X-Force'},
 'threat_actor': 'Hive0163',
 'title': 'Hive0163 Ransomware Group Tests AI-Generated Malware in Active Attack',
 'type': 'Ransomware'}