AI-Generated Malware: Emerging Risks from Slopoly in Ransomware Campaigns

Summary:

Cybersecurity researchers have identified a financially motivated threat group, Hive0163, deploying a novel AI-assisted malware known as Slopoly to maintain prolonged access during ransomware campaigns. The malware functions as a PowerShell-based backdoor and is typically introduced during the post-exploitation stage of an attack. Once deployed, it communicates with a command-and-control (C2) server to receive instructions and execute commands on compromised systems while maintaining persistence through scheduled tasks. The attack chain frequently begins with social engineering techniques such as ClickFix, which tricks users into executing malicious PowerShell commands that deliver initial-stage malware including NodeSnake. Additional tools such as Interlock RAT and ransomware payloads may then be deployed during later stages of the intrusion. Evidence suggests that Slopoly was partially generated using large language models (LLMs), highlighting a growing trend in which threat actors leverage artificial intelligence to accelerate malware development and scale ransomware operations.

Technical Description:

Slopoly is a PowerShell-based backdoor associated with the financially motivated threat actor Hive0163 and is used to maintain persistence and remote access on compromised systems during ransomware attacks. The malware is commonly installed in the directory C:\ProgramData\Microsoft\Windows\Runtime\ and establishes persistence through a scheduled task named “Runtime Broker.”

Once active, the malware functions as a command-and-control client that periodically communicates with a remote server. It sends system heartbeat information approximately every 30 seconds and polls the C2 server roughly every 50 seconds for new commands. Commands received from the attacker are executed through cmd.exe, and the results are returned to the command server.

Initial compromise typically occurs through ClickFix social engineering techniques that trick victims into executing malicious PowerShell commands. These commands install first-stage malware such as NodeSnake, which facilitates additional payload delivery including Interlock RAT and other post-exploitation tools. Structured comments, descriptive variable naming conventions, and organized script formatting suggest that portions of the malware code were generated using large language models (LLMs), illustrating how artificial intelligence can accelerate malware development and operational deployment. The details of the attack campaign are discussed further below.

Delivery and Infection Chain:

The attack chain associated with the AI-assisted malware Slopoly typically begins with social engineering campaigns designed to trick victims into executing malicious PowerShell commands. One commonly observed technique is ClickFix, which prompts users to manually execute commands that download malware components. These commands install NodeSnake, a first-stage malware loader that establishes an initial foothold within the compromised environment.

In addition to social engineering methods, threat actor Hive0163 is known to leverage malvertising campaigns and access obtained through initial access brokers such as TA569 (SocGholish) and TAG-124 (KongTuke). These methods allow attackers to gain access to targeted enterprise networks before deploying additional malware components.

The infection chain was identified as follows:

• The attack begins with social engineering techniques such as ClickFix or malvertising campaigns that trick victims into executing malicious PowerShell commands.
• The executed command downloads and runs the first-stage loader NodeSnake, which establishes initial access and enables execution of additional shell commands on the compromised system.
• NodeSnake retrieves and deploys Interlock RAT, providing attackers with remote access capabilities and operational control over the infected machine.
• During the post-exploitation stage, the threat actor Hive0163 deploys the Slopoly PowerShell backdoor to maintain persistence within the compromised environment.
• Slopoly communicates with a command-and-control server, periodically sending system information, receiving commands, executing them via cmd.exe, and enabling further malicious activities, including data exfiltration or ransomware deployment.

Technical Capabilities:

Slopoly functions as a PowerShell-based backdoor designed to maintain persistent access to compromised systems. The malware is typically installed within the C:\ProgramData\Microsoft\Windows\Runtime\ directory and creates a scheduled task named “Runtime Broker” to ensure persistence even after system reboots.

After execution, the malware establishes a connection with its command-and-control server and sends periodic heartbeat messages approximately every 30 seconds containing system information that allows attackers to monitor the infected host. The malware also polls the C2 server roughly every 50 seconds for new commands.
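The two fixed timers described above leave a footprint in proxy or firewall logs that does not depend on knowing the C2 address. The following Python is an added example, not code from the original report: it scores each host-to-destination flow for connections phase-locked to a 30 s or 50 s period, using constructed sample log lines (the hosts, addresses and timings are made up).

```python
"""Flag hosts whose connections to one destination are phase-locked to a fixed timer,
the pattern produced by a 30 s heartbeat and a 50 s command poll."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample telemetry (not real logs): WS01 beacons to a documentation-range
# address on interleaved 30 s and 50 s timers; WS02 shows irregular, browsing-like timing.
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:{s // 60:02d}:{s % 60:02d} WS01 198.51.100.7:443"
     for s in sorted({*range(0, 301, 30), *range(0, 301, 50)})]
    + [f"2024-01-01T10:{s // 60:02d}:{s % 60:02d} WS02 203.0.113.9:443"
       for s in (3, 17, 44, 71, 95, 133, 160, 199, 228, 262, 289, 297)]
)

def parse_log(text):
    """Return {(host, dest): [epoch seconds, ...]} from 'timestamp host dest' lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, host, dest = line.split()
        flows[(host, dest)].append(round(datetime.fromisoformat(ts).timestamp()))
    return flows

def phase_lock_score(times, period):
    """Fraction of connections that share one residue modulo `period` (1 s bins).
    A timer firing every `period` seconds lands every beacon in the same bin, so the
    score stays high even when a second timer interleaves extra connections."""
    bins = Counter(t % period for t in times)
    return max(bins.values()) / len(times)

def find_beacons(text, periods=(30, 50), min_hits=6, min_score=0.4):
    """Return [(host, dest, period, score)] for flows locked to a candidate period.
    Human-driven traffic spreads across residues and scores near 1/period."""
    hits = []
    for (host, dest), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        for period in periods:
            score = phase_lock_score(times, period)
            if score >= min_score:
                hits.append((host, dest, period, round(score, 2)))
    return hits

if __name__ == "__main__":
    for host, dest, period, score in find_beacons(SAMPLE_LOG):
        print(f"{host} -> {dest}: {score:.0%} of connections locked to a {period} s timer")
```

Only WS01 is reported, once per timer, because its connections cluster on a single residue for both 30 s and 50 s while WS02's are spread almost uniformly.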

When instructions are received from the command server, Slopoly executes them using cmd.exe and sends the output back to the attacker, enabling full remote command execution capabilities. The malware is produced using a builder framework capable of generating multiple variants with randomized configuration values and function names, helping it evade detection mechanisms even though it does not rely on advanced polymorphic techniques.

The structured comments, logging mechanisms, and organized code structure indicate that portions of the script were likely generated using large language models (LLMs). This demonstrates how artificial intelligence tools can significantly reduce the time required to create functional malware frameworks and scale malicious operations.

Attribution and Evolution:

The malicious activity has been attributed to the financially motivated cybercriminal group Hive0163, which is known for conducting ransomware and data extortion campaigns. The group’s malware toolkit includes NodeSnake, Interlock RAT, and Interlock ransomware, which are used together to gain initial access, maintain control over compromised systems, and deploy ransomware payloads. The emergence of Slopoly represents an evolution in the group’s operational capabilities. The apparent use of large language models in malware development demonstrates how threat actors are beginning to leverage artificial intelligence to accelerate malware creation, reduce development complexity, and expand the scale of ransomware operations.

Active Campaign and Geographic Spread:

Current observations suggest that the campaign forms part of Hive0163’s broader ransomware operations targeting enterprise environments. The group typically relies on opportunistic initial access vectors such as compromised websites, malvertising campaigns, and access obtained through initial access brokers.

Although specific geographic targeting has not been definitively confirmed, these types of campaigns often affect organizations across multiple regions due to the widespread nature of phishing, malvertising, and automated exploitation techniques used during initial compromise stages.

Conclusion:

The emergence of Slopoly demonstrates the growing use of artificial intelligence within cybercriminal operations. While the malware itself does not employ particularly sophisticated techniques, AI-assisted development significantly lowers the barrier for threat actors to create functional malware capable of maintaining persistence and remote access.

Organizations should strengthen detection capabilities for PowerShell-based attacks, monitor for suspicious scheduled tasks and command-and-control communications, and implement strong user awareness programs to reduce the risk of social engineering-based compromise.

Impact:

Successful deployment of this malware framework may allow attackers to maintain persistent unauthorized access within enterprise environments. This access can facilitate data theft, lateral movement across networks, and deployment of additional malicious payloads including ransomware.

Compromised systems may also be used as staging points for further attacks or as proxy infrastructure for other malicious operations. The persistence capabilities of Slopoly enable attackers to maintain long-term access, increasing the risk of significant operational disruption and large-scale data compromise.

IOC and Context Details:

Tactic Name: Initial Access, Execution, Persistence, Command and Control, Exfiltration
Technique Name: Phishing / Social Engineering (ClickFix); PowerShell Execution; Scheduled Task/Job Persistence; Command-and-Control Communication
Sub-Technique Name: PowerShell; Scheduled Task; Web-based C2 Communication
Attack Type: Malware
Targeted Applications: Microsoft Windows systems, PowerShell environment, Command Prompt, enterprise servers
Region Impacted: Global
Industry Impacted: Technology, finance, and corporate environments
IOCs:
SHA256:
0884e5590bdf3763f8529453fbd24ee46a3a460bba4c2da5b0141f5ec6a35675

Domains:

IP Addresses:
94[.]156[.]181[.]89
77[.]42[.]75[.]119
23[.]227[.]203[.]123
172[.]86[.]68[.]64
CVE: N/A

Recommended Actions:

• Implement robust email and web filtering mechanisms to detect and block phishing attempts, malvertising campaigns, and social engineering techniques such as ClickFix.
• Restrict and closely monitor the use of PowerShell by enabling advanced logging features such as PowerShell Script Block Logging and Module Logging.
• Continuously monitor systems for unauthorized scheduled tasks, particularly suspicious entries such as “Runtime Broker,” which may indicate persistence mechanisms used by malware.
• Deploy Endpoint Detection and Response solutions capable of detecting abnormal command execution, backdoor activity, and command-and-control communication.
• Monitor outbound network traffic for unusual beaconing behavior or repeated connections to unknown command-and-control servers.
• Apply the principle of least privilege to limit user permissions and prevent attackers from executing administrative commands or deploying additional malware.
• Maintain regular patching of operating systems and applications to reduce potential attack surfaces and vulnerabilities.
• Conduct periodic cybersecurity awareness training to educate employees on identifying phishing attempts, malicious scripts, and suspicious command execution prompts.
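To make the scheduled-task recommendation concrete, here is an added Python example (not code from the report or from the researchers) that triages Task Scheduler XML for a task named "Runtime Broker" whose action runs a script host or references the C:\ProgramData\Microsoft\Windows\Runtime\ directory. The two task definitions and the file name rt.ps1 are constructed for the example, not observed indicators.

```python
"""Triage Windows scheduled-task XML for Slopoly-style persistence: a task named after a
Windows component whose action runs a script host from a user-writable ProgramData path."""
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Install directory reported for Slopoly; compared case-insensitively.
SUSPECT_DIRS = (r"c:\programdata\microsoft\windows\runtime",)

# Constructed task definitions (not real captures); "rt.ps1" is a placeholder file name.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Runtime Broker</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NoProfile -File C:\ProgramData\Microsoft\Windows\Runtime\rt.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Corp\Inventory Sync</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Corp\inventory.exe</Command><Arguments>--sync</Arguments></Exec>
  </Actions>
</Task>"""

def triage_task(xml_text):
    """Return reasons the task resembles Slopoly-style persistence; [] means nothing flagged."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]
    reasons = []
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        binary = cmd.rsplit("\\", 1)[-1].lower()
        if binary in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {binary}")
        if any(d in f"{cmd} {args}".lower() for d in SUSPECT_DIRS):
            reasons.append("action references the Slopoly install directory under ProgramData")
    # A task named after a Windows component is only interesting when its action is odd too.
    if name.lower() == "runtime broker" and reasons:
        reasons.insert(0, "task name mimics the Windows 'Runtime Broker' component")
    return reasons

if __name__ == "__main__":
    for label, xml_text in (("constructed malicious", MALICIOUS_TASK), ("constructed benign", BENIGN_TASK)):
        print(label, "->", triage_task(xml_text) or ["nothing flagged"])
```

The same function can be pointed at the task definition files under C:\Windows\System32\Tasks on a host under investigation, where each file holds one task in this XML format.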

Reference:

https://www.ibm.com/think/x-force/slopoly-start-ai-enhanced-ransomware-attacks