Full Report
Researchers from IBM X-Force have uncovered a new AI-generated malware, dubbed “Slopoly.” During a ransomware engagement, X-Force discovered a PowerShell script deployed on an infected server. The script appears to be the client component of a novel C2 framework, which X-Force named “Slopoly.” It was likely generated by a builder that inserted a timestamp and static configuration values such as a session ID, mutex name, C2 URL and beacon intervals. Although the builder itself was not recovered during the investigation, it deployed Slopoly into “C:\ProgramData\Microsoft\Windows\Runtime\” and established persistence via a scheduled task called “Runtime Broker.”
Analysis Summary
# Tool/Technique: Slopoly
## Overview
Slopoly is a novel, likely AI-generated Command and Control (C2) framework and backdoor. Discovered by IBM X-Force in early 2026, it is used by the financially motivated threat group Hive0163. The malware is characterized by its use of PowerShell for the client component and exhibits hallmarks of Large Language Model (LLM) generation, such as extensive commenting and structured error handling.
## Technical Details
- **Type:** Malware (Backdoor / C2 Framework)
- **Platform:** Windows (PowerShell-based)
- **Capabilities:** System information gathering, persistence, command execution (via cmd.exe), and detailed logging.
- **First Seen:** Early 2026
## MITRE ATT&CK Mapping
- **[TA0003 - Persistence]**
  - [T1053.005 - Scheduled Task/Job: Scheduled Task]
- **[TA0002 - Execution]**
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
  - [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
- **[TA0011 - Command and Control]**
  - [T1071.001 - Application Layer Protocol: Web Protocols]
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
## Functionality
### Core Capabilities
- **Beaconing:** Sends HTTP POST "heartbeat" beacons to the C2 server every 30 seconds containing JSON data (Bot IP, elevation status, session ID, user, and bot name).
- **Command Polling:** Polls the `/api/commands` endpoint every 50 seconds for new instructions.
- **Remote Execution:** Receives commands from the C2 and executes them using `cmd.exe`, relaying the output back to the attacker.
- **Persistence:** Establishes a foothold using a scheduled task named "Runtime Broker."
- **Logging:** Maintains a local file named `persistence.log` to record malware activities.
### Advanced Features
- **AI-Generated Structure:** Includes extensive comments, logging, and error handling typical of LLM-produced code.
- **Builder-Driven Deployment:** Likely deployed via a builder that injects unique session IDs, mutex names, and C2 URLs.
- **Pseudo-Polymorphism:** While the script claims to be a "Polymorphic C2 Persistence Client" in its comments, it lacks actual self-modification features; however, the builder likely randomizes function names and variables for each deployment.
## Indicators of Compromise
- **File Names:**
  - `C:\ProgramData\Microsoft\Windows\Runtime\persistence.log`
  - PowerShell script located in `C:\ProgramData\Microsoft\Windows\Runtime\`
- **Scheduled Task:** `Runtime Broker`
- **Network Indicators:**
  - C2 Endpoint: `hxxp[://]<C2-URL>/api/commands`
- **Behavioral Indicators:**
  - Repetitive HTTP POST requests to `/api/commands` with JSON payloads.
  - PowerShell spawning `cmd.exe` to execute shell commands.
## Associated Threat Actors
- **Hive0163:** A financially motivated cluster (possibly affiliated with Interlock ransomware operations) known for large-scale data exfiltration and extortion.
## Detection Methods
- **Signature-based:** Detect the specific PowerShell script patterns and the "Polymorphic C2 Persistence Client" comment string.
- **Behavioral detection:** Monitor for unauthorized scheduled tasks named "Runtime Broker" that point to PowerShell scripts in `ProgramData`.
- **Network detection:** Identify suspicious JSON-based heartbeats sent to unconventional external URLs.
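The behavioral and network indicators above, encoded as detection rules over normalised host and proxy telemetry. This is an added example, not X-Force tooling; the event field names, the script file name `client.ps1` and the C2 address 203.0.113.10 are constructed assumptions for the sample data.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed, simplified telemetry (not X-Force data); field names and the
# script name / C2 address are assumptions of this example.
SAMPLE_EVENTS = [
    {"kind": "task_create", "task": "\\Runtime Broker",
     "action": r"powershell.exe -w hidden -f C:\ProgramData\Microsoft\Windows\Runtime\client.ps1"},
    {"kind": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",   # benign lineage, must not fire
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
] + [  # six JSON POSTs to /api/commands at the report's fixed 50 s polling cadence
    {"kind": "http", "ts": 1000 + 50 * i, "src": "10.0.0.5", "method": "POST",
     "url": "http://203.0.113.10/api/commands", "content_type": "application/json"}
    for i in range(6)
]
RUNTIME_DIR = re.compile(r"\\programdata\\microsoft\\windows\\runtime\\", re.I)

def check_host_event(ev):
    """Scheduled-task and process-lineage indicators from the report."""
    if ev["kind"] == "task_create":
        action = ev.get("action", "")
        if (ev["task"].strip("\\").lower() == "runtime broker"
                and "powershell" in action.lower() and RUNTIME_DIR.search(action)):
            return "task 'Runtime Broker' runs PowerShell from ProgramData\\...\\Runtime"
    elif ev["kind"] == "process":
        if ev.get("parent", "").lower().endswith("powershell.exe") and ev["image"].lower().endswith("cmd.exe"):
            return f"PowerShell spawned cmd.exe: {ev.get('cmdline', '')}"
    return None

def check_beacons(events, min_count=4, max_jitter=2.0):
    """Flag sources that POST JSON to /api/commands on a near-fixed interval (low gap jitter)."""
    seen = defaultdict(list)
    for ev in events:
        if (ev["kind"] == "http" and ev["method"] == "POST"
                and ev["url"].split("?")[0].endswith("/api/commands")
                and "json" in ev.get("content_type", "")):
            seen[(ev["src"], ev["url"])].append(ev["ts"])
    findings = []
    for (src, url), ts in seen.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_count and pstdev(gaps) <= max_jitter:
            findings.append(f"{src} -> {url}: {len(ts)} JSON POSTs every ~{mean(gaps):.0f}s")
    return findings

def detect(events):
    return [f for f in map(check_host_event, events) if f] + check_beacons(events)
```

The jitter threshold is deliberately tight because the report describes fixed 30 s and 50 s intervals; loosen `max_jitter` if a variant adds sleep randomisation.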
## Mitigation Strategies
- **Prevention:** Implement AppLocker or Windows Defender Application Control (WDAC) to restrict PowerShell script execution.
- **Hardening:** Monitor and alert on the creation of new scheduled tasks, particularly those utilizing the "Runtime Broker" name (which is a legitimate process spoofed by the malware).
- **Auditing:** Enable PowerShell Script Block Logging (Event ID 4104) to capture the execution of the Slopoly script logic.
## Related Tools/Techniques
- **Interlock Ransomware:** Often the final payload in Hive0163 operations.
- **NodeSnake / InterlockRAT:** Other backdoors associated with the same threat actor.
- **JunkFiction:** A loader used by Hive0163.
- **AI-Enhanced Development:** Similar to recent frameworks like "VoidLink" or "PromptSpy."