Full Report
Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163. "Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take
Analysis Summary
# Tool/Technique: Slopoly
## Overview
Slopoly is a suspected AI-generated malware framework used by the financially motivated threat actor Hive0163. Discovered in early 2026, it is primarily used for maintaining persistent access to compromised servers during the post-exploitation phase of ransomware attacks. While described by its developers as a "Polymorphic C2 Persistence Client," researchers noted it lacks true polymorphic capabilities, instead relying on extensive logging, error handling, and structured code indicative of Large Language Model (LLM) assistance.
## Technical Details
- **Type:** Malware (Backdoor/C2 Client)
- **Platform:** Windows (PowerShell-based), with associated framework implementations in PHP, C/C++, Java, and JavaScript (supporting both Windows and Linux).
- **Capabilities:** Persistence, system information exfiltration, command execution, and heartbeat beaconing.
- **First Seen:** Early 2026
## MITRE ATT&CK Mapping
- **[TA0003 - Persistence]**
  - [T1053.005 - Scheduled Task/Job: Scheduled Task]
- **[TA0002 - Execution]**
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
  - [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
- **[TA0011 - Command and Control]**
  - [T1071.001 - Application Layer Protocol: Web Protocols]
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
## Functionality
### Core Capabilities
- **Heartbeat Beaconing:** Sends a message containing system information to the C2 server every 30 seconds.
- **Command Polling:** Regularly polls the C2 server (every 50 seconds) for new instructions.
- **Execution:** Processes commands received from the C2 via `cmd.exe` and relays results back to the attacker.
- **Persistence:** Establishes itself on the system using a scheduled task named "Runtime Broker."
### Advanced Features
- **AI-Assisted Development:** Features unusually heavy commenting, verbose logging, comprehensive error handling, and descriptive variable naming, suggesting it was generated by an LLM.
- **Builder-Based Variability:** Likely deployed via a builder that randomizes configuration values and function names to evade simple signature-based detection.
## Indicators of Compromise
- **File Hashes:**
  - *(Specific hashes were not provided in the source article)*
- **File Names:**
  - PowerShell-based scripts (often deployed via first-stage loaders like NodeSnake)
- **Registry Keys:**
  - Items associated with the "Runtime Broker" scheduled task.
- **Network Indicators:**
  - C2 traffic to remote servers managed by Hive0163 (no URLs or IPs were specified in the source; any that are later published should be handled in defanged form, e.g. `domain[.]tld`).
- **Behavioral Indicators:**
  - `powershell.exe` spawning `cmd.exe` at regular intervals.
  - Periodic outbound traffic every 30-50 seconds to the same external endpoint.
## Associated Threat Actors
- **Hive0163:** A financially motivated e-crime group known for data exfiltration and ransomware operations.
## Detection Methods
- **Signature-Based:** While function names vary, the unique structure of AI-generated comments and error-handling blocks can be used for signature creation.
- **Behavioral Detection:** Monitoring for the creation of atypical scheduled tasks (e.g., "Runtime Broker" when not associated with standard Windows behavior) and recurring PowerShell-to-CMD execution patterns.
- **Network Monitoring:** Detection of 30-second and 50-second beaconing intervals.
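As an added illustration of the behavioral and network checks listed above (example code written for this summary, not tooling from the source report), the sketch below flags destinations contacted on a steady 30- or 50-second cadence and recurring `powershell.exe` to `cmd.exe` process chains. It assumes Sysmon-style telemetry already parsed into tuples; the events are constructed sample data and the hosts are documentation addresses.

```python
from collections import defaultdict
from statistics import median

# Constructed sample telemetry: (timestamp in seconds, event kind, fields)
SAMPLE_EVENTS = [
    # powershell.exe contacting one external host every 30 s (heartbeat)
    *[(t, "net", {"image": "powershell.exe", "dst": "203.0.113.10:443"})
      for t in range(0, 300, 30)],
    # a browser reaching another host at irregular times (benign noise)
    (5, "net", {"image": "chrome.exe", "dst": "198.51.100.7:443"}),
    (61, "net", {"image": "chrome.exe", "dst": "198.51.100.7:443"}),
    # powershell.exe spawning cmd.exe every 50 s (command polling)
    *[(t, "proc", {"parent": "powershell.exe", "image": "cmd.exe"})
      for t in range(10, 300, 50)],
    (17, "proc", {"parent": "explorer.exe", "image": "cmd.exe"}),
]

def _intervals(times):
    times = sorted(times)
    return [b - a for a, b in zip(times, times[1:])]

def _steady(gaps, tolerance):
    """True when every gap lies within tolerance of the median gap."""
    med = median(gaps)
    return all(abs(g - med) <= tolerance * med for g in gaps)

def periodic_destinations(events, periods=(30, 50), tolerance=0.2, min_gaps=4):
    """Map destination -> matched period for hosts contacted at a steady cadence."""
    per_dst = defaultdict(list)
    for ts, kind, fields in events:
        if kind == "net":
            per_dst[fields["dst"]].append(ts)
    flagged = {}
    for dst, times in per_dst.items():
        gaps = _intervals(times)
        if len(gaps) < min_gaps or not _steady(gaps, tolerance):
            continue  # too few samples, or jittery like normal user traffic
        med = median(gaps)
        for p in periods:
            if abs(med - p) <= tolerance * p:
                flagged[dst] = p
    return flagged

def recurring_powershell_to_cmd(events, tolerance=0.2, min_gaps=4):
    """True when powershell.exe spawns cmd.exe repeatedly on a steady cadence."""
    times = [ts for ts, kind, f in events
             if kind == "proc" and f["parent"] == "powershell.exe" and f["image"] == "cmd.exe"]
    gaps = _intervals(times)
    return len(gaps) >= min_gaps and _steady(gaps, tolerance)
```

In production the tolerance and minimum sample count should be tuned against baseline traffic, since legitimate agents (update checkers, monitoring clients) also beacon on fixed timers.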
## Mitigation Strategies
- **Prevention:** Implement strict PowerShell execution policies (e.g., Constrained Language Mode).
- **Hardening:** Disable or strictly monitor the creation of Scheduled Tasks by non-administrative users.
- **User Training:** Educate employees on "ClickFix" social engineering tactics that trick users into running PowerShell commands.
## Related Tools/Techniques
- **NodeSnake:** The first-stage component used to download Slopoly.
- **Interlock RAT:** A wider malware framework used by the same actor.
- **JunkFiction:** A loader associated with Hive0163.
- **ClickFix:** The social engineering technique used for initial delivery.
- **VoidLink / PromptSpy:** Other contemporary examples of AI-assisted malware.