IBM X-Force discovered Slopoly, an LLM-generated PowerShell backdoor deployed by Hive0163 that maintained persistent access for 7+ days during a live ransomware engagement. The code self-describes as a "Polymorphic C2 Persistence Client" — but isn't actually polymorphic. That gap between what AI claims to build and what it actually builds is the story.
When IBM X-Force malware reverse engineer Golo Mühr published his analysis on March 12, 2026, one detail stood out: the PowerShell backdoor at the centre of the story self-identifies in its own code as a "Polymorphic C2 Persistence Client." It is not polymorphic. It cannot modify its own code during execution. The LLM that generated it hallucinated a capability, the developer didn't check, and the mislabelled script was deployed against a live victim.
The gap between what the AI claimed to build and what it actually built is the most instructive thing about Slopoly — and it captures where AI-assisted attack development sits in early 2026: operationally useful, technically mediocre, and accelerating fast.
Who Is Hive0163?
IBM X-Force tracks Hive0163 as a cluster of financially motivated threat actors responsible for multiple large-scale ransomware attacks, primarily deploying Interlock ransomware. The group's defining characteristic is post-compromise depth: rather than hit-and-run encryption, Hive0163 maintains prolonged access to corporate environments for large-scale data exfiltration before triggering the ransomware payload.
IBM X-Force has identified suspected lineage connections to ex-ITG23 — the TrickBot/Wizard Spider ecosystem that fractured after Conti collapsed in 2022 — with infrastructure and tooling overlaps spanning Broomstick (Oyster/CleanUpLoader), Supper (SocksShell), PortStarter, SystemBC, and Rhysida ransomware operators. IBM describes the group as having "several dynamic subclusters with access to private crypters, malware frameworks and ransomware variants, likely developed at least partially by members of the group."
For initial access, Hive0163 uses ClickFix social engineering (fake CAPTCHA pages storing malicious PowerShell in the clipboard, executed via Win+R), malvertising, and initial access brokers TA569 (SocGholish) and TAG-124 (LandUpdate808/KongTuke).
Interlock emerged in September 2024. A CISA/FBI joint advisory (AA25-203A) followed on July 22, 2025. Arctic Wolf documented at least 58 confirmed victims across manufacturing, healthcare, education, government, financial services, and technology — spanning North America, Europe, and Australia.
The victim list is concrete. DaVita, the US dialysis provider, had 1.5 TB stolen affecting more than 200,000 patients. Kettering Health and Texas Tech University System were also confirmed victims. In July 2025, the City of Saint Paul, Minnesota had key systems taken offline with 3,500 employee records at risk; the city did not pay.
Slopoly: What IBM Actually Found
IBM X-Force discovered Slopoly during a live ransomware engagement in early 2026. The malware had already been deployed to an infected server and had maintained access for more than seven days when analysts encountered it. IBM named it Slopoly.
Slopoly is a PowerShell-based backdoor functioning as the client component of a custom command-and-control framework. Its technical architecture is not complex. It is deployed to C:\ProgramData\Microsoft\Windows\Runtime\ and persists via a Windows Scheduled Task named "Runtime Broker" — a deliberate masquerade of a legitimate Windows process name (MITRE ATT&CK T1053.005).
C2 communication runs via HTTP POST to the endpoint /api/commands. The beacon sends a heartbeat every 30 seconds, with a JSON payload that includes the bot's public IP, privilege level, session ID, username, and computer name. Command polling occurs every 50 seconds with "action":"wait_command". Commands received from the C2 server are executed through cmd.exe, with results relayed back. Slopoly maintains a rotating log file named persistence.log that rolls over at 1 MB.
The supported command set covers the operational basics: download and execute EXE, DLL, or JavaScript payloads; run arbitrary shell commands and return output; modify beacon intervals; self-update; and terminate. The C2 infrastructure active during IBM's investigation included the domain plurfestivalgalaxy[.]com (no longer active) resolving to 94[.]156[.]181[.]89, with a second Hive0163 C2 IP at 77[.]42[.]75[.]119.
The SHA-256 hash of the redacted Slopoly script uploaded by IBM X-Force to VirusTotal is 0884e5590bdf3763f8529453fbd24ee46a3a460bba4c2da5b0141f5ec6a35675.
IBM's technical verdict on the script itself: "mediocre at best."
The AI Fingerprint
IBM X-Force assesses with high confidence that Slopoly was generated by a large language model. The indicators are specific: extensive inline comments document every function in structured prose (rare in human-authored malware, where comments are liabilities); variable names are accurate and descriptive rather than obfuscated; and logging and error handling follow boilerplate AI patterns rather than the sparse, functional approach of a practised developer.
Two anomalies are particularly diagnostic. The script contains an unused "Jitter" function — syntactically valid but never called, consistent with an iterative AI session where the function was generated then abandoned without cleanup. More significantly, the script describes itself as a "Polymorphic C2 Persistence Client" despite having no polymorphic capability whatsoever. A builder may generate client instances with randomised configuration values, but that is not polymorphism. The LLM over-claimed, the developer didn't verify, and the mislabelled code shipped.
IBM could not identify which LLM was used, assessing the output as consistent with a less advanced model whose guardrails were circumvented. IBM's verdict: "The naming of variables indicates the model intended to design the script for a malicious purpose, meaning any model guardrails, if present, were successfully circumvented."
Slopoly held access for seven days. It enabled a ransomware deployment. The mediocrity is the point — AI has lowered the floor for what a competent malware developer needs to be.
The Full Attack Chain
Slopoly sits at stage three of a multi-tool intrusion sequence that IBM X-Force has mapped comprehensively.
Initial access arrives via ClickFix: a fake CAPTCHA stores malicious PowerShell in the clipboard, prompting the user to execute it via Win+R (MITRE T1204.004, added to ATT&CK in March 2025). The first-stage payload is NodeSnake, a NodeJS-based backdoor that connects via HTTP POST to C2 infrastructure using a combination of hardcoded Cloudflare tunnel domains (trycloudflare.com) and IP fallbacks (MITRE T1071.001). NodeSnake establishes persistence via AUTORUN and downloads the second stage.
InterlockRAT — a JavaScript backdoor — provides deeper capability: SOCKS5 proxy tunnelling, reverse shell access, and payload delivery over WebSockets (MITRE T1095). Post-exploitation reconnaissance uses AzCopy for exfiltration to Azure Blob Storage (MITRE T1537) and Advanced IP Scanner for network mapping.
Slopoly is then deployed as a secondary persistent foothold, providing a redundant C2 channel while the operator prepares for the final stage. Interlock ransomware itself arrives via the JunkFiction loader (dropped into a temp folder with a single-digit name), executes as SYSTEM via a scheduled task named "TaskSystem," encrypts files using AES-GCM per-file with RSA-protected session keys, drops a ransom note named FIRST_READ_ME.txt, appends .!NT3RLOCK or .int3R1Ock extensions, and self-deletes via an embedded DLL through rundll32.exe (MITRE T1218.011).
CVE-2026-20131: The Zero-Day That Preceded Slopoly
On March 18, 2026, BleepingComputer reported that Interlock was also exploiting CVE-2026-20131 — a CVSS 10.0 unauthenticated RCE in Cisco Secure Firewall Management Center (FMC) — as a zero-day for 36 days before disclosure. The flaw enables unauthenticated RCE via insecure deserialisation of Java byte streams. Exploitation began January 26, 2026; Cisco patched it March 4, 2026.
Amazon CISO CJ Moses: "This wasn't just another vulnerability exploit — Interlock had a zero-day in their hands, giving them a week's head start to compromise organisations before defenders even knew to look."
CVE-2026-20131 is not named in IBM's Slopoly report as the specific initial access vector for the incident where Slopoly was recovered. Both disclosures are attributed to the same Interlock/Hive0163 cluster within the same reporting window.
Why AI-Generated Malware Is Structurally Significant
Slopoly's mediocrity is precisely why it matters.
The IBM X-Force 2026 Threat Intelligence Index counted 109 active ransomware and extortion groups in 2025 — up 49% from 73 in 2024 — while the top 10 groups' share of attacks declined 25%, a sign of fragmentation and proliferating smaller operators. Unit 42's 2026 Global Incident Response Report, based on 750+ major incidents across 50 countries, found the fastest attackers now reach exfiltration in 72 minutes — down from ~4.8 hours the prior year.
AI-generated malware removes the competency floor. A threat actor who cannot write functional PowerShell can prompt an LLM to write it. As IBM X-Force states: "It disproportionately enables threat actors by reducing the time an operator needs to develop and execute an attack."
The forward-looking risk is attribution degradation. IBM warns that "disparate, largely similar malicious [malware] will become significantly more difficult to attribute to a single developer in the future." When LLMs generate the code, the idiosyncratic fingerprints analysts rely on for clustering disappear. Golo Mühr: "Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponise AI to develop new malware frameworks in a fraction of the time it used to take."
Defender Actions
The IBM X-Force report provides specific, actionable mitigations.
Patch CVE-2026-20131 immediately. Cisco issued the patch on March 4, 2026. Any Cisco Secure FMC deployment that has not applied this update was exposed during a confirmed active exploitation window.
Mitigate ClickFix. Disable the Win+R run dialogue for standard users via Group Policy. Monitor the RunMRU registry key for entries containing PowerShell, cmd, or encoded strings.
Hunt Slopoly IOCs. Alert on Scheduled Task "Runtime Broker" created in non-standard contexts, files written to C:\ProgramData\Microsoft\Windows\Runtime\, and periodic HTTP POST traffic to /api/commands. Block C2 IPs 94[.]156[.]181[.]89 and 77[.]42[.]75[.]119.
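One way to turn the host-side indicators from the ClickFix and Slopoly paragraphs into a triage check, as an added example that is not IBM X-Force code or tooling from the report. It applies the article's artefacts (the "Runtime Broker" task name, the C:\ProgramData\Microsoft\Windows\Runtime\ drop directory, RunMRU entries carrying PowerShell or cmd with encoded or hidden-window flags) to constructed telemetry records whose field names only loosely mirror Windows Security event 4698 and Sysmon events 11 and 13; the flag list, the hostnames and the file name client.ps1 are assumptions made for the example.

```python
"""Triage constructed Windows host telemetry for the Slopoly and ClickFix
artefacts listed in the article. Added example, not code from the report;
records and field names are constructed and only loosely follow Security
event 4698 (task created), Sysmon 11 (file create) and Sysmon 13 (registry
value set).
"""
import re
from dataclasses import dataclass

# Indicators taken from the article.
SLOPOLY_TASK_NAME = "runtime broker"
SLOPOLY_DROP_DIR = "c:\\programdata\\microsoft\\windows\\runtime\\"
RUNMRU_KEY = "\\software\\microsoft\\windows\\currentversion\\explorer\\runmru\\"

# Interpreter names plus flags that ClickFix-style one-liners tend to carry.
# The flag list is an assumption for this example, not from the report.
INTERPRETER = re.compile(r"\b(powershell|pwsh|cmd|mshta)\b", re.IGNORECASE)
ENCODED_OR_HIDDEN = re.compile(
    r"(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s*hidden|\biex\b"
    r"|invoke-expression|downloadstring|frombase64)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


def _task_basename(task_name: str) -> str:
    """'\\Folder\\Runtime Broker' -> 'runtime broker' (folder prefix dropped)."""
    return task_name.rsplit("\\", 1)[-1].strip().lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply the article's host-side indicators to one telemetry record."""
    out = []
    host = ev.get("host", "?")
    eid = ev.get("event_id")
    if eid == 4698:  # scheduled task created
        name = ev.get("task_name", "")
        content = ev.get("task_content", "").lower()
        if _task_basename(name) == SLOPOLY_TASK_NAME:
            out.append(Finding(host, "slopoly_task_name", "high",
                               f"task {name!r} created by {ev.get('subject')}"))
        if SLOPOLY_DROP_DIR in content:
            out.append(Finding(host, "slopoly_drop_dir_in_task", "high",
                               f"task {name!r} runs a file under the Slopoly drop directory"))
    elif eid == 11:  # file created
        target = ev.get("target_filename", "")
        if target.lower().startswith(SLOPOLY_DROP_DIR):
            out.append(Finding(host, "slopoly_drop_dir_write", "high",
                               f"{ev.get('image')} wrote {target}"))
    elif eid == 13:  # registry value set; RunMRU records what was typed into Win+R
        if RUNMRU_KEY in ev.get("target_object", "").lower():
            details = ev.get("details", "")
            interp, enc = INTERPRETER.search(details), ENCODED_OR_HIDDEN.search(details)
            if interp and enc:
                out.append(Finding(host, "runmru_clickfix", "high", f"Win+R ran: {details}"))
            elif interp or enc:
                out.append(Finding(host, "runmru_interpreter", "medium", f"Win+R ran: {details}"))
    return out


def triage(events: list[dict]) -> list[Finding]:
    """Run every record through check_event and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry: one benign task, one benign RunMRU entry, and
# three records shaped like the artefacts the article describes.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4698, "subject": "NT AUTHORITY\\SYSTEM",
     "task_name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "task_content": "<Exec><Command>%systemroot%\\system32\\usoclient.exe</Command></Exec>"},
    {"host": "SRV02", "event_id": 4698, "subject": "CORP\\svc_backup",
     "task_name": "\\Runtime Broker",   # client.ps1 below is a constructed file name
     "task_content": "<Exec><Command>powershell.exe</Command><Arguments>-w hidden "
                     "-f C:\\ProgramData\\Microsoft\\Windows\\Runtime\\client.ps1</Arguments></Exec>"},
    {"host": "SRV02", "event_id": 11, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target_filename": "C:\\ProgramData\\Microsoft\\Windows\\Runtime\\persistence.log"},
    {"host": "WS01", "event_id": 13, "details": "notepad\\1",
     "target_object": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a"},
    {"host": "WS01", "event_id": 13, "details": "powershell -w hidden -enc <constructed-base64-placeholder>\\1",
     "target_object": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\b"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.rule}: {f.detail}")
```

The task-name match is deliberately on the basename only, so a task created at the root or inside a folder is caught either way; the drop-directory check is separate because a renamed task that still launches a file from that path is the stronger signal of the two.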
Prioritise behaviour-based detection. Slopoly's static signature is straightforward to identify — but the script ran undetected for seven days. Behavioural detection of scheduled task creation, cmd.exe spawned from PowerShell, and fixed-interval outbound HTTP POST beaconing should have flagged it.
Monitor Cloudflare tunnel abuse and AzCopy exfiltration. NodeSnake and InterlockRAT use trycloudflare.com subdomains to mask C2 traffic. Interlock exfiltrates data via AzCopy to Azure Blob Storage — alert on AzCopy execution from non-administrative hosts and unexpected outbound Azure storage connections.
Key Takeaways
- Slopoly is an LLM-generated PowerShell backdoor deployed by Hive0163 that held persistent access for 7+ days during a live Interlock ransomware engagement. SHA-256: 0884e5590bdf3763f8529453fbd24ee46a3a460bba4c2da5b0141f5ec6a35675. C2: 94[.]156[.]181[.]89.
- The malware self-describes as "polymorphic" but is not. The LLM over-claimed a capability; the developer shipped it without verification. IBM X-Force calls the script "mediocre at best" — it still worked for a week.
- CVE-2026-20131 (CVSS 10.0) in Cisco Secure Firewall Management Center was exploited by the same Interlock cluster as a zero-day for 36 days before its March 4, 2026 patch. Patch immediately.
- The IBM X-Force 2026 Index counted 109 active ransomware groups in 2025 — a 49% year-on-year increase — while Unit 42 found the fastest attacks now reach exfiltration in 72 minutes. AI tooling is the accelerant.
- Attribution is degrading. When LLMs generate malware code, the developer fingerprints analysts rely on for clustering disappear. Hive0163 illustrates the operational benefit: a usable backdoor produced faster, with fewer distinguishing artefacts.
References
- IBM X-Force — "A Slopoly start to AI-enhanced ransomware attacks" (Golo Mühr, March 12, 2026). https://www.ibm.com/think/x-force/slopoly-start-ai-enhanced-ransomware-attacks
- BleepingComputer — "AI-generated Slopoly malware used in Interlock ransomware attack" (Bill Toulas, March 12, 2026). https://www.bleepingcomputer.com/news/security/ai-generated-slopoly-malware-used-in-interlock-ransomware-attack/
- BleepingComputer — "Interlock ransomware exploited Cisco FMC flaw in zero-day attacks since January" (Sergiu Gatlan, March 18, 2026). https://www.bleepingcomputer.com/news/security/interlock-ransomware-exploited-secure-fmc-flaw-in-zero-day-attacks-since-january/
- IBM Newsroom — 2026 X-Force Threat Intelligence Index (February 25, 2026). https://newsroom.ibm.com/2026-02-25-ibm-2026-x-force-threat-index-ai-driven-attacks-are-escalating-as-basic-security-gaps-leave-enterprises-exposed
- Palo Alto Networks — Unit 42 2026 Global Incident Response Report (February 17, 2026). https://www.paloaltonetworks.com/blog/2026/02/unit-42-global-ir-report/
- Arctic Wolf — "Threat Actor Profile: Interlock Ransomware" (August 15, 2025). https://arcticwolf.com/resources/blog/threat-actor-profile-interlock-ransomware/
- Security Affairs — "AI-assisted Slopoly malware powers Hive0163's ransomware campaigns" (Pierluigi Paganini, March 13, 2026). https://securityaffairs.com/189378/malware/ai-assisted-slopoly-malware-powers-hive0163s-ransomware-campaigns.html
- Cybersecurity Dive — "Even primitive AI-coded malware helps hackers move faster" (March 13, 2026). https://www.cybersecuritydive.com/news/ai-ransomware-backdoor-ibm-attribution/814671/
- MITRE ATT&CK — T1204.004: User Execution: Malicious Copy and Paste. https://attack.mitre.org/techniques/T1204/004/
- Fortinet — "Interlock Ransomware: New Techniques, Same Old Tricks" (January 29, 2026). https://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks