Cyber Web Spider Blog – News

AI-Driven Malware ‘Slopoly’ Fuels Hive0163 Ransomware

Posted on March 16, 2026 By CWS

In early 2026, IBM X-Force identified a new AI-generated malware strain called ‘Slopoly,’ utilized in a ransomware attack by the cybercrime group Hive0163. This group is recognized for its significant data theft and ransomware deployments, using sophisticated, custom-built tools to infiltrate and maintain a presence in targeted networks.

Emergence of AI in Cybercrime

The discovery of Slopoly highlights a pivotal evolution in cybercriminal strategies, leveraging artificial intelligence to create attack tools. This method allows for rapid development at reduced costs, signaling a shift in the cyber threat landscape. Hive0163, known for deploying the Interlock ransomware variant, continues to expand its tools, including private crypters and backdoor malware like NodeSnake, InterlockRAT, and the JunkFiction loader, all designed to ensure long-term network access.

To gain initial access, Hive0163 utilizes ClickFix attacks and malvertising, often collaborating with initial access brokers. This strategy places them among the most connected ransomware groups currently in operation.

Technical Insights into Slopoly

IBM analysts discovered Slopoly during a live attack, finding it on an infected server as part of a custom command-and-control (C2) framework. The script was located in the directory C:\ProgramData\Microsoft\Windows\Runtime, with persistence achieved through a scheduled task called ‘Runtime Broker.’ Although the attackers maintained access for over a week, the specific commands they executed remain unknown.

The script’s structure bears hallmarks of AI generation, such as detailed comments and consistent error handling. Notably, it includes an unused ‘Jitter’ function, indicating iterative AI development. Although described as a ‘Polymorphic C2 Persistence Client,’ it lacks the capability to modify its code during execution.

Impact and Future Threats

The implications of Slopoly’s discovery extend beyond technical details, demonstrating that attackers can now produce effective malware without deep programming skills, thanks to AI. This trend is corroborated by Palo Alto’s Unit 42 in their 2026 Global Incident Response Report, which notes similar patterns of AI adoption in ransomware operations.

The attack began with a ClickFix maneuver, a social engineering tactic that deceives victims into executing malicious scripts. This technique uses a fake CAPTCHA page that places harmful commands in the clipboard and prompts users to paste and run them, unwittingly launching the malware.

The infection process involved deploying NodeSnake initially, followed by InterlockRAT, and concluding with Slopoly alongside post-exploitation tools. The Slopoly C2 server was hosted at plurfestivalgalaxy[.]com, featuring a login panel during its activity.

Recommendations for Security Teams

Security experts suggest adopting behavior-based detection methods since AI-generated malware often evades traditional signature-based tools. IBM X-Force advises implementing defenses against ClickFix attacks, such as disabling the Win+R shortcut or monitoring for unusual RunMRU registry entries.
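A defender-side check for the two host artefacts the article names (ClickFix commands left in the Win+R history, and a scheduled task running from C:\ProgramData like the ‘Runtime Broker’ task), plus the Explorer NoRun policy that removes the Run dialog. This is an added example, not IBM X-Force’s tooling; the keyword list and the ProgramData heuristic are assumptions of mine.

```powershell
# Added example, not from the IBM X-Force report. Hunts for the RunMRU and
# scheduled-task artefacts the article describes and applies the Run-dialog
# hardening it recommends. ASSUMPTIONS: keyword list and ProgramData heuristic.

$SuspiciousKeywords = @('powershell', 'mshta', 'cmd /c', 'curl', 'bitsadmin', 'rundll32', 'http')
$SkipProps = 'MRUList', 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# ClickFix leaves the pasted command in the victim's Win+R history (RunMRU).
# Only user hives currently loaded under HKEY_USERS are visible here.
function Get-SuspiciousRunMru {
    $userKeys = Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }
    foreach ($userKey in $userKeys) {
        $sid = $userKey.PSChildName
        $mru = "Registry::$($userKey.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
        if (-not (Test-Path $mru)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $mru).PSObject.Properties) {
            if ($prop.Name -in $SkipProps) { continue }
            $cmd = ([string]$prop.Value) -replace '\\1$', ''   # entries end with "\1"
            $hit = $SuspiciousKeywords | Where-Object { $cmd -match [regex]::Escape($_) }
            if ($hit) {
                [pscustomobject]@{ Sid = $sid; Entry = $prop.Name; Command = $cmd; Keyword = ($hit -join ',') }
            }
        }
    }
}

# Slopoly persisted as a scheduled task named "Runtime Broker" running from
# C:\ProgramData\Microsoft\Windows\Runtime. Flag tasks whose action runs from
# ProgramData (assumption: an unusual location for built-in tasks) or reuse the name.
function Get-SuspiciousScheduledTask {
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmdLine = (([string]$action.Execute) + ' ' + ([string]$action.Arguments)).Trim()
            if ($cmdLine -match 'ProgramData' -or $task.TaskName -eq 'Runtime Broker') {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Command = $cmdLine }
            }
        }
    }
}

# Mitigation from the article: remove the Run dialog (Win+R) for the current
# user via the Explorer NoRun policy. Takes effect after Explorer restarts.
function Disable-RunDialog {
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name NoRun -Value 1 -Type DWord
}

Get-SuspiciousRunMru | Format-Table -AutoSize
Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

Run the two Get- functions from an elevated prompt on a suspect host; call Disable-RunDialog only where blocking the Run dialog fits the environment’s policy.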

Defenders should also search for Hive0163 indicators of compromise, including the now-defunct Slopoly C2 domain and its associated IP addresses. Proactive measures are crucial in combating the evolving threat posed by AI-driven malware.
