AI-generated Slopoly malware unearthed in Hive0163 financial attacks | #ransomware | #cybercrime


Researchers specialized in cybercrime have recently identified a new malicious program called Slopoly, linked to an economically motivated threat actor known as Hive0163.

This finding confirms that digital criminals are beginning to use AI models to accelerate the creation of new pieces of malware and optimize their intrusion campaigns.

The discovery was detailed by security analysts who studied a series of recent incidents related to ransomware and massive data theft.

According to experts, Slopoly is primarily used in advanced stages of attacks, when attackers have already gained access to the victim’s infrastructure and seek to maintain control of the compromised system.

Golo Mühr, a researcher at IBM X-Force, explained the scope of this emerging phenomenon. “Although still relatively unspectacular, AI-generated malware like Slopoly demonstrates how easy it is for threat actors to weaponize AI to develop new malware frameworks in a fraction of the time it used to take,” the analyst stated in a technical report.

Hive0163 and its history in cyber extortion campaigns

The Hive0163 group has long been monitored by cybersecurity companies due to its involvement in attacks aimed at obtaining economic benefits. Their operations are based on digital extortion strategies that combine data theft, threats of data leakage, and ransomware deployment.

Among the tools previously linked to this actor are several families of malicious software used to compromise corporate networks. Researchers have connected Hive0163 with utilities like NodeSnake, Interlock RAT, JunkFiction loader, and the ransomware Interlock, an arsenal that demonstrates a high degree of technical specialization.

In an attack detected at the beginning of 2026, analysts observed that the group deployed Slopoly after gaining initial access to the victim’s systems. For more than a week, the malware remained active on the compromised servers, allowing attackers to maintain a presence within the affected network while preparing other actions.

How Slopoly operates within compromised systems

Investigations indicate that Slopoly is distributed via a PowerShell script usually installed in the path C:\ProgramData\Microsoft\Windows\Runtime. This file is generated through a builder that allows creating multiple variants of the malware with different configurations.

Once installed, the program establishes persistence mechanisms to ensure that access to the system is not lost after reboots or changes in the computing environment.

To achieve this, the malware creates a scheduled task named Runtime Broker, which allows the script to run automatically at defined intervals.

This type of persistence is a common technique in digital espionage and ransomware operations, as it provides attackers with a stable entry point from which they can launch new actions within the corporate network.
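A defender-side hunt for the persistence mechanism described in this section, added here as an example; it is not code from the article or from IBM X-Force's report. It parses the CSV layout that `schtasks /query /v /fo CSV` prints on Windows (the column names are assumed to match that output) and flags tasks that launch PowerShell from a script under C:\ProgramData, that use hidden-window or policy-bypass switches, or whose name imitates a Windows component such as RuntimeBroker.exe while living outside the \Microsoft\Windows task folder. The sample rows, the host name and the script file name update.ps1 are constructed, not indicators from the report.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of `schtasks /query /v /fo CSV` (column names
# assumed; only the columns used below are included). The fourth row imitates the
# persistence described in the article: a task named "Runtime Broker" running a
# PowerShell script from C:\ProgramData\Microsoft\Windows\Runtime. The file name
# update.ps1 is a placeholder. The second row is a constructed control row showing
# that a genuine RuntimeBroker entry under \Microsoft\Windows is not flagged.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Author","Status"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Microsoft Corporation","Ready"
"WS01","\Microsoft\Windows\RuntimeBroker\RuntimeBroker","C:\Windows\System32\RuntimeBroker.exe","Microsoft Corporation","Ready"
"WS01","\Runtime Broker","powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\ProgramData\Microsoft\Windows\Runtime\update.ps1","WS01\svc_backup","Running"
"WS01","\Nightly Backup","C:\Program Files\Backup\backup.exe /full","WS01\admin","Ready"
'''

# Analyst-chosen names of legitimate Windows components that malware tends to
# imitate; normalise() strips spaces and case so "Runtime Broker" == "RuntimeBroker".
LOOKALIKE_NAMES = {"runtimebroker", "svchost", "taskhostw", "securityhealthservice"}

POWERSHELL_RE = re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b")
USER_WRITABLE_RE = re.compile(
    r"(?i)\\(ProgramData|Users\\Public|Temp)\\|\\AppData\\|%TEMP%|%APPDATA%")
EVASIVE_SWITCH_RE = re.compile(
    r"(?i)-(ExecutionPolicy\s+Bypass|ep\s+bypass|WindowStyle\s+Hidden|w\s+hidden|EncodedCommand|enc\b)")


@dataclass
class Finding:
    host: str
    task_name: str
    action: str
    reasons: list = field(default_factory=list)


def normalise(name: str) -> str:
    """Lower-case and drop non-alphanumerics so spacing tricks do not hide a lookalike."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def analyse_tasks(csv_text: str) -> list:
    """Return one Finding per task in the schtasks CSV that trips at least one check."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, action = row["TaskName"], row["Task To Run"]
        reasons = []
        if POWERSHELL_RE.search(action) and USER_WRITABLE_RE.search(action):
            reasons.append("PowerShell script launched from a user-writable directory")
        if POWERSHELL_RE.search(action) and EVASIVE_SWITCH_RE.search(action):
            reasons.append("PowerShell invoked with hidden-window / policy-bypass switches")
        leaf = name.rsplit("\\", 1)[-1]  # last path component of the task name
        in_ms_folder = name.lower().startswith("\\microsoft\\windows\\")
        if normalise(leaf) in LOOKALIKE_NAMES and not in_ms_folder:
            reasons.append(f"task name '{leaf}' imitates a Windows component outside \\Microsoft\\Windows")
        if reasons:
            findings.append(Finding(row["HostName"], name, action, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"[{f.host}] {f.task_name}\n  action: {f.action}")
        for r in f.reasons:
            print(f"  - {r}")
```

On a live host the same function can be fed the output of `schtasks /query /v /fo CSV` directly. The three checks are deliberately independent: a task that only trips the lookalike-name check still deserves a look, because the builder described in the article can change the script path and switches between variants, while the folder it has to live in and the name it wants to blend in with are harder to vary without losing the disguise.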

Indications of development assisted by language models

One of the most striking aspects of the technical analysis is the possibility that Slopoly was developed with the help of an advanced language model. Researchers detected unusual features in the code that point to the use of artificial intelligence tools.

Among these clues are very detailed comments within the script, an organized code structure, exhaustive error handling, and variables with very descriptive names.

These types of elements usually appear in programs generated or assisted by large language models.

Additionally, the internal comments of the script describe the malware as a Polymorphic C2 Persistence Client, suggesting that it is part of a command and control architecture intended to manage multiple compromised devices.

Despite this designation, experts note that the program does not exhibit real-time mutation capabilities. As Mühr explained, the malware does not modify its own code during execution, so it cannot technically be considered polymorphic in the strict sense.

However, the builder used to generate new instances allows modifying parameters, function names, and internal configurations. This technique is common among malware developers because it complicates detection by security systems.

A permanent communication channel with attackers

From an operational standpoint, Slopoly functions as a complete backdoor capable of constantly communicating with a remote server controlled by the attackers. This mechanism is crucial to maintaining control of the infected system.

The malware sends a heartbeat message every 30 seconds containing information about the compromised device, including details of the operating system and other technical data. This way, the command and control server can check if the device is still active.

Moreover, every 50 seconds the program polls the server for pending commands. If any are waiting, it executes them via the cmd.exe interpreter and sends the results back to the remote server.

This constant communication flow allows attackers to execute instructions remotely, gather additional information, or prepare new phases of the attack.
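The fixed 30-second heartbeat and 50-second command poll described above leave a recognisable pattern in outbound connection logs, which is what network-side beacon detection looks for. The following is an added example (not from the article or from IBM X-Force) that runs a simple periodicity heuristic over constructed firewall-style log lines: for each source/destination pair it rounds the gaps between connections to whole seconds and measures how much of the traffic falls into the three most common gap values. A single 30-second timer with a little jitter gives near-total coverage; two interleaved timers (30 s and 50 s) still collapse to a handful of gap values (30, 20 and 10 seconds), so the heuristic also covers that case, while human-driven traffic spreads across many values. The log format, addresses, timestamps and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

BASE = datetime(2026, 1, 15, 10, 0, 0, tzinfo=timezone.utc)  # constructed start time


def make_lines(src, dst, offsets):
    """Build constructed firewall-style log lines for one src->dst pair at the given second offsets."""
    return [f"{(BASE + timedelta(seconds=o)).isoformat()} src={src} dst={dst}:443 action=allow"
            for o in offsets]


# Constructed sample log (documentation address ranges, not real infrastructure).
# Pair 1 mirrors a 30-second heartbeat with slight jitter; pair 2 mirrors the two
# timers described in the article (30 s heartbeat interleaved with a 50 s command
# poll); pair 3 is irregular, browser-like traffic that must not be flagged.
SAMPLE_LOG = (
    make_lines("10.0.0.5", "203.0.113.10", [0, 30, 61, 90, 120, 151, 180, 209, 240, 270, 301, 330])
    + make_lines("10.0.0.7", "203.0.113.20", [0, 30, 50, 60, 90, 100, 120, 150, 180, 200, 210, 240, 250, 270, 300])
    + make_lines("10.0.0.9", "198.51.100.5", [0, 4, 5, 7, 40, 43, 120, 121, 125, 400, 401, 900])
)

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):\d+ action=\S+$")


def find_beacons(lines, min_events=8, min_coverage=0.8, top_buckets=3):
    """Return {(src, dst): summary} for pairs whose connection timing looks machine-periodic.

    A pair is reported when it has at least `min_events` connections and at least
    `min_coverage` of its inter-connection gaps (rounded to whole seconds) fall in the
    `top_buckets` most common gap values. Thresholds are assumptions for this example.
    """
    by_pair = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        by_pair[(m["src"], m["dst"])].append(datetime.fromisoformat(m["ts"]))

    results = {}
    for pair, stamps in by_pair.items():
        stamps.sort()  # logs are not guaranteed to arrive in order
        if len(stamps) < min_events:
            continue
        gaps = [round((later - earlier).total_seconds()) for earlier, later in zip(stamps, stamps[1:])]
        counts = Counter(gaps)
        covered = sum(n for _, n in counts.most_common(top_buckets))
        coverage = covered / len(gaps)
        if coverage >= min_coverage:
            results[pair] = {
                "events": len(stamps),
                "coverage": round(coverage, 2),
                "dominant_gaps": [g for g, _ in counts.most_common(top_buckets)],
            }
    return results


if __name__ == "__main__":
    for (src, dst), summary in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {summary}")
```

This is a triage heuristic, not a signature: legitimate software updaters and monitoring agents also beacon on fixed timers, so hits need to be joined with what process on the host opened the connection (here, a PowerShell script launched by a scheduled task would be the telling combination). The gap-bucket approach is chosen over a plain standard deviation precisely because a client running more than one timer, as described above, produces a multi-modal gap distribution that a single variance figure would misread as noise.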

Artificial intelligence begins to change malware development

The case of Slopoly reflects a growing trend in the cybercrime ecosystem: the use of artificial intelligence to accelerate the development of offensive tools. Although the analyzed malware does not present particularly sophisticated techniques, its creation process suggests that AI could be drastically reducing the time needed to produce new variants.

This means that criminal groups could generate malicious software on a large scale, quickly adapting it to evade detection systems and attack different infrastructures.