AI-Generated Slopoly Malware: Hive0163 Maintains 7-Day Dwell in Live Ransomware Attacks

Slopoly is a PowerShell C2 client that handles persistent access for Hive0163 after the initial compromise phase establishes a foothold. The backdoor deploys to C:\\ProgramData\\Microsoft\\Windows\\Runtime\\ and installs persistence through a Windows scheduled task named "Runtime Broker," chosen to blend with the legitimate Windows process of the same name, which runs from System32.

Once active, Slopoly runs two concurrent loops. A heartbeat loop transmits system telemetry to the attacker-controlled C2 server every 30 seconds, maintaining an active session indicator. A command polling loop requests operator instructions from the same server every 50 seconds and executes received commands via cmd.exe, relaying results back. The framework operates as the client side of a larger C2 platform that Hive0163 controls separately.

IBM X-Force researcher Golo Mühr identified four LLM authorship markers. First, every code block contains extensive inline comments describing its purpose in natural language, consistent with LLMs that narrate their output. Second, error handling is comprehensive and structurally uniform throughout the script, unlike human-written code where error handling is often selective. Third, all variables are accurately named to describe their contents. Fourth, the script self-describes in its own header as a "Polymorphic C2 Persistence Client" even though it cannot modify its own code during execution — the LLM named it after its intended design goal rather than what it actually produced.

IBM also identified two related AI-generated families in the same reporting period: **VoidLink** and **PromptSpy**, suggesting LLM-assisted malware development is spreading across multiple threat actor groups beyond Hive0163.

**Hive0163** is a financially motivated ransomware group tracked by IBM X-Force, responsible for deploying **Interlock ransomware**, a double-extortion platform targeting Windows and Linux systems across healthcare, technology, manufacturing, and financial services. The group operates a five-stage attack chain with Slopoly inserted as a persistent access layer before ransomware detonation.

**Stage 1 — ClickFix Initial Access:** Hive0163 delivers initial access via ClickFix, a social engineering technique where a malicious webpage displays a fake CAPTCHA or system alert instructing the user to paste a PowerShell command into their terminal. The group amplifies ClickFix reach through two initial access brokers: TA569, known as SocGholish, which embeds lures in compromised news sites; and TAG-124, known as KongTuke or LandUpdate808, which delivers fake browser update overlays. For additional context on how ClickFix operates at enterprise scale, see the [Booking.com Storm-1865 ClickFix campaign breakdown](/blog/booking-com-storm-1865-clickfix-reservation-breach).

**Stage 2 — NodeSnake Loader:** The ClickFix command drops **NodeSnake**, a first-stage loader that downloads and executes shell commands and establishes initial persistence on the compromised host.

**Stage 3 — InterlockRAT Framework:** NodeSnake retrieves **InterlockRAT**, a multi-platform remote access framework written in PowerShell, PHP, C/C++, Java, and JavaScript providing SOCKS5 proxying, reverse shell spawning, and secondary payload delivery on both Windows and Linux.

**Stage 4 — Slopoly Persistent Access:** With elevated access established, Hive0163 deploys Slopoly for long-duration covert persistence. The AI-generated backdoor maintained undetected access for over 7 days while operators conducted reconnaissance and staged exfiltration tools.

**Stage 5 — Exfiltration and Ransomware:** AzCopy transfers victim data to attacker-controlled Azure storage. Advanced IP Scanner maps encryption targets. Interlock ransomware encrypts files and appends the .interlock extension. Victims face dual pressure: pay to decrypt, or pay to suppress the data leak.

Attributing malware to LLM authorship is a new discipline in threat intelligence. IBM X-Force's Slopoly analysis established four structural markers that security teams can apply when reviewing suspicious scripts recovered during incident response.

The most reliable marker is inline commenting density. Human developers write inline comments selectively, typically for complex logic or regulatory requirements. LLMs narrate everything. Slopoly contains comments on every function block, including trivial ones, in a consistent natural-language style that mirrors how LLM-generated code explainers read.

The second marker is uniform error handling. Human code tends to have inconsistent error handling: thorough where the developer anticipated problems, absent where they did not. Slopoly has comprehensive try-catch blocks throughout, structured identically, because the LLM applied error handling as a pattern rather than a judgment call.

The third marker is variable naming precision. LLMs produce accurately named variables because they generate names to reflect each variable's purpose clearly. Human developers often abbreviate, use legacy conventions, or introduce naming inconsistencies across a codebase. Slopoly's variables read like documentation.

The fourth marker is the self-description mismatch. Slopoly names itself a "Polymorphic C2 Persistence Client" in its own header. It is not polymorphic. IBM concludes the LLM named it based on design intent expressed in the prompt, not on the code it actually produced. This gap between stated capability and actual behavior appears in other AI-generated families including VoidLink and PromptSpy, tracked by IBM in the same period.

These four markers are now applicable to any suspicious PowerShell or scripting-language artifact recovered during incident response, not just Slopoly.

The Slopoly discovery matters for one specific reason: the malware is basic, and it worked anyway.

Hive0163 did not need a skilled developer to produce a custom C2 backdoor. They needed an LLM prompt and the willingness to bypass safety guardrails. The resulting script is technically basic. It lacks genuine polymorphism despite naming itself a "Polymorphic C2 Persistence Client." A competent analyst can identify it as AI-generated in minutes. It stayed hidden for over 7 days in a real enterprise environment regardless. The threat is not the malware's quality. The threat is the time compression and skill democratization that LLMs deliver to attackers with limited coding capability.

IBM's 2026 X-Force Threat Index quantified this trajectory: AI-driven attacks rose 89% year-over-year. The index notes that AI primarily eliminates the skill gap rather than raising the sophistication ceiling. Groups that previously could not build custom tooling can now iterate on C2 frameworks, loaders, and credential stealers within hours.

Slopoly connects to a wider documented pattern. APT28 deployed **PROMPTSTEAL**, a data-mining tool that queries the Hugging Face API in live operations to generate reconnaissance commands against Ukrainian targets. Financially motivated groups are adopting AI-generated loaders alongside established crimeware. For additional context on AI-assisted malware used by state-sponsored actors, see the [HonestCue AI malware and Gemini APT campaign analysis](/blog/honestcue-ai-malware-gemini-apt-live-operations).

The practical implication: your organization's threat model can no longer treat custom malware development as a signal of an advanced, well-resourced threat actor. Slopoly shows that a financially motivated group of limited capability can produce targeted, functional tooling on demand.

The Hive0163 Slopoly campaign maps to six documented MITRE ATT&CK Enterprise techniques. Security teams should build detection rules around these IDs in their SIEM and EDR platforms.

**T1566 — Phishing (Initial Access):** ClickFix lures are phishing through social engineering. Users are directed to pages impersonating legitimate services and instructed to run attacker-supplied PowerShell commands. Block ClickFix by enforcing PowerShell script block logging (Event ID 4104) and training users that no legitimate service requires copy-pasting a command from a webpage.

**T1059.001 — PowerShell (Execution):** The ClickFix payload, NodeSnake, and Slopoly all execute as PowerShell scripts. Alert on PowerShell execution originating from browser processes, user-interactive sessions, and scheduled tasks created by non-administrative accounts.

**T1053.005 — Scheduled Task/Job: Scheduled Task (Persistence):** Slopoly installs via schtasks.exe as a task named "Runtime Broker." The legitimate Windows Runtime Broker executes from C:\\Windows\\System32\\RuntimeBroker.exe only. Any scheduled task with this name executing from ProgramData or AppData is a confirmed indicator of compromise.

**T1071.001 — Application Layer Protocol: Web Protocols (C2):** Slopoly communicates over HTTP/S with fixed 30-second and 50-second timing intervals. Detect by profiling endpoints for periodic outbound connections at these exact intervals to non-categorized external hosts.

**T1105 — Ingress Tool Transfer (Payload Staging):** InterlockRAT and subsequent payloads including Slopoly are retrieved via the established C2 channel using the ingress transfer capability built into NodeSnake and InterlockRAT.

**T1048 — Exfiltration Over Alternative Protocol:** Hive0163 uses AzCopy to move victim data to attacker-controlled Azure blob storage before ransomware detonation. Alert on AzCopy.exe execution from standard user or service accounts and on transfers to unfamiliar Azure storage endpoints.

Detecting Slopoly requires behavioral controls rather than signature-based scanning. IBM confirmed the script evaded antivirus for over 7 days in the observed incident. The kill chain is catchable at multiple stages if the following detections are in place.

For the broader AI-generated malware threat, apply IBM's four LLM authorship markers when reviewing suspicious scripts during incident response: dense inline commenting, uniform error handling, accurate variable naming, and a mismatch between the script's stated purpose and its actual capability.

AI-generated malware Slopoly confirms that Hive0163 weaponized a large language model to build a functional ransomware C2 framework with no specialized development skill required. The script maintained covert access for over 7 days before Interlock ransomware deployed and AzCopy exfiltrated the victim's data. IBM's 2026 X-Force Threat Index documents an 89% year-over-year rise in AI-driven attacks, and Slopoly is the clearest proof point yet of what that escalation looks like in a live operation. Hunt your scheduled tasks for 'Runtime Broker' executing from ProgramData right now. Run CISA AA25-203A IOCs through your SIEM before end of day today.