

Ethical Hacking News

Hive0163's AI-Generated Malware: A New Era of Persistent Threats


IBM X-Force researcher Golo Mühr has disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly, which is being used by the financially motivated threat actor known as Hive0163. This new breed of malware marks a significant shift in the way threats are developed and deployed.

  • Slopoly is a new breed of AI-generated malware used by Hive0163, a financially motivated threat actor.
  • The malware functions as a full-fledged backdoor that can send beacon heartbeat messages to a command-and-control server every 30 seconds.
  • The emergence of Slopoly highlights the growing threat posed by AI-generated malware, which disproportionately enables threat actors by reducing development and execution time.
  • Slopoly is one of several AI-assisted malware tools, including VoidLink and PromptSpy.
  • Hive0163's operations are driven by extortion through large-scale data exfiltration and ransomware.
  • The Slopoly script may be easier to detect and remove compared to more sophisticated polymorphic malware due to its lack of advanced techniques.
  • Cybersecurity professionals must be vigilant in monitoring for emerging threats and staying up-to-date on the latest developments in the world of cyber threats.



IBM X-Force researcher Golo Mühr has shed light on a new breed of malware, dubbed Slopoly, which is being used by the financially motivated threat actor known as Hive0163. The appearance of AI-generated tools like Slopoly marks a significant shift in the way malware is developed and deployed.

According to Mühr's report, Slopoly was discovered as part of an investigation into Hive0163's operations, which have been linked to various forms of ransomware attacks. The malware is believed to have been created using an artificial intelligence (AI) large language model (LLM): the code contains extensive comments, logging, error handling, and accurately named variables, traits that are unusual in hand-written malware.

The Slopoly script functions as a full-fledged backdoor. It sends beacon heartbeat messages to a command-and-control (C2) server every 30 seconds, polls for new commands every 50 seconds, executes them via "cmd.exe," and relays the results back to the server. The exact nature of the commands run on the compromised network is currently unknown.

This development highlights the growing threat posed by AI-generated malware. According to IBM X-Force, AI-generated malware does not pose a new or sophisticated threat from a technical standpoint. However, it disproportionately enables threat actors by reducing the time an operator needs to develop and execute an attack.

Slopoly adds to a growing list of AI-assisted malware, which also includes VoidLink and PromptSpy. These tools demonstrate how bad actors are using the technology to accelerate malware development and scale their operations.

Hive0163's operations are driven by extortion through large-scale data exfiltration and ransomware. The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware. In one observed ransomware attack, the threat actor deployed Slopoly during the post-exploitation phase to maintain persistent access to the compromised server for more than a week.

That attack leveraged the ClickFix social engineering tactic to trick a victim into running a PowerShell command, which then downloaded NodeSnake, a known malware attributed to Hive0163. The first-stage component, NodeSnake, is designed to run shell commands, establish persistence, and retrieve and launch a wider malware framework referred to as Interlock RAT.

Hive0163 has a track record of employing ClickFix and malvertising for initial access. Another method the threat actor uses to establish a foothold is relying on initial access brokers such as TA569 (aka SocGholish) and TAG-124 (aka KongTuke and LandUpdate808). The Interlock RAT framework has multiple implementations in PowerShell, PHP, C/C++, Java, and JavaScript to support both Windows and Linux.

The emergence of Slopoly illustrates the evolving nature of cyber threats. As threat actors continue to develop new tools and techniques, cybersecurity professionals must adapt to stay ahead of the curve. Hive0163's use of AI-generated malware is a significant development, with implications for individuals and organizations worldwide.

The Slopoly script is also notable for its lack of advanced techniques, which may make it easier to detect and remove compared to more sophisticated polymorphic malware. However, the builder may generate new clients with different randomized configuration values and function names, which is standard practice among malware builders, so detection that depends on fixed strings alone may not hold across samples.

The incident serves as a reminder that cybersecurity professionals must be vigilant in monitoring for emerging threats and staying up-to-date on the latest developments. As the threat landscape continues to evolve, it is essential to remain proactive and adapt to the new technologies and tactics used by threat actors.
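Because the builder can randomize function names and configuration values, a behavioral signal such as the fixed 30-second heartbeat and 50-second command-poll cadence described above is a more durable detection hook than string matching. The following is an added example, not code from the article or from IBM X-Force: it flags flows in proxy-style logs whose inter-request gaps are nearly constant, using constructed log lines in which heartbeat and poll requests are assumed to hit distinct paths on placeholder hosts.

```python
"""Cadence-based beacon detection over constructed proxy log lines.

Line format (constructed for this example):
    <ISO-8601 timestamp> <src_ip> <dst_host> <method> <path>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _lines(src, dst, method, path, offsets):
    """Build constructed log lines at the given second offsets from a fixed base time."""
    base = datetime(2026, 3, 12, 9, 0, 0)  # constructed base timestamp
    return [f"{(base + timedelta(seconds=o)).isoformat()} {src} {dst} {method} {path}"
            for o in offsets]


# Constructed sample: one host sends a heartbeat every 30 s and polls for commands
# every 50 s (with a second of jitter); another host browses at irregular times.
# Hosts and paths are placeholders, not indicators from the article.
SAMPLE_LOG = "\n".join(
    _lines("10.0.0.5", "c2.example.test", "POST", "/hb", [0, 30, 60, 90, 120, 150])
    + _lines("10.0.0.5", "c2.example.test", "GET", "/cmd", [0, 50, 101, 150, 200])
    + _lines("10.0.0.7", "www.example.test", "GET", "/", [0, 7, 61, 64, 200, 203])
)


def find_beacons(log_text, min_events=5, max_cv=0.1):
    """Return {(src, dst, path): period_seconds} for flows whose inter-request
    gaps are nearly constant (coefficient of variation <= max_cv), i.e. that
    look timer-driven rather than user-driven."""
    times = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, _method, path = line.split()
        times[(src, dst, path)].append(datetime.fromisoformat(ts))
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        # A fixed sleep timer yields a near-zero spread around its mean gap.
        if pstdev(gaps) / mu <= max_cv:
            hits[key] = round(mu, 1)
    return hits


if __name__ == "__main__":
    for (src, dst, path), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}{path}: steady cadence of {period}s")
```

On real logs, raise `min_events` and tune `max_cv` to the jitter you observe, and treat a hit as a lead for triage rather than a verdict, since legitimate software also polls on timers.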



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hive0163s-AI-Generated-Malware-A-New-Era-of-Persistent-Threats-ehn.shtml

  • Published: Thu Mar 12 15:28:28 2026 by llama3.2 3B Q4_K_M
