**AI-Powered Ransomware: How Hive0163's Slopoly Malware is Redefining Cyber Threats**
The world of cybersecurity is facing a new wave of threats, and this time it's not just about human hackers. AI-assisted malware such as Slopoly is being used by financially motivated groups like Hive0163 to maintain persistent access and deploy ransomware. In this article, we'll dive into the details of how AI is being used to create sophisticated malware and what this means for defenders.
**The Rise of AI-Assisted Malware**
Hive0163, a threat actor specializing in post-compromise activity, has been using AI-assisted malware called Slopoly to maintain persistent access during ransomware attacks. IBM X-Force researchers have observed that the group is using multiple custom backdoors for long-term access, data exfiltration, and ransomware deployments. Slopoly, likely generated with a Large Language Model (LLM), acts as a Command and Control (C2) client that collects system data, sends heartbeat beacons to a remote server, executes commands via cmd.exe, and maintains persistence through a scheduled task.
**The AI-Generated Malware: Slopoly**
Slopoly's structure and behavior strongly suggest AI-assisted development, highlighting how attackers can rapidly build operational malware. The use of AI in malware creation is not limited to Slopoly; researchers have observed that Hive0163 is also using other AI-generated malware, such as NodeSnake and InterlockRAT.
**The Ransomware Payload: Windows Interlock**
The Windows Interlock ransomware is a 64-bit PE file deployed by the JunkFiction loader, typically into temporary folders. It supports arguments to encrypt directories (-d) or files (-f), delete itself (-del), run as a scheduled task (-s), release locked files (-r), or store session keys externally (-u). Interlock skips system directories and critical file types, encrypts each file with AES-GCM under a session key that is in turn protected with RSA, and leaves a ransom note (FIRST_READ_ME.txt).
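As an added example (not tooling from the X-Force report or from Security Affairs), the following triage routine scores process-creation events against the Interlock traits listed above: a binary run from a temp folder with those switches, the self-deletion switch, and the ransom note name. The event schema, the temp-folder markers, and the sample events are assumptions constructed for this example.

```python
"""Detection triage for the Windows Interlock behaviour described above.
Added example, not IBM X-Force or Security Affairs code.  The event schema
and the sample events are constructed for this example."""
from pathlib import PureWindowsPath

# Command-line switches the article attributes to Interlock.
INTERLOCK_SWITCHES = {"-d", "-f", "-del", "-s", "-r", "-u"}
RANSOM_NOTE = "first_read_me.txt"          # note name from the article
# Assumption: "temporary folders" means the usual Windows temp locations.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

def in_temp_dir(image: str) -> bool:
    """True when the executable image lives under a temp folder."""
    return any(m in image.lower() for m in TEMP_MARKERS)

def interlock_switches(cmdline: str) -> set:
    """Interlock-style switches present in a command line (argv[0] skipped)."""
    tokens = cmdline.split()[1:]
    return {t.lower() for t in tokens} & INTERLOCK_SWITCHES

def score_event(event: dict) -> list:
    """Reasons an event resembles Interlock; an empty list means no match.
    A lone -d/-f is too common to alert on, so switches only count when the
    image also runs from a temp folder."""
    reasons = []
    switches = interlock_switches(event.get("cmdline", ""))
    if switches and in_temp_dir(event.get("image", "")):
        reasons.append("temp-folder binary with Interlock switches "
                       + ",".join(sorted(switches)))
    if "-del" in switches:
        reasons.append("self-deletion switch")
    created = event.get("created_file") or ""
    if PureWindowsPath(created).name.lower() == RANSOM_NOTE:
        reasons.append("ransom note written")
    return reasons

def triage(events: list) -> list:
    """Return (index, reasons) for every event with at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := score_event(e))]

# Constructed sample telemetry, not captured from a real intrusion.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "cmdline": r'svc.exe -d "C:\Shares\Finance" -u -del',
     "created_file": r"C:\Shares\Finance\FIRST_READ_ME.txt"},
    {"image": r"C:\Program Files\Tool\tool.exe", "cmdline": "tool.exe -d C:\\data"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(idx, "; ".join(reasons))
```

Only the first sample event fires, on all three traits; the legitimate tool that happens to take a `-d` switch does not, because it is not running from a temp folder.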
**The Attack Chain**
Researchers from IBM X-Force observed an intrusion starting with a ClickFix attack that tricked a victim into executing a malicious PowerShell command. The script deployed NodeSnake, part of a larger C2 framework used by Hive0163. NodeSnake downloaded additional payloads, including the more advanced InterlockRAT, which enables reverse shells, SOCKS5 tunneling, and remote command execution. The attackers later deployed Slopoly and tools such as AzCopy and Advanced IP Scanner to expand access and move laterally within the network.
**The Future of AI-Powered Threats**
Advances in LLMs are lowering the cost of creating software, malware included. AI acts as a force multiplier, enabling ephemeral, hard-to-attribute malware. Future threats include agentic AI and AI-integrated malware, raising the risk to defenders as access to weaponized AI grows. "Looking into the future, AI-generated malware is only the first stage in a new arms race between defenders and attackers," concludes the report. "The second stage is the use of agentic AI, and AI-integrated malware, which allow models to make decisions during all phases of the attack chain or during development and testing of advanced C2 frameworks."
**Conclusion**
The rise of AI-assisted malware, like Slopoly, is a wake-up call for defenders. The use of AI in malware creation is becoming more prevalent, and it's not just about generating code. AI is being used to make decisions during the attack chain, making it harder to attribute and defend against. As access to weaponized AI grows, the future of cybersecurity threats looks bleaker than ever. It's time for defenders to rethink their security paradigms and prepare for the next wave of threats.