Cybersecurity researchers have identified a new malware strain known as “Slopoly,” believed to have been generated using artificial intelligence tools and deployed in a ransomware attack that allowed attackers to remain inside a compromised system for more than a week while exfiltrating sensitive data.
AI-Generated Malware ‘Slopoly’ Detected in Ransomware Attack, Researchers Say
Cybersecurity researchers have identified a previously unknown malware strain, dubbed Slopoly, that appears to have been generated with the assistance of artificial intelligence tools and deployed during a ransomware attack linked to a financially motivated cybercriminal group.
The malware was discovered by researchers from IBM X-Force during their analysis of a ransomware incident involving the Interlock ransomware operation. According to the researchers, the malicious software allowed attackers to maintain persistent access to a compromised server for more than a week while collecting data from the targeted system.
Although investigators found strong indicators that artificial intelligence tools were used in its development, they said they could not determine which specific large language model might have been involved in generating the code.
Attack Began With ClickFix Social Engineering Technique
According to the IBM report, the breach initially began with a social engineering technique known as ClickFix. After gaining initial access through this method, attackers deployed multiple malicious components as part of a broader ransomware campaign.
During the later stages of the intrusion, the attackers installed the Slopoly backdoor, implemented as a PowerShell script designed to operate as a client for a command-and-control framework. The script enabled attackers to communicate with remote infrastructure that issued commands and coordinated activity within the compromised environment.
Researchers attributed the broader operation to a financially motivated threat group known as Hive0163, whose activities have primarily focused on extortion through ransomware attacks combined with large-scale data exfiltration.

Signs of AI-Assisted Malware Development
Investigators examining the Slopoly code identified several characteristics that suggested it may have been generated using generative artificial intelligence tools. According to the researchers, the script contained unusually extensive commentary, well-structured logging functions, detailed error handling mechanisms and clearly labeled variables—features that are less common in malware developed manually by attackers.
Such elements led researchers to conclude that a large language model may have been used during the malware’s development process. However, analysts emphasized that the code itself remained relatively unsophisticated despite these indicators.
Although comments within the code described Slopoly as a “Polymorphic C2 Persistence Client,” the IBM X-Force analysis found no evidence that the malware could modify its own code during execution, which would normally be required for true polymorphic behavior.
Instead, the researchers suggested that the malware may have been generated through a builder framework capable of producing multiple variants with different configuration values, such as beacon intervals, command-and-control server addresses and session identifiers.
Malware Maintained Persistence and Communicated With Command Servers
The Slopoly malware was deployed within the directory path C:\ProgramData\Microsoft\Windows\Runtime, where it established persistence through a scheduled task named “Runtime Broker.”
Once active, the malware performed a number of operational tasks designed to maintain communication with its command-and-control infrastructure. Among its primary functions were collecting system information, sending periodic heartbeat signals to a remote endpoint, polling the command server for instructions, executing received commands through the Windows command interpreter and transmitting command output back to the attackers.
Researchers said the malware also maintained a rotating log file and could download and execute additional payloads in various formats, including executable files, dynamic-link libraries and JavaScript scripts. The command framework allowed attackers to perform a range of activities such as running shell commands, adjusting beacon intervals, updating the malware itself or terminating the process if necessary.
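The persistence and execution pattern described above (a scheduled task named "Runtime Broker" launching a PowerShell script from C:\ProgramData\Microsoft\Windows\Runtime) lends itself to a simple hunt over Windows Security logs. The script below is an added defender-side illustration, not code from the IBM X-Force report or from the article; it assumes task-creation events (4698) and process-creation events (4688) have already been exported as dictionaries, and the script file name client.ps1 and all sample events are constructed for the example.

```python
"""
Hunt for the Slopoly persistence indicators reported in the article:
a scheduled task called "Runtime Broker" and PowerShell running out of
C:\ProgramData\Microsoft\Windows\Runtime. Example code, not from the report.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the article, lower-cased for case-insensitive matching.
TASK_NAME = "runtime broker"
STAGING_DIR = r"c:\programdata\microsoft\windows\runtime"


@dataclass
class Finding:
    event_id: int
    reason: str
    detail: str


def _norm(value: str) -> str:
    """Lower-case and strip surrounding quotes/whitespace so paths compare reliably."""
    return value.strip().strip('"').lower()


def exec_actions(task_xml: str) -> list:
    """Return (command, arguments) pairs from the <Exec> actions of a Task Scheduler
    XML document. Tags are matched by local name so the schema namespace is irrelevant."""
    root = ET.fromstring(task_xml)
    pairs = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "Exec":
            cmd = args = ""
            for child in elem:
                local = child.tag.rsplit("}", 1)[-1]
                if local == "Command":
                    cmd = child.text or ""
                elif local == "Arguments":
                    args = child.text or ""
            pairs.append((_norm(cmd), _norm(args)))
    return pairs


def check_task_creation(event: dict) -> Optional[Finding]:
    """Event 4698 ('A scheduled task was created') carries TaskName and the task XML."""
    reasons = []
    name = _norm(event.get("TaskName", "")).lstrip("\\")
    if name == TASK_NAME:
        # The legitimate Windows process is RuntimeBroker.exe; a task with this display
        # name is the masquerade the article describes.
        reasons.append("task name mimics the legitimate RuntimeBroker.exe process")
    actions = exec_actions(event.get("TaskContent", "<Task/>"))
    if any(STAGING_DIR in cmd or STAGING_DIR in args for cmd, args in actions):
        reasons.append("task action runs from the Slopoly staging directory")
    if not reasons:
        return None
    return Finding(4698, "; ".join(reasons), name)


def check_process_creation(event: dict) -> Optional[Finding]:
    """Event 4688 ('A new process has been created'). CommandLine is only present when
    command-line auditing is enabled, so the check degrades to no finding without it."""
    image = _norm(event.get("NewProcessName", ""))
    cmdline = _norm(event.get("CommandLine", ""))
    if image.endswith("powershell.exe") and STAGING_DIR in cmdline:
        return Finding(4688, "PowerShell executing a script from the Slopoly staging directory", cmdline)
    return None


def hunt(events) -> list:
    """Run every event through the matching check and collect the findings in order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        f = check_task_creation(ev) if eid == 4698 else check_process_creation(ev) if eid == 4688 else None
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample events: one Slopoly-style task, one benign task, one suspicious
# PowerShell launch and one benign PowerShell launch. The script name is hypothetical.
SLOPOLY_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-File C:\ProgramData\Microsoft\Windows\Runtime\client.ps1</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>%windir%\system32\defrag.exe</Command>
    <Arguments>-c -h -o -$</Arguments>
  </Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Runtime Broker", "TaskContent": SLOPOLY_TASK_XML},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "TaskContent": BENIGN_TASK_XML},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -File "C:\ProgramData\Microsoft\Windows\Runtime\client.ps1"'},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Service"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.event_id}] {finding.reason}: {finding.detail}")
```

The task XML is parsed rather than string-searched so the check also fires when the staging directory appears only in the Arguments element, which is where a PowerShell script path normally lands; matching on the task name alone would miss a variant produced by the builder framework the researchers describe with a different name but the same directory.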
Interlock Ransomware and Broader Attack Infrastructure
The Slopoly backdoor formed only one component of a broader attack chain associated with the Interlock ransomware operation. Researchers said the attackers also deployed additional malware tools, including NodeSnake and InterlockRAT backdoors, as part of the compromise. Interlock ransomware first appeared in 2024 and was among the early groups to adopt the ClickFix social engineering technique, later expanding its operations to incorporate the FileFix variant.
The ransomware payload observed in the IBM investigation was delivered as a 64-bit Windows executable through the JunkFiction loader. Once executed, the malware could run as a scheduled task with SYSTEM-level privileges. It also used the Windows Restart Manager API to release locked files before encrypting them, appending file extensions such as “.!NT3RLOCK” or “.int3Rlock” to the encrypted copies.
Researchers said the threat group linked to the attack has previously claimed responsibility for cyberattacks targeting several high-profile organizations, including the Texas Tech University System, the healthcare provider DaVita, Kettering Health, and the city of Saint Paul, Minnesota.
Investigators also noted potential links between the Hive0163 group and developers associated with other malware and ransomware projects, including Broomstick, SocksShell, PortStarter, SystemBC and the Rhysida ransomware operation. The findings highlight the growing role of artificial intelligence tools in accelerating the creation of custom malware components used in modern ransomware campaigns.
