AI-Powered Slopoly Malware Enables Hive0163's Advanced Ransomware Strategy

  • Mar 13
  • 2 min read

Key Findings


  • Hive0163 uses AI-assisted Slopoly malware for persistent access in ransomware attacks

  • PowerShell backdoor likely generated using a large language model (LLM)

  • Malware maintains C2 access, collects system data, and executes remote commands

  • Part of a broader attack framework involving NodeSnake and Interlock RAT

  • Initial access achieved through social engineering and malvertising


Background


Hive0163 is a financially motivated threat actor specializing in post-compromise activity. The group has been observed using multiple custom backdoors for long-term network access, data exfiltration, and ransomware deployments. Their toolkit includes various malware components such as NodeSnake, Interlock RAT, and now the AI-generated Slopoly.


Slopoly Malware Characteristics


The PowerShell-based Slopoly malware demonstrates clear signs of AI-assisted development. Key features include:


  • Extensive, well-structured comments

  • Accurate variable naming

  • Robust error handling

  • Periodic system information beaconing

  • Remote command execution capabilities

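The periodic beaconing listed above is also the trait a defender can measure from the network side: a backdoor that phones home on a fixed schedule leaves inter-request intervals with very little jitter. The script below is an added example written for this post, not code from the article or from any Hive0163 tooling; the proxy log lines, the host names, the 5-minute interval and the thresholds (`min_hits`, `max_cv`) are all constructed or assumed for illustration and are not Slopoly's actual values.

```python
"""Flag source/destination pairs whose request timing is regular enough to look like C2 beaconing.
Added example for the Slopoly post; log lines and thresholds are constructed, not observed IoCs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: <ISO timestamp> <source host> <destination> <bytes sent>.
# One destination (203.0.113.10, a documentation-range address) is contacted every ~5 minutes;
# the others are ordinary browsing noise.
SAMPLE_LOG = """\
2026-03-10T09:00:02Z ws-17 203.0.113.10 412
2026-03-10T09:00:05Z ws-17 cdn.example.net 88213
2026-03-10T09:05:01Z ws-17 203.0.113.10 418
2026-03-10T09:07:44Z ws-17 news.example.org 5120
2026-03-10T09:10:03Z ws-17 203.0.113.10 409
2026-03-10T09:15:02Z ws-17 203.0.113.10 415
2026-03-10T09:20:04Z ws-17 203.0.113.10 411
2026-03-10T09:25:02Z ws-17 203.0.113.10 420
2026-03-10T09:31:10Z ws-17 news.example.org 7780
2026-03-10T10:02:59Z ws-17 news.example.org 6600
"""


def parse_line(line):
    """Split one log line into (timestamp, source, destination, bytes)."""
    ts, src, dst, size = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(size)


def analyse(log_text, min_hits=5, max_cv=0.2):
    """Return {(src, dst): stats} for pairs with at least `min_hits` requests whose
    inter-request intervals have a coefficient of variation (stdev / mean) <= `max_cv`.
    Thresholds are assumed tuning values, not figures from the article."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _ = parse_line(line)
        times[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few contacts to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            flagged[pair] = {
                "hits": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            }
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in analyse(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {stats['hits']} hits, "
              f"every {stats['mean_interval_s']}s (cv={stats['cv']})")
```

Run against real proxy or firewall exports, the same grouping works per (source, destination) pair; raise `min_hits` on busy networks to cut noise, and remember that a backdoor adding random sleep jitter will push the coefficient of variation up, so treat the threshold as a tunable rather than a fixed rule.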

Attack Methodology


Hive0163 typically initiates attacks through:


  • ClickFix social engineering tactics

  • Malvertising

  • Collaboration with initial access brokers like TA569 and TAG-124


The attack sequence usually involves:


1. Tricking a victim into executing a malicious PowerShell command


2. Deploying NodeSnake as an initial access tool


3. Establishing persistent access using Slopoly


4. Lateral movement and potential ransomware deployment


Technological Implications


The emergence of Slopoly highlights a growing trend of AI-assisted malware development. Key observations include:


  • Reduced development time for threat actors

  • Potential for rapidly creating customized malware

  • Increased challenges for cybersecurity defenders

  • Early indicators of AI's potential in threat creation


Future Outlook


Experts predict continued evolution of AI-generated malware, with potential advancements including:


  • Agentic AI capabilities

  • More sophisticated self-modifying code

  • Improved evasion and persistence techniques


The Slopoly case represents an early example of how AI can be leveraged to accelerate and enhance malware development, signaling a significant shift in the cybersecurity landscape.


Sources


  • https://securityaffairs.com/189378/malware/ai-assisted-slopoly-malware-powers-hive0163s-ransomware-campaigns.html

  • https://thehackernews.com/2026/03/hive0163-uses-ai-assisted-slopoly.html

© 2025 by Explain IT Again.