AI-Generated Malware 'Slopoly' Uncovered in Hive0163 Attack
In short: IBM found a new malware strain, apparently generated with AI, while investigating a ransomware attack.
IBM X-Force has uncovered 'Slopoly,' an AI-generated malware used by Hive0163 in a ransomware attack. This new threat lowers the barrier for cybercriminals, making sophisticated attacks easier. Organizations must adapt their defenses to combat this evolving risk.
What Happened
In early 2026, IBM X-Force made a groundbreaking discovery: a malware strain named Slopoly, likely generated by artificial intelligence. This malware was deployed by the financially motivated threat group Hive0163 during a ransomware attack. Hive0163 is notorious for large-scale data theft and has been linked to several high-profile attacks. Their arsenal includes various custom-built tools, allowing them to persistently infiltrate targeted networks.
The emergence of Slopoly signifies a notable evolution in cybercriminal tactics. With AI, attackers can create effective malware more quickly and at a lower cost. This shift highlights the increasing accessibility of sophisticated cyber tools, making it easier for less experienced criminals to engage in cybercrime.
Who's Being Targeted
Hive0163 primarily targets large organizations, leveraging advanced techniques to gain initial access. The group employs ClickFix attacks—a social engineering tactic that tricks users into executing malicious scripts. Once inside, they deploy a series of tools to maintain control over the compromised systems.
The use of Slopoly represents a new layer in their attack strategy. It acts as a client component in a custom command-and-control (C2) framework, allowing Hive0163 to maintain access to infected servers for extended periods. This capability underscores the group's intent to maximize their reach and impact.
Signs of Infection
Detecting Slopoly can be challenging because its AI-generated code does not resemble the hand-written tooling that existing signatures were built for. The malware was found in a live ransomware engagement, placed in a directory that mimics legitimate Windows files. Its structure shows signs of AI generation, such as clear variable names and consistent error handling. Its own description calls it a "Polymorphic C2 Persistence Client", but that label is inaccurate: the sample cannot modify its own code during execution.
Security teams should be aware of the indicators of compromise associated with Hive0163 and Slopoly. This includes monitoring for unusual activity related to the C2 server, which was previously hosted at plurfestivalgalaxy[.]com. Given the evolving nature of these threats, organizations must adapt their security measures accordingly.
How to Protect Yourself
To defend against Slopoly and similar threats, organizations should implement behavior-based detection methods. Traditional signature-based tools may not effectively identify AI-generated malware. IBM X-Force recommends several proactive measures:
- Disable the Win+R shortcut to prevent ClickFix attacks.
- Monitor the RunMRU registry key for unusual entries.
- Actively search for Hive0163-related indicators of compromise in your environment.
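The two Windows-specific measures above (the Win+R policy and the RunMRU check) can be audited from a single script. The following PowerShell is an added example, not code from IBM X-Force or the article. It assumes the standard per-user registry locations: `HKCU:\...\Explorer\RunMRU`, which Windows populates from the Run dialog, and the `NoRun` value under `HKCU:\...\Policies\Explorer`, which the "Remove Run menu from Start Menu" policy sets and which also blocks Win+R. The list of suspicious tokens is a constructed starting point, not an authoritative signature set.

```powershell
# Added example (not from IBM X-Force or the article): audit the current user's
# Run-dialog history (RunMRU) for entries typical of ClickFix lures and report
# whether the Run dialog (Win+R) is disabled by policy.
# Assumptions: standard per-user registry paths; the token list is constructed.

$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$PolicyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Tokens that rarely appear in a normal user's Run history (constructed list).
$SuspiciousTokens = @(
    'powershell', 'pwsh', 'mshta', 'cmd /c', 'curl ', 'iex',
    'invoke-expression', '-enc', 'frombase64', 'bitsadmin', 'rundll32', 'regsvr32'
)

function Get-RunMruEntries {
    # Windows stores each Run command in a value named a, b, c ... and records
    # the most-recently-used order as a string in MRUList.
    if (-not (Test-Path $RunMruPath)) { return @() }
    $key   = Get-ItemProperty -Path $RunMruPath
    $order = if ($key.MRUList) { $key.MRUList.ToCharArray() } else { @() }
    foreach ($c in $order) {
        $name = [string]$c
        $raw  = $key.$name
        if ($null -eq $raw) { continue }
        # Each entry carries a trailing "\1" marker; strip it for readability.
        $cmd  = $raw -replace '\\1$', ''
        # -match is case-insensitive; escape tokens so they are matched literally.
        $hits = @($SuspiciousTokens | Where-Object { $cmd -match [regex]::Escape($_) })
        [pscustomobject]@{
            Slot       = $name
            Command    = $cmd
            Suspicious = ($hits.Count -gt 0)
            Matched    = ($hits -join ', ')
        }
    }
}

function Test-RunDialogDisabled {
    # The "Remove Run menu from Start Menu" policy sets NoRun=1, which also
    # disables the Win+R shortcut for the affected user.
    $v = Get-ItemProperty -Path $PolicyPath -Name NoRun -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.NoRun -eq 1)
}

$entries = @(Get-RunMruEntries)
$entries | Format-Table Slot, Suspicious, Matched, Command -AutoSize
$flagged = @($entries | Where-Object Suspicious)
Write-Host ("RunMRU entries: {0}, flagged: {1}" -f $entries.Count, $flagged.Count)
Write-Host ("Run dialog (Win+R) disabled by policy: {0}" -f (Test-RunDialogDisabled))
```

The script only inspects the user running it; for a fleet-wide sweep, iterate the loaded hives under `HKU:` or collect the RunMRU values with your endpoint agent, and deploy the `NoRun` policy through Group Policy rather than by editing the registry on each host. A flagged entry is a lead, not a verdict: confirm it against process-creation telemetry for the same time window before escalating.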
As cybercriminals continue to leverage AI for malicious purposes, it’s crucial for organizations to stay informed and adapt their defenses. The emergence of Slopoly is a wake-up call for the cybersecurity community, emphasizing the need for vigilance in the face of rapidly evolving threats.
Cyber Security News