Tuesday , July 14 2026
Hive0163

Hive0163 uses AI generated malware for persistent access

IBM X-Force reports that a money-driven threat group named Hive0163 used a probable AI-made malware called Slopoly in a ransomware attack in early 2026. IBM states that the malware allowed the attackers to maintain access to a hacked server for over a week during the later stage of the attack.

IBM says malware like Slopoly shows how bad actors can use AI to make new malware faster than older methods took.

Meta’s louisiana data center to exceed 250 billion price tag

Meta announced on Monday that its data center in Richland Parish, Louisiana, will grow to 5 gigawatts of computing power....
Read More
Meta’s louisiana data center to exceed 250 billion price tag

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

IBM connects the activities to Hive0163, a group linked to big data theft and ransomware. The company says the group used tools like NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware. In this case, Slopoly showed up later in the attack, which means the operators used it to maintain control after the first breach.

IBM found a PowerShell backdoor that seems to have been made with help from a big language model. There are many comments, detailed logs, good error handling, and neat variable names. The code calls itself a “Polymorphic C2 Persistence Client,” but IBM says the malware does not really act polymorphic and can’t change its own code while it runs.

Instead, Slopoly looks more like a practical backdoor built fast. IBM says it was likely generated through a builder that inserted fixed configuration values such as a session ID, mutex name, C2 URL, and beacon timings. The script reportedly lands in
C:\ProgramData\Microsoft\Windows\Runtime\
and creates persistence through a scheduled task named “Runtime Broker.”

Once active, Slopoly gathers basic system info, sends a signal to its command server every 30 seconds, looks for new commands every 50 seconds, runs those commands using cmd.exe, and sends the results back to the attackers.
cmd.exe
, and sends the results back to the attackers. IBM says it also keeps a local log file named
persistence.log
, which rolls over once it hits 1 MB.

IBM says the attack started with a ClickFix social engineering trick. In this method, people are fooled into copying a bad PowerShell command into the Windows Run box. IBM explains that this step installed NodeSnake, a type of malware based on NodeJS, which then helped bring in a bigger system called the Interlock framework, including Slopoly.

This case matters for two reasons. First, it proves that attackers don’t need fancy AI malware to use generative tools. Second, it aligns with IBM’s alert that AI is helping attackers work faster, even with simple code. IBM’s 2026 X-Force Threat Intelligence Index says companies should get ready for faster, larger, and more automated attacks through common entry points.

What IBM says Slopoly does

Capability IBM’s finding
Malware type PowerShell backdoor and likely client component of a new C2 framework
Suspected developer aid Likely generated with help from a large language model
Persistence Scheduled task named “Runtime Broker”
Install path C:\ProgramData\Microsoft\Windows\Runtime\
Beacon interval Every 30 seconds
Command polling Every 50 seconds
Command execution Viacmd.exe
Local logging persistence.logwith rollover at 1 MB

Key takeaway
Slopoly does not represent a leap in malware sophistication. It represents a drop in the effort required to build and field custom tooling during an attack.

That change could be important. If lesser-skilled hackers can create useful backdoors quicker, defenders might deal with more special malware, faster updates, and tougher tracking even if the code seems normal. IBM states this is just the start of a bigger competition between attackers and defenders using AI.

Check Also

5

TP-Link alerts users to patch router auth bypass vulnerability

TP-Link fixed some security flaws in its Archer NX routers. CVE-2025-15517 is a security flaw …