IBM X-Force reports that a money-driven threat group named Hive0163 used a probable AI-made malware called Slopoly in a ransomware attack in early 2026. IBM states that the malware allowed the attackers to maintain access to a hacked server for over a week during the later stage of the attack.
IBM says malware like Slopoly shows how threat actors can use AI to produce new malware faster than traditional development methods allow.
IBM connects the activities to Hive0163, a group linked to big data theft and ransomware. The company says the group used tools like NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware. In this case, Slopoly showed up later in the attack, which means the operators used it to maintain control after the first breach.

IBM found a PowerShell backdoor that seems to have been written with help from a large language model. There are many comments, detailed logs, good error handling, and neat variable names. The code calls itself a “Polymorphic C2 Persistence Client,” but IBM says the malware does not really act polymorphic and can’t change its own code while it runs.
Instead, Slopoly looks more like a practical backdoor built fast. IBM says it was likely generated through a builder that inserted fixed configuration values such as a session ID, mutex name, C2 URL, and beacon timings. The script reportedly lands in `C:\ProgramData\Microsoft\Windows\Runtime\` and creates persistence through a scheduled task named “Runtime Broker.”
Once active, Slopoly gathers basic system info, sends a signal to its command server every 30 seconds, looks for new commands every 50 seconds, runs those commands using `cmd.exe`, and sends the results back to the attackers. IBM says it also keeps a local log file named `persistence.log`, which rolls over once it hits 1 MB.
IBM says the attack started with a ClickFix social engineering trick. In this method, people are fooled into copying a bad PowerShell command into the Windows Run box. IBM explains that this step installed NodeSnake, a type of malware based on NodeJS, which then helped bring in a bigger system called the Interlock framework, including Slopoly.
This case matters for two reasons. First, it proves that attackers don’t need fancy AI malware to use generative tools. Second, it aligns with IBM’s alert that AI is helping attackers work faster, even with simple code. IBM’s 2026 X-Force Threat Intelligence Index says companies should get ready for faster, larger, and more automated attacks through common entry points.
What IBM says Slopoly does
| Capability | IBM’s finding |
|---|---|
| Malware type | PowerShell backdoor and likely client component of a new C2 framework |
| Suspected developer aid | Likely generated with help from a large language model |
| Persistence | Scheduled task named “Runtime Broker” |
| Install path | C:\ProgramData\Microsoft\Windows\Runtime\ |
| Beacon interval | Every 30 seconds |
| Command polling | Every 50 seconds |
| Command execution | Via `cmd.exe` |
| Local logging | `persistence.log` with rollover at 1 MB |
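As an added illustration (not code from IBM or from the malware), here is a small Python detection sketch run over constructed endpoint telemetry. It flags a scheduled task that carries the reported “Runtime Broker” name or runs anything from the reported drop directory, and flags a process whose outbound connections recur at the reported 30- or 50-second cadence; the sample tasks and connection timestamps are made up for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators the article reports for Slopoly: drop directory, scheduled-task
# name, and the 30-second beacon / 50-second command-poll cadence.
SLOPOLY_DIR = "c:\\programdata\\microsoft\\windows\\runtime\\"
TASK_NAME = "runtime broker"
PERIODS = (30, 50)  # seconds

def suspicious_task(task: dict) -> bool:
    """True if a scheduled task uses the reported name or launches anything
    from the reported directory. The genuine Runtime Broker is a Windows
    process, not a scheduled task, so the name alone deserves a look."""
    return (task["name"].strip().lower() == TASK_NAME
            or SLOPOLY_DIR in task["action"].lower())

def matched_period(timestamps, tolerance=2.0):
    """Return the reported interval (30 or 50 s) that the gaps between one
    process's outbound connections cluster tightly around, else None."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med, spread = statistics.median(gaps), statistics.pstdev(gaps)
    return next((p for p in PERIODS
                 if abs(med - p) <= tolerance and spread <= tolerance), None)

def scan(tasks, connections):
    """Return flagged task names and (process, period) beacon hits."""
    findings = {"tasks": [t["name"] for t in tasks if suspicious_task(t)],
                "beacons": []}
    by_proc = defaultdict(list)
    for c in connections:
        by_proc[c["process"]].append(c["time"])
    for proc, times in by_proc.items():
        period = matched_period(times)
        if period:
            findings["beacons"].append((proc, period))
    return findings

# Constructed sample telemetry (hypothetical, not from the IBM report).
T0 = datetime(2026, 2, 1, 9, 0, 0)
SAMPLE_TASKS = [
    {"name": "Runtime Broker", "action": r"powershell.exe -File C:\ProgramData\Microsoft\Windows\Runtime\client.ps1"},
    {"name": "OneDrive Standalone Update", "action": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
]
SAMPLE_CONNS = (  # powershell beacons every ~30 s with 1 s jitter; chrome is irregular
    [{"process": "powershell.exe", "time": T0 + timedelta(seconds=30 * i + i % 2)} for i in range(8)]
    + [{"process": "chrome.exe", "time": T0 + timedelta(seconds=s)} for s in (0, 3, 41, 42, 90, 200, 201, 260)]
)

if __name__ == "__main__":
    print(scan(SAMPLE_TASKS, SAMPLE_CONNS))
```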
Key takeaway
Slopoly does not represent a leap in malware sophistication. It represents a drop in the effort required to build and field custom tooling during an attack.
That change could be important. If less-skilled attackers can create usable backdoors more quickly, defenders may face more custom malware, faster updates, and harder tracking even when the code looks unremarkable. IBM states this is just the start of a bigger contest between attackers and defenders using AI.
