IBM X‑Force researchers have uncovered a new malware strain dubbed Slopoly, likely created using generative AI tools, that was deployed in an Interlock ransomware attack. The case highlights how adversaries are beginning to leverage AI not for sophistication, but for speed and scalability in malware development.
How Slopoly Was Built
- AI fingerprints: Extensive code commentary, structured logging, error handling, and clearly named variables — all signs of large language model (LLM) assistance.
- Builder logic: Generates new clients with randomized configuration values (beacon intervals, C2 addresses, mutex names, session IDs).
- Misleading label: Comments described it as a “Polymorphic C2 Persistence Client,” but IBM found no polymorphic features — the script cannot modify its own code during execution.
Slopoly’s Functions
Deployed as a PowerShell script in C:\ProgramData\Microsoft\Windows\Runtime\, Slopoly acts as a command‑and‑control client:
- Collects system information.
- Sends heartbeat beacons every 30 seconds.
- Polls /api/commands every 50 seconds.
- Executes commands via cmd.exe and returns output.
- Maintains persistence through a scheduled task named Runtime Broker.
- Supports commands to download and execute EXE/DLL/JS payloads, run shell commands, change beacon intervals, update itself, or exit.
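A fixed-timer poll like the one described above leaves a periodicity signature in proxy logs, and because the builder randomizes each client's interval, matching on "every 50 seconds" is less useful than measuring regularity itself. The following Python detection is an added example, not code from IBM X‑Force or from the malware; the log format and all log lines are constructed, and the 0.1 coefficient-of-variation threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log excerpt (not real telemetry): "<ISO time> <host> <method> <path>".
# WS-042 polls on a fixed 50 s timer; WS-017 hits the same path at irregular, human-like gaps.
SAMPLE_LOG = """\
2025-01-15T10:00:00 WS-042 GET /api/commands
2025-01-15T10:00:50 WS-042 GET /api/commands
2025-01-15T10:01:40 WS-042 GET /api/commands
2025-01-15T10:02:30 WS-042 GET /api/commands
2025-01-15T10:03:20 WS-042 GET /api/commands
2025-01-15T10:00:03 WS-017 GET /api/commands
2025-01-15T10:04:41 WS-017 GET /api/commands
2025-01-15T10:09:02 WS-017 GET /api/commands
2025-01-15T10:17:55 WS-017 GET /api/commands
2025-01-15T10:00:10 WS-099 GET /index.html
"""

def parse_log(text, path):
    """Return {host: [datetime, ...]} of requests to `path`, sorted per host."""
    hits = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != path:
            continue
        hits[parts[1]].append(datetime.fromisoformat(parts[0]))
    return {host: sorted(ts) for host, ts in hits.items()}

def interval_stats(timestamps):
    """Mean gap in seconds and its coefficient of variation (stdev / mean).
    A timer-driven client yields a CV near 0; a person browsing does not."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))

def find_beaconing(text, path="/api/commands", min_hits=4, max_cv=0.1):
    """Hosts whose requests to `path` recur regularly enough to look machine-driven.
    Returns {host: mean_interval_seconds}; max_cv is an assumed tuning threshold."""
    flagged = {}
    for host, ts in parse_log(text, path).items():
        if len(ts) < min_hits:
            continue
        avg, cv = interval_stats(ts)
        if cv <= max_cv:
            flagged[host] = round(avg, 1)
    return flagged

if __name__ == "__main__":
    for host, secs in find_beaconing(SAMPLE_LOG).items():
        print(f"{host}: periodic requests to /api/commands every ~{secs}s")
```

Against real telemetry, run this per (host, destination) pair over a sliding window and expect to raise max_cv slightly if the client adds jitter.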
The Attack Chain
- Initial access: ClickFix social engineering ruse.
- Malware deployment: Slopoly backdoor plus other components like NodeSnake and InterlockRAT.
- Ransomware payload: Delivered via the JunkFiction loader, running as SYSTEM through scheduled tasks.
- Encryption behavior: Uses the Windows Restart Manager API to release locked files, appending the .!NT3RLOCK or .int3R1Ock extension.
Attribution
- Attack linked to Hive0163, a financially motivated group focused on extortion through data exfiltration and ransomware.
- Hive0163 has claimed attacks against high‑profile organizations including Texas Tech University System, DaVita, Kettering Health, and the city of Saint Paul, Minnesota.
- Possible associations with developers behind Broomstick, SocksShell, PortStarter, SystemBC, and Rhysida ransomware.
Why It Matters
- AI acceleration: Even unsophisticated malware can be mass‑produced quickly using generative AI, lowering barriers for threat actors.
- Operational risk: AI‑generated malware may evade detection simply by producing endless variants with randomized configurations.
- Future threat: As AI tools become more accessible, ransomware groups will increasingly use them to scale attacks, not necessarily to innovate.
Final Thought
Slopoly demonstrates a new reality: AI doesn’t need to create advanced malware to be dangerous. By accelerating development and enabling rapid customization, generative AI empowers ransomware operators to iterate faster and deploy more persistent campaigns. For defenders, the lesson is clear: speed of detection and response must match the speed of AI‑driven malware creation.