A new malware strain dubbed Slopoly, likely created using generative AI tools, allowed a threat actor to remain on a compromised server for more than a week and steal data in an Interlock ransomware attack.

The breach started with a ClickFix ruse, and in later stages of the attack, the hackers deployed the Slopoly backdoor as a PowerShell script acting as a client for the command-and-control (C2) framework.

IBM X-Force researchers analyzed the script and found strong indicators that it was created using a large language model (LLM), but could not determine which one.

Evidence pointing to AI-assisted development includes extensive commentary in the code, structured logging, error handling, and clearly named variables. All this is rare in human-developed malware.

They attributed the attack to a financially motivated group they track as Hive0163, "whose main objective is extortion through large-scale data exfiltration and ransomware."

According to the researchers, Slopoly is rather unsophisticated, although its deployment in ransomware operators' attack chains indicates that AI tools are actively used to accelerate custom malware development, which can help evade detection.

Although comments in the Slopoly script describe it as a “Polymorphic C2 Persistence Client,” IBM X-Force did not find any feature that would allow modifying its own code during execution.

“The script does not possess any advanced techniques and can hardly be considered polymorphic, since it's unable to modify its own code during execution,” reads the IBM report.

“The builder may, however, generate new clients with different randomized configuration values and function names, which is standard practice among malware builders.”

IBM X-Force researchers believe that Slopoly was generated by a builder that inserted configuration values, such as beaconing intervals, command-and-control addresses, mutex names, and session IDs.

The malware is deployed in C:\ProgramData\Microsoft\Windows\Runtime\, and its main functions include:

• Collecting system information
• Sending a heartbeat beacon every 30 seconds to /api/commands
• Polling for commands every 50 seconds
• Executing received commands via cmd.exe
• Sending command output back to the C2 server
• Maintaining a rotating persistence.log file
• Establishing persistence through a scheduled task named “Runtime Broker”

The commands it supports allow downloading and executing EXE, DLL, or JavaScript payloads; running shell commands and returning the results; changing beaconing intervals; updating itself; or exiting its own process.

The attack IBM observed started with a ClickFix social engineering flow, and deployed multiple malware components besides Slopoly, including the NodeSnake and InterlockRAT backdoors.

Interlock ransomware emerged in 2024 and was an early adopter of the ClickFix social engineering technique, and later also the FileFix variant.

The threat group has previously claimed attacks against high-profile organizations such as the Texas Tech University System, DaVita, Kettering Health, and the city of Saint Paul, Minnesota.

The Interlock ransomware payload observed in the attacks reported by IBM is a 64-bit Windows executable delivered via the JunkFiction loader.

It can execute as a scheduled task running as SYSTEM, and uses Windows Restart Manager API to release locked files, appending the ‘. !NT3RLOCK’ or ‘.int3R1Ock’ extensions on their encrypted copies.

IBM reports that Hive0163 may also have associations with the developers behind Broomstick, SocksShell, PortStarter, SystemBC, and the Rhysida ransomware operators.