IBM X-Force researchers have traced Hive0163's ransomware activity to an AI-assisted malware dubbed Slopoly, used to maintain persistent access during attacks. The group, described as financially motivated and focused on post-compromise activity, is linked to a network of malware developers and operators such as Broomstick, Supper, PortStarter, SystemBC, and Rhysida ransomware, with several subclusters sharing crypters, frameworks and variants.
Slopoly was uncovered during a ransomware investigation and is described as a PowerShell backdoor, possibly generated with a large language model, that acts as a C2 client: it collects system data, sends heartbeat beacons, executes operator commands and maintains persistence via a scheduled task. The Windows Interlock ransomware payload, deployed through the group's C2 framework, uses AES-GCM per-file encryption with RSA-protected session keys and can encrypt directories or files, delete itself and leave a ransom note.
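As an added defensive example (not code from the X-Force report), the function below triages exported Windows Scheduled Task XML for the persistence pattern described above: a PowerShell action carrying hidden/encoded/bypass launcher switches and a repeating trigger consistent with periodic beaconing. The two task XML documents are constructed samples, and the argument regexes are general heuristics for PowerShell launchers, not indicators taken from the report.

```python
"""Triage Scheduled Task XML for PowerShell persistence with a beacon-like cadence.
Sample tasks below are constructed for illustration, not recovered artifacts."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PS_EXE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)
# Launcher switches commonly used to hide or obfuscate a script-based backdoor.
SUSPICIOUS_ARGS = {
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:x(?:ecutionpolicy)?|p)\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "download_cradle": re.compile(r"downloadstring|invoke-webrequest|iwr\b|net\.webclient", re.I),
}

def triage_task(task_xml: str) -> dict:
    """Return whether the task runs PowerShell, re-fires on an interval, and which switches matched."""
    root = ET.fromstring(task_xml)
    findings = {"powershell": False, "repeating": False, "flags": []}
    for exec_el in root.iterfind(".//t:Exec", NS):
        cmd = (exec_el.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = exec_el.findtext("t:Arguments", "", NS) or ""
        if PS_EXE.search(cmd):
            findings["powershell"] = True
            findings["flags"] += [name for name, rx in SUSPICIOUS_ARGS.items() if rx.search(args)]
    # A Repetition/Interval element makes the task re-run on a fixed period: a heartbeat-style cadence.
    findings["repeating"] = root.find(".//t:Repetition/t:Interval", NS) is not None
    return findings

def is_suspicious(findings: dict) -> bool:
    """PowerShell plus either an interval trigger or obfuscating switches is worth an analyst's look."""
    return findings["powershell"] and (findings["repeating"] or bool(findings["flags"]))

# Constructed sample: PowerShell launcher, hidden window, encoded command, re-fires every 5 minutes.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-nop -w hidden -ep bypass -enc SQBFAFgA</Arguments></Exec></Actions>
</Task>"""

# Constructed sample: ordinary daily job, no PowerShell, no repetition.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Tools\\backup.exe</Command><Arguments>--full</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_TASK), ("benign", BENIGN_TASK)):
        print(label, is_suspicious(triage_task(xml)), triage_task(xml))
```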
The report notes that NodeSnake serves as the first stage of the Hive0163 C2 framework, enabling further payloads such as InterlockRAT to extend access and movement within networks.