Cybersecurity researchers have disclosed details of an AI-generated malware codenamed Slopoly used by a financially motivated threat actor named Hive0163, seen during a ransomware operation in early 2026.
The malware, described as an AI-assisted backdoor, was deployed in the post-exploitation phase to maintain persistent access to a compromised server for more than a week. It uses a PowerShell script that establishes persistence via a scheduled task called “Runtime Broker.” The same analysis notes that the PowerShell script functions as a backdoor: it beacons system information to a C2 server every 30 seconds, polls for new commands every 50 seconds, and executes them via cmd[.]exe.
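The two reported timers (30-second heartbeat, 50-second command poll) interleave, so the merged request stream has no single constant interval and a plain "fixed gap" beacon rule can miss it. The following is an added detection sketch, not code from the analysis: it looks for both periodic trains in traffic between one source and one destination. The log format, IP addresses, tolerance and thresholds are assumptions, and the sample log is constructed.

```python
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PERIODS = (30, 50)  # seconds: heartbeat and command-poll intervals reported for Slopoly

def longest_train(times, period, tol=2.0):
    """Longest chain of events spaced ~period seconds apart in sorted `times`.
    Stepping event to event (not from a fixed origin) tolerates timer drift."""
    best = []
    for start in times:
        chain = [start]
        while True:
            i = bisect_left(times, chain[-1] + period - tol)
            if i == len(times) or times[i] > chain[-1] + period + tol:
                break
            chain.append(times[i])
        best = max(best, chain, key=len)
    return best

def find_dual_timer_beacons(lines, min_hits=6, min_coverage=0.8):
    """Return (src, dst) pairs whose requests are explained by both timers.
    min_hits and min_coverage are assumed tuning values, not from the report."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts).timestamp())
    flagged = []
    for pair, times in by_pair.items():
        times.sort()
        trains = [longest_train(times, p) for p in PERIODS]
        explained = set().union(*trains)
        if min(map(len, trains)) >= min_hits and len(explained) / len(times) >= min_coverage:
            flagged.append(pair)
    return flagged

def constructed_sample():
    """Constructed proxy log: hypothetical 'timestamp src dst' lines, documentation IPs."""
    t0 = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
    hosts = {
        ("10.0.0.5", "203.0.113.10"): list(range(0, 301, 30)) + list(range(7, 308, 50)),
        ("10.0.0.9", "198.51.100.30"): list(range(0, 301, 30)),  # 30 s health check only
        ("10.0.0.8", "198.51.100.20"): [3, 41, 44, 130, 131, 260, 299],  # irregular browsing
    }
    return [f"{(t0 + timedelta(seconds=s)).isoformat()} {src} {dst}"
            for (src, dst), offsets in hosts.items() for s in offsets]

if __name__ == "__main__":
    print(find_dual_timer_beacons(constructed_sample()))
```

Requiring both trains keeps an ordinary single-interval poller, such as the 30-second health check in the sample, from being flagged; a hit is a lead to correlate with the “Runtime Broker” scheduled task on the host, not a verdict on its own.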
Slopoly’s builder appears to generate new clients with different configuration values and function names, suggesting malware-creation tooling, while the broader framework can deliver payloads such as Interlock ransomware alongside Slopoly. According to IBM X-Force, AI-generated malware does not introduce fundamentally new techniques but speeds up development and execution for threat actors. Slopoly’s discovery follows prior AI-assisted examples like VoidLink and PromptSpy, underscoring a trend toward AI-enabled malware development and scale.