Experts have identified Slopoly, a suspected AI-generated malware framework utilized by a financially motivated threat actor known as Hive0163 to maintain persistence in compromised networks. While the script lacks true polymorphic capabilities, its structured design highlights how attackers are leveraging large language models to rapidly develop functional malicious tools for data exfiltration and extortion.
Security researchers recently uncovered a new malware strain called Slopoly, which is being deployed by an e-crime group designated as Hive0163. This threat actor is primarily driven by financial gain, focusing its efforts on large-scale data theft and the deployment of ransomware. The discovery of this specific tool marks a shift in the group’s arsenal, which already includes a variety of specialized loaders and remote access trojans used to compromise corporate targets.
During a ransomware investigation conducted in early 2026, analysts observed Slopoly being used during the post-exploitation phase of an attack. The malware was specifically tasked with maintaining a steady connection to a compromised server, allowing the attackers to remain embedded within the victim's infrastructure for over a week. This persistent access is a critical component of Hive0163’s strategy, providing the necessary window to identify and siphon off sensitive data before initiating encryption.
The technical execution of the malware involves a PowerShell script typically hidden within the Windows runtime folders. To ensure it remains active even after a system reboot, the script creates a scheduled task disguised under a legitimate-sounding name. Analysis of the code reveals hallmarks of AI generation, such as unusually thorough documentation, consistent error handling, and descriptive variable names that are often absent in manually written malware. These features suggest the creators used a large language model to streamline the development process.
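A defender's counterpart to the persistence mechanism just described, added here as an example (it is not code from the researchers' report, and the sample task definitions, the task name, and the script path in them are constructed for illustration): Windows stores every scheduled task as an XML file under %SystemRoot%\System32\Tasks, so a task that launches a script interpreter with hidden-window or bypass arguments against a script in a scratch directory can be flagged by parsing those definitions. The interpreter list, argument patterns and directory list are this example's own heuristics, not indicators from the report.

```python
"""Triage Windows scheduled-task definitions for script-based persistence.

Added example, not code from the report. Each task in the Windows task store
is an XML document; the <Actions><Exec> element names the binary and its
arguments. This flags tasks whose action is a script interpreter invoked with
arguments typical of a hidden, policy-bypassing script launch.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics chosen for this example (assumptions, not indicators from the report).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_ARGS = [
    r"-w(indowstyle)?\s+hidden",                   # hidden console window
    r"-e(ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}",  # base64-encoded command
    r"-ex(ecutionpolicy)?\s+bypass",               # execution policy bypass
    r"-nop(rofile)?",                              # skip profile scripts
    r"\.ps1\b",                                    # runs a script file
]
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\",
                   "\\programdata\\", "\\users\\public\\")


def triage_task(name, xml_text):
    """Return a list of findings for one task definition (empty if nothing matched)."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS).strip()
        binary = PureWindowsPath(cmd.strip('"')).name.lower()
        reasons = []
        if binary in INTERPRETERS:
            reasons.append(f"action runs script interpreter {binary}")
        for pattern in SUSPICIOUS_ARGS:
            if re.search(pattern, args, re.IGNORECASE):
                reasons.append(f"argument matches /{pattern}/")
        normalized = args.lower().replace("/", "\\")
        for directory in SUSPICIOUS_DIRS:
            if directory in normalized:
                reasons.append(f"script path under {directory}")
        if reasons:
            findings.append({"task": name, "command": cmd, "arguments": args, "reasons": reasons})
    return findings


def triage_directory(root):
    """Walk a task store (normally %SystemRoot%\\System32\\Tasks) and triage every file.
    Task files are UTF-16 with a BOM; passing raw bytes lets the parser honor that."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                results.extend(triage_task(str(path), path.read_bytes()))
            except ET.ParseError:
                continue
    return results


# Constructed sample definitions (not real tasks from the investigation).
SAMPLE_BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\system32\wsqmcons.exe</Command>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_SUSPICIOUS = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Windows Update Health Check</Description>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Windows\Temp\healthcheck.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for sample_name, xml in (("Benign", SAMPLE_BENIGN), ("Suspicious", SAMPLE_SUSPICIOUS)):
        for finding in triage_task(sample_name, xml):
            print(f"[{finding['task']}] {finding['command']} {finding['arguments']}")
            for reason in finding["reasons"]:
                print(f"    - {reason}")
```

On a live host, `triage_directory(r"C:\Windows\System32\Tasks")` (run with administrative rights, since the task store is not world-readable) applies the same checks to every stored definition; the benign-looking task name is deliberately ignored by the logic, since the report notes the task is disguised under a legitimate-sounding name, so the action and arguments are what matter.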
Despite being labeled as a polymorphic persistence client in its own comments, the malware does not actually change its own code during execution. Researchers pointed out that the script is relatively straightforward and lacks advanced obfuscation techniques. Any variation in the malware likely comes from a builder tool that randomizes configuration values or function names during the initial creation phase, a common practice that helps evade basic signature-based detection but does not constitute true polymorphism.
In practice, Slopoly operates as a functional backdoor that communicates with a command-and-control server at regular intervals. It sends heartbeat messages containing detailed system information every thirty seconds and checks for new instructions shortly thereafter. Once it receives a command, it executes the task via the system command prompt and sends the output back to the attackers. While the specific commands issued in recent attacks remain unknown, the tool provides a reliable pipeline for remote execution and further network exploitation.
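The check-in pattern described above (a heartbeat every thirty seconds followed shortly by a command poll) leaves a very regular inter-connection interval per source and destination, which is the signal a network defender would look for. The following is an added example, not code from the report; the log format, IP addresses and timestamps are constructed for illustration, and the coalescing window, tolerance and thresholds are this example's own choices.

```python
"""Detect fixed-interval beaconing in outbound connection logs.

Added example, not code from the report. Each connection is grouped by
(source, destination); a heartbeat plus its follow-up poll are merged into
one check-in, and the pair is flagged when most gaps between check-ins sit
within a narrow band around the median gap.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in a simplified "timestamp src dst" format (not real telemetry).
# 10.0.0.15 -> 203.0.113.10 checks in every ~30 s with a second request ~3 s later;
# 10.0.0.15 -> 198.51.100.7 is irregular interactive traffic.
SAMPLE_LOG = """\
2026-02-03T10:00:00 10.0.0.15 203.0.113.10
2026-02-03T10:00:03 10.0.0.15 203.0.113.10
2026-02-03T10:00:05 10.0.0.15 198.51.100.7
2026-02-03T10:00:12 10.0.0.15 198.51.100.7
2026-02-03T10:00:30 10.0.0.15 203.0.113.10
2026-02-03T10:00:33 10.0.0.15 203.0.113.10
2026-02-03T10:01:01 10.0.0.15 203.0.113.10
2026-02-03T10:01:04 10.0.0.15 203.0.113.10
2026-02-03T10:01:30 10.0.0.15 203.0.113.10
2026-02-03T10:01:33 10.0.0.15 203.0.113.10
2026-02-03T10:01:40 10.0.0.15 198.51.100.7
2026-02-03T10:02:00 10.0.0.15 203.0.113.10
2026-02-03T10:02:03 10.0.0.15 203.0.113.10
2026-02-03T10:02:31 10.0.0.15 203.0.113.10
2026-02-03T10:02:34 10.0.0.15 203.0.113.10
2026-02-03T10:03:00 10.0.0.15 203.0.113.10
2026-02-03T10:03:02 10.0.0.15 198.51.100.7
2026-02-03T10:03:03 10.0.0.15 203.0.113.10
2026-02-03T10:03:04 10.0.0.15 198.51.100.7
2026-02-03T10:03:30 10.0.0.15 203.0.113.10
2026-02-03T10:03:33 10.0.0.15 203.0.113.10
2026-02-03T10:06:15 10.0.0.15 198.51.100.7
2026-02-03T10:09:50 10.0.0.15 198.51.100.7
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def coalesce(timestamps, window_s):
    """Drop connections within window_s of the last kept one, so a heartbeat
    and the command poll that follows it count as a single check-in."""
    kept = []
    for ts in sorted(timestamps):
        if kept and (ts - kept[-1]).total_seconds() <= window_s:
            continue
        kept.append(ts)
    return kept


def beacon_score(timestamps, coalesce_s=5, tolerance=0.10, min_gaps=5):
    """Return the median check-in gap and the fraction of gaps within
    +/- tolerance of it, or None when there are too few check-ins to judge."""
    checkins = coalesce(timestamps, coalesce_s)
    gaps = [(b - a).total_seconds() for a, b in zip(checkins, checkins[1:])]
    if len(gaps) < min_gaps:
        return None
    med = median(gaps)
    if med <= 0:
        return None
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return {"median_gap_s": med, "regularity": regular / len(gaps),
            "checkins": len(checkins), "connections": len(timestamps)}


def find_beacons(text, min_regularity=0.8):
    """Return every (src, dst) pair whose check-in cadence is regular enough to flag."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score and score["regularity"] >= min_regularity:
            hits.append({"src": src, "dst": dst, **score})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: period ~{hit['median_gap_s']:.0f}s, "
              f"regularity {hit['regularity']:.2f} over {hit['checkins']} check-ins")
```

Without the coalescing step the heartbeat and its follow-up poll would produce alternating short and long gaps and the median test would miss the pattern; the 10 % tolerance leaves room for the small scheduling drift visible in the sample, and a malware builder that adds deliberate jitter would call for widening it or scoring on the distribution of gaps instead.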
Source: Hive0163 Deploys AI-Assisted Slopoly Malware For Persistent Ransomware Access