2026-03-12 17:02 UTC

Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks

Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163.

"Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take

Hive0163's operations are driven by extortion through large-scale data exfiltration and ransomware.

The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.

In one ransomware attack observed by the company in early 2026, the threat actor deployed Slopoly during the post-exploitation phase to maintain persistent access to the compromised server for more than a week.

Slopoly's discovery can be traced back to a PowerShell script that's likely deployed into the "C:\ProgramData\Microsoft\Windows\Runtime\" folder by means of a builder.

Persistence is achieved by setting up a scheduled task called "Runtime Broker."
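A host check built on the two artifacts named above, the scheduled task name and the script folder, is shown below as an added example; it is not code from the researchers or from the malware. The matching logic (name equality, a substring match on task actions after expanding environment variables) is an assumption, and a hit is a lead for triage rather than confirmation.

```powershell
# Added hunting example. The only indicators used are the two named in the article.
$TaskName   = 'Runtime Broker'
$DropFolder = 'C:\ProgramData\Microsoft\Windows\Runtime'

# 1. Scheduled tasks whose name matches, or whose action points into the folder.
$hits = foreach ($task in Get-ScheduledTask) {
    $reasons = @()
    if ($task.TaskName -eq $TaskName) { $reasons += 'task name' }

    foreach ($action in $task.Actions) {
        # Only exec actions carry Execute/Arguments; other action types yield empty strings.
        $raw = '{0} {1} {2}' -f $action.Execute, $action.Arguments, $action.WorkingDirectory
        # Task actions may use %ProgramData% and similar, so expand before comparing.
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        if ($expanded.IndexOf($DropFolder, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += 'action references folder'
            break
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            TaskPath = $task.TaskPath
            TaskName = $task.TaskName
            State    = $task.State
            RunAs    = $task.Principal.UserId
            Actions  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Reasons  = $reasons -join ', '
        }
    }
}
$hits | Format-List

# 2. PowerShell scripts present in the folder, with timestamps and hashes for triage.
if (Test-Path -LiteralPath $DropFolder) {
    Get-ChildItem -LiteralPath $DropFolder -Filter '*.ps1' -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc,
            @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
        Format-List
}
```

Run it from an elevated session so that tasks registered under other accounts are enumerated.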

There are signs that the malware was developed with the help of an as-yet-undetermined large language model (LLM).
