Slopoly: The First “AI-Written” Malware That Reached Production
Yesterday IBM X-Force published a report that made waves in the security community: they discovered a backdoor used in a real ransomware attack, and researchers determined that the code was generated, almost certainly, by a language model.
They called it Slopoly. And while technically it’s not particularly sophisticated, what it represents is.
What is Slopoly
Slopoly is a C2 (command-and-control) backdoor that was deployed by a cybercrime group tracked as Hive0163 during a ransomware attack in early 2026. The group managed to maintain persistent access to a compromised server for more than a week using this malware.
Why did researchers determine it was AI-generated? Because the code has characteristics that are unusual in malware developed by humans:
- Extensive and detailed comments throughout the code
- Structured logging with clear messages at each step
- Consistent error handling across all functions
- Variables with descriptive names that clearly communicate the malicious intent of the script
That last point is important: the variable names make no attempt to hide the script’s purpose. The model generated it as if it were a legitimate project, with clarity and best practices, even though the script was explicitly designed for malicious use, which indicates that whatever guardrails the model had were successfully bypassed.
IBM X-Force couldn’t determine which model was used. Based on code quality, they suggest it was a less advanced model.
How it works technically
Slopoly was deployed as a PowerShell script in the path C:\ProgramData\Microsoft\Windows\Runtime\, establishing persistence through a scheduled task called “Runtime Broker” (mimicking a legitimate Windows process).
The framework has implementations in multiple languages — PowerShell, PHP, C/C++, Java, and JavaScript — with support for both Windows and Linux.
Main capabilities:
Slopoly C2 Framework
├── Communication with remote server to receive commands
├── Launch a SOCKS5 proxy tunnel
├── Spawn reverse shell on the infected machine
└── Delivery of additional payloads (Interlock ransomware, NodeSnake)
The attack began with a ClickFix tactic — a social engineering technique where users are tricked into executing malicious commands in PowerShell thinking they’re “solving a problem”. Slopoly was deployed during the post-exploitation phase, suggesting the group used it in a “live-fire exercise” mode: testing the tool in a real attack.
Who is Hive0163
Hive0163 is a financially-motivated cybercrime group whose main operation is extortion through massive data exfiltration and ransomware. Their arsenal includes tools such as:
- NodeSnake — multi-language backdoor similar to Slopoly
- Interlock RAT — remote access trojan
- JunkFiction loader — malware loader
- Interlock ransomware — the final payload of their attacks
IBM also points out possible links with Rhysida ransomware operators and other malware families such as Broomstick, SocksShell, PortStarter, and SystemBC.
For initial access, the group uses ClickFix, malvertising, and initial access brokers such as TA569 (SocGholish) and TAG-124 (KongTuke).
Why this matters — beyond the malware itself
IBM X-Force’s report makes it clear: Slopoly is not technically impressive. It’s not polymorphic, it doesn’t have advanced sandbox evasion, it doesn’t do anything an experienced programmer couldn’t do in a day.
The point is different: what used to take days or weeks of development can now be done in hours or minutes.
The democratization of malware development is the real problem. A threat operator who doesn’t know how to code can now describe what they need and get a functional framework. The barrier to entry is crumbling.
IBM X-Force categorizes it as “AI-driven malware development” — distinct from “agentic AI” that executes attacks autonomously. But they call it the beginning of an emerging phase, not the peak.
Slopoly is not the only case. The report also mentions VoidLink and PromptSpy as other examples of malware with clear indicators of AI generation. Palo Alto’s Unit 42 also published similar observations in their 2026 Global Incident Response Report.
The implications for devs building systems
If you’re building applications or infrastructure, this has practical implications:
1. The speed of custom malware creation is accelerating.
Before, generic malware could be detected with signatures. Custom malware required resources that few groups had. AI is blurring that difference. Malware that evades your specific signatures is now within reach of more actors.
2. Signature-based detection is losing ground.
If code changes with each generation, signature-based detection becomes less effective. Detection systems based on behavior (what the malware does, not how it looks) become more critical.
3. ClickFix and social engineering remain the real vector.
Slopoly didn’t exploit any exotic technical vulnerability. It got in because a user ran a command in PowerShell. The weakest link remains the same.
4. Your AI dependencies are also an attack surface.
IBM mentions that malware was found stealing secrets from OpenClaw (an AI framework). If your app uses AI models or tools and has access to sensitive data, that chain is an attack surface that needs protection.
What IBM says about the future
The X-Force analysis ends with a warning worth reading in full:
“This represents only the initial phase of an emerging arms race between adversarial AI and defenders.”
It’s not alarmism. It’s a fairly sober description of what’s happening: attackers are adopting AI to accelerate their operational capacity, and the defensive side is in the process of catching up.
The good news: behavior-based detection, security systems with their own AI, and social engineering education remain effective defenses. AI-generated malware still needs entry vectors that are preventable.
For LatAm devs: concrete checklist
Slopoly used ClickFix as an entry vector — tricking a user into running a command in PowerShell. Here are the most concrete things you can do today:
- Review PowerShell policies in your infrastructure — execution policy, script logging
- Train your team to recognize ClickFix and similar social engineering techniques
- Update your detection tools with Indicators of Compromise (IoCs) from Hive0163
- Review scheduled task access on Windows servers — Slopoly hides as “Runtime Broker”
- Implement behavior-based detection in addition to static signatures
- Audit your secrets and environment variables — if you use AI tools with infrastructure access, those credentials are targets
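A hunt script for the checklist items on PowerShell logging and scheduled tasks, tied to the persistence traits described earlier (the “Runtime Broker” task name and the C:\ProgramData\Microsoft\Windows\Runtime\ path quoted in this post). This is an added example, not code from the IBM report or from this post; the task name, the path, and the registry locations of the PowerShell logging policies are the assumptions it relies on, and a hit is a lead to investigate, not proof of Slopoly.

```powershell
# Added defensive hunt (not from the IBM report or this post).
# Assumptions: task name and directory as quoted in the post; logging policy
# keys at their standard Group Policy registry locations.
$SuspectTaskName = 'Runtime Broker'                          # name quoted in the post
$SuspectPath     = 'C:\ProgramData\Microsoft\Windows\Runtime'  # path quoted in the post

function Find-SuspectTasks {
    # Flags a task if its name mimics "Runtime Broker" or if any of its
    # actions launches something from the suspect directory.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd    = "$($action.Execute) $($action.Arguments)"
            $byName = $task.TaskName -eq $SuspectTaskName
            $byPath = $cmd -like "*$SuspectPath*"
            if ($byName -or $byPath) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    State    = $task.State
                    Command  = $cmd
                    Reason   = if ($byName) { 'task name mimics Runtime Broker' } else { 'action runs from suspect path' }
                }
            }
        }
    }
}

function Get-PowerShellLoggingPosture {
    # Script block and module logging are policy values; a missing key means
    # the setting is not enforced, so treat absence as disabled.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl  = Get-ItemProperty -Path "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $ml   = Get-ItemProperty -Path "$base\ModuleLogging"      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging   = [bool]($sbl.EnableScriptBlockLogging -eq 1)
        ModuleLogging        = [bool]($ml.EnableModuleLogging -eq 1)
        MachinePolicy        = Get-ExecutionPolicy -Scope MachinePolicy
        LocalMachinePolicy   = Get-ExecutionPolicy -Scope LocalMachine
        SuspectDirExists     = Test-Path -Path $SuspectPath
    }
}

# Run from an elevated prompt so all tasks and policy keys are readable.
Find-SuspectTasks | Format-Table -AutoSize
Get-PowerShellLoggingPosture | Format-List
```

Treat an execution policy of Unrestricted or Bypass and a disabled ScriptBlockLogging as findings in their own right: the former lets a ClickFix-pasted command run without friction, the latter leaves you without the script contents you would need to scope an incident like this one.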
The full IBM X-Force report is available under the title “A Slopoly start to AI-enhanced ransomware attacks” on IBM’s site.
The race between attackers and defenders with AI is starting. Slopoly is the first notable documented case, but it won’t be the last. Do you already have visibility into anomalous behaviors in your systems? Do you use behavior-based detection? Share in the comments — this is the kind of conversation worth having before Slopoly V2 appears.
