AI-Generated Slopoly Malware Detected in Ransomware Attack Targeting Corporate Systems


Cybersecurity researchers have discovered a new malware strain called Slopoly, believed to have been developed using artificial intelligence tools and deployed during a ransomware attack.

The malicious software allowed attackers to remain inside a compromised system for more than a week, quietly collecting and transferring sensitive data before launching further stages of the attack.

The malware was identified by researchers at IBM X-Force during an investigation into a ransomware campaign associated with the Interlock ransomware operation.

AI-Generated Malware ‘Slopoly’ Detected by Researchers

According to cybersecurity analysts, Slopoly is a previously unknown malware backdoor that appears to have been partially generated using generative AI tools.

The malware enabled attackers to maintain persistent access to the targeted server while monitoring system activity and extracting valuable data.

Although researchers found strong indications that artificial intelligence was used during development, they said it was not possible to identify which specific AI model generated the code.

Attack Began With ClickFix Social Engineering Technique

The cyberattack reportedly began with a social engineering method known as ClickFix.

Through this technique, attackers trick victims into executing malicious commands that give them initial access to the system.

Once inside the network, attackers deployed multiple malicious components as part of a broader ransomware campaign.

In a later stage of the attack, Slopoly was installed as a PowerShell-based backdoor that allowed remote command execution from attacker-controlled infrastructure.

Researchers linked the activity to a financially motivated cybercriminal group identified as Hive0163, which is known for ransomware-driven extortion operations.

Indicators of AI-Assisted Malware Development

While analyzing the malware code, investigators noticed several unusual features suggesting AI-assisted development, including:

  • Extensive inline code comments

  • Structured logging functions

  • Detailed error-handling mechanisms

  • Clearly labelled variables

These characteristics are more commonly seen in AI-generated or AI-assisted code than in traditional manually written malware.
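The traits listed above can be measured rather than eyeballed. The following is an added example, not code from IBM X-Force or from the article: a small Python triage heuristic that counts comment density, logging-function definitions, try/catch blocks and variable-name length in a PowerShell script. The two scripts it scores are constructed benign samples (an inventory helper written in the heavily commented style, and a one-liner in the terse style); the thresholds are assumptions chosen for this example, not figures from the report.

```python
import re
import statistics

# Constructed sample in the style the article attributes to AI-assisted code:
# heavy inline comments, a dedicated logging function, try/catch everywhere,
# and descriptive variable names. It is a benign inventory helper, not malware.
SAMPLE_VERBOSE = r"""
# Inventory helper (constructed benign sample for the heuristic)
# Every step is logged so failures can be diagnosed later.
$InventoryRoot = "C:\Temp\Inventory"
$LogFilePath = "C:\Temp\inventory.log"

function Write-LogEntry {
    # Append a timestamped line to the log file
    param([string]$Message)
    try {
        Add-Content -Path $LogFilePath -Value "$(Get-Date -Format o) $Message"
    } catch {
        # Logging must never stop the script
    }
}

function Get-FolderSize {
    # Sum the sizes of all files below the inventory root
    try {
        $TotalBytes = (Get-ChildItem -Path $InventoryRoot -Recurse -File | Measure-Object -Property Length -Sum).Sum
        Write-LogEntry "Total size: $TotalBytes bytes"
        return $TotalBytes
    } catch {
        Write-LogEntry "Size calculation failed: $_"
        return 0
    }
}
"""

# Constructed sample of the terse, uncommented style more typical of hand-written tooling.
SAMPLE_TERSE = r"""
$a=gci C:\Temp -r -file;$s=0;foreach($f in $a){$s+=$f.Length};$s
"""

# PowerShell automatic variables that say nothing about naming discipline.
AUTOMATIC_VARS = {"_", "true", "false", "null"}


def script_style_metrics(script: str) -> dict:
    """Count the stylistic traits the article lists as AI-assistance indicators."""
    lines = [ln for ln in script.splitlines() if ln.strip()]
    comment_lines = sum(1 for ln in lines if ln.lstrip().startswith("#"))
    logging_functions = len(re.findall(r"function\s+[\w-]*log[\w-]*", script, re.IGNORECASE))
    try_blocks = len(re.findall(r"\btry\b", script, re.IGNORECASE))
    names = {m for m in re.findall(r"\$([A-Za-z_]\w*)", script) if m.lower() not in AUTOMATIC_VARS}
    mean_var_len = statistics.mean(len(n) for n in names) if names else 0.0
    comment_ratio = comment_lines / len(lines) if lines else 0.0
    return {
        "non_blank_lines": len(lines),
        "comment_lines": comment_lines,
        "comment_ratio": comment_ratio,
        "logging_functions": logging_functions,
        "try_blocks": try_blocks,
        "mean_var_len": mean_var_len,
        # Thresholds are assumptions for this example, not figures from the report.
        "ai_assisted_style": comment_ratio >= 0.15
        and mean_var_len >= 6
        and (logging_functions + try_blocks) >= 2,
    }


if __name__ == "__main__":
    for label, sample in (("verbose", SAMPLE_VERBOSE), ("terse", SAMPLE_TERSE)):
        print(label, script_style_metrics(sample))
```

The flag is a triage hint, not attribution: a disciplined human author produces the same profile, and the article itself notes that researchers could not tell which model generated the code. Use it to prioritise which recovered scripts get a closer look.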

Despite these indicators, researchers noted that the malware itself remained relatively simple in functionality.

Although the code described Slopoly as a “Polymorphic C2 Persistence Client,” investigators found no evidence that it could automatically modify its own code during execution.

Instead, it appears to have been generated using a builder framework capable of producing multiple variants with different configuration values.

Malware Maintained Persistent System Access

The Slopoly malware was deployed in the directory:

C:\ProgramData\Microsoft\Windows\Runtime

It established persistence by creating a scheduled task named “Runtime Broker.”
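A defender can check exported scheduled-task definitions for the two details the article gives: the task name "Runtime Broker" and an action that runs PowerShell out of C:\ProgramData\Microsoft\Windows\Runtime. The Python below is an added example, not IBM X-Force's detection logic; it parses Task Scheduler XML (the format Windows stores under C:\Windows\System32\Tasks, where the file name is the task name) and lists the reasons a task resembles the reported persistence. Both task definitions are constructed, and the script file name client.ps1 is an assumption rather than an indicator from the report.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML definitions.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Task name and staging directory as reported in the article.
LURE_TASK_NAMES = {"runtime broker"}
STAGING_DIR = r"c:\programdata\microsoft\windows\runtime"

# Constructed task definition modelled on the reported persistence mechanism;
# the script file name client.ps1 is an assumption, not an indicator from the report.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-File C:\ProgramData\Microsoft\Windows\Runtime\client.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2025-01-01T02:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Tools\Backup\backup.exe</Command>
      <Arguments>--full</Arguments>
    </Exec>
  </Actions>
</Task>"""


def assess_task(task_name: str, task_xml: str) -> list:
    """Return the reasons a scheduled task resembles the reported Slopoly persistence."""
    findings = []
    if task_name.strip().lower() in LURE_TASK_NAMES:
        findings.append(f"task name '{task_name}' mimics the legitimate RuntimeBroker process")
    root = ET.fromstring(task_xml)
    # A task may carry several <Exec> actions; inspect every one of them.
    for exec_node in root.iter(f"{{{TASK_NS}}}Exec"):
        command = (exec_node.findtext(f"{{{TASK_NS}}}Command") or "").strip()
        arguments = (exec_node.findtext(f"{{{TASK_NS}}}Arguments") or "").strip()
        cmdline = f"{command} {arguments}".lower()
        if re.search(r"\b(powershell|pwsh)(\.exe)?\b", cmdline):
            findings.append(f"action launches PowerShell: {command} {arguments}")
        if STAGING_DIR in cmdline:
            findings.append(f"action references the reported staging directory: {STAGING_DIR}")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("Runtime Broker", SUSPICIOUS_TASK_XML), ("Nightly Backup", BENIGN_TASK_XML)):
        print(name, assess_task(name, xml_text) or ["no findings"])
```

The name check and the path check are deliberately independent: an attacker who renames the task still trips the PowerShell-from-ProgramData rule, and a task that keeps the lure name but points elsewhere still surfaces on the name alone.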

Once activated, the malware performed several operational functions, including:

  • Collecting system information

  • Sending periodic heartbeat signals to remote servers

  • Receiving commands from command-and-control infrastructure

  • Executing system commands through the Windows command interpreter

  • Sending command output back to attackers
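The heartbeat behaviour in the list above leaves a signature in outbound traffic: one internal host talking to one external host at a near-constant interval. The Python below is an added example, not code from the article or the researchers. It reads a constructed CSV proxy log, groups requests by (source IP, destination host), and flags pairs whose inter-request intervals have a low coefficient of variation. The 60-second cadence in the sample, the hostnames, and the thresholds are all assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (CSV). 10.0.0.5 contacts one host roughly every 60 seconds,
# the kind of periodic heartbeat the article describes; 10.0.0.7 is ordinary browsing.
SAMPLE_PROXY_LOG = """timestamp,src_ip,dst_host,method,path,status
2025-01-10T09:00:00,10.0.0.5,updates.example.invalid,POST,/beat,200
2025-01-10T09:00:10,10.0.0.7,intranet.example.invalid,GET,/,200
2025-01-10T09:00:12,10.0.0.7,intranet.example.invalid,GET,/style.css,200
2025-01-10T09:01:01,10.0.0.5,updates.example.invalid,POST,/beat,200
2025-01-10T09:02:00,10.0.0.5,updates.example.invalid,POST,/beat,200
2025-01-10T09:02:59,10.0.0.5,updates.example.invalid,POST,/beat,200
2025-01-10T09:03:40,10.0.0.7,intranet.example.invalid,GET,/news,200
2025-01-10T09:04:00,10.0.0.5,updates.example.invalid,POST,/beat,200
2025-01-10T09:05:02,10.0.0.5,updates.example.invalid,POST,/beat,200
2025-01-10T09:06:00,10.0.0.5,updates.example.invalid,POST,/beat,200
2025-01-10T09:07:00,10.0.0.5,updates.example.invalid,POST,/beat,200
2025-01-10T09:15:00,10.0.0.7,intranet.example.invalid,GET,/,200
2025-01-10T09:15:05,10.0.0.7,intranet.example.invalid,GET,/news,200
"""


def find_beacons(log_lines, min_requests: int = 6, max_cv: float = 0.2) -> dict:
    """Flag (src_ip, dst_host) pairs whose request intervals are suspiciously regular.

    min_requests and max_cv are assumed thresholds for this example; tune them to
    the environment, since legitimate software updaters also poll on fixed schedules.
    """
    times = defaultdict(list)
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("timestamp"):
            continue  # skip blanks and the header row
        ts, src, dst, *_ = line.split(",")
        times[(src, dst)].append(datetime.fromisoformat(ts))

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few requests to call anything periodic
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(intervals)
        if mean_gap <= 0:
            continue  # identical timestamps: a burst, not a heartbeat
        cv = statistics.pstdev(intervals) / mean_gap  # coefficient of variation
        if cv <= max_cv:
            beacons[pair] = {"count": len(stamps), "mean_interval": mean_gap, "cv": cv}
    return beacons


if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_PROXY_LOG.splitlines()).items():
        print(pair, stats)
```

Expect false positives from update checkers and monitoring agents; the value of the score is in pairing a regular cadence with a destination that is not on an allow-list, or with a source host that also carries a suspicious scheduled task.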

The malware also maintained rotating log files and could download additional malicious payloads such as:

  • Executable files (.exe)

  • Dynamic-link libraries (.dll)

  • JavaScript scripts

Part of Larger Interlock Ransomware Infrastructure

The Slopoly backdoor was only one component of a broader cyberattack linked to the Interlock ransomware campaign, which first emerged in 2024.

Researchers observed that attackers also deployed additional malware tools, including:

  • NodeSnake backdoor

  • InterlockRAT remote access tool

The ransomware payload itself was delivered through the JunkFiction loader, which allowed attackers to execute the malware with SYSTEM-level privileges.

Once activated, the ransomware encrypted files on the compromised system and appended extensions such as:

  • .!NT3RLOCK

  • .int3Rlock

High-Profile Targets Previously Linked to the Group

Investigators say the threat group behind the operation has previously claimed responsibility for cyberattacks targeting several organisations, including:

  • Texas Tech University System

  • DaVita

  • Kettering Health

  • Saint Paul, Minnesota city administration

The group is also believed to have connections with developers linked to other malware and ransomware projects such as Broomstick, SocksShell, PortStarter, SystemBC, and Rhysida ransomware.

AI Accelerating Modern Cybercrime

Researchers say the discovery of Slopoly highlights a growing trend: cybercriminals are increasingly using artificial intelligence tools to accelerate malware development.

While AI-generated code may not always be sophisticated, it allows attackers to quickly produce customised malware variants, potentially increasing the scale and speed of ransomware campaigns.

Cybersecurity experts warn that organisations must strengthen monitoring systems, apply regular security updates, and maintain robust incident-response strategies to defend against the next generation of AI-assisted cyber threats.


About the Author

Shunyatax Global is part of the expert team at Global Company, supporting auditing services in India, bookkeeping services in India, and international business structuring.
