Researchers identify suspected AI-assisted Slopoly backdoor used by Hive0163

Cybersecurity researchers disclosed a suspected AI-generated PowerShell backdoor called Slopoly used by the financially motivated group Hive0163 in early 2026, with the backdoor maintaining persistence on a compromised server for more than a week.

KEY FACTS

  • Incident: Ransomware post-exploitation
  • Malware: PowerShell backdoor that beacons to a C2 server
  • Actor: Hive0163
  • Persistence: Scheduled task named “Runtime Broker” observed for over a week

A technical analysis by IBM X-Force states that its researchers identified Slopoly and flagged code features suggesting assistance from a large language model.

Slopoly appears as a PowerShell script, likely produced by a builder; a scheduled task called “Runtime Broker” was also set up to preserve access.

The script sends a heartbeat with system information every 30 seconds, polls for commands every 50 seconds, executes them through cmd.exe and returns the output to the command-and-control server.
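A defender-side illustration, added here and not taken from the IBM X-Force analysis: a Python check over constructed proxy log lines that flags request streams whose inter-arrival times cluster tightly around the reported 30-second heartbeat and 50-second polling cadences. The host names, paths and timestamps are made up for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real telemetry), one request per line:
# "<ISO timestamp> <src_host> <dest_host> <method> <path>"
SAMPLE_LOG = """
2026-02-03T10:00:00 srv01 c2.example.invalid POST /beat
2026-02-03T10:00:30 srv01 c2.example.invalid POST /beat
2026-02-03T10:01:00 srv01 c2.example.invalid POST /beat
2026-02-03T10:01:30 srv01 c2.example.invalid POST /beat
2026-02-03T10:02:00 srv01 c2.example.invalid POST /beat
2026-02-03T10:00:05 srv01 c2.example.invalid GET /cmd
2026-02-03T10:00:55 srv01 c2.example.invalid GET /cmd
2026-02-03T10:01:45 srv01 c2.example.invalid GET /cmd
2026-02-03T10:02:35 srv01 c2.example.invalid GET /cmd
2026-02-03T10:00:07 srv01 updates.example.invalid GET /index
2026-02-03T10:03:19 srv01 updates.example.invalid GET /index
2026-02-03T10:09:02 srv01 updates.example.invalid GET /index
"""

# Cadences to look for, taken from the reported heartbeat and polling intervals.
SUSPECT_PERIODS = (30.0, 50.0)

def parse(log):
    """Yield (timestamp, src, dst, path) tuples from the constructed log format."""
    for line in log.strip().splitlines():
        ts, src, dst, _method, path = line.split()
        yield datetime.fromisoformat(ts), src, dst, path

def find_beacons(log, periods=SUSPECT_PERIODS, tolerance=2.0, min_hits=4):
    """Return {(src, dst, path): period} for streams whose mean gap sits within
    `tolerance` seconds of a suspect period and whose jitter is equally small.
    Streams with fewer than `min_hits` requests are too short to judge."""
    streams = defaultdict(list)
    for ts, src, dst, path in parse(log):
        streams[(src, dst, path)].append(ts)
    hits = {}
    for key, stamps in streams.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        for period in periods:
            if abs(avg - period) <= tolerance and jitter <= tolerance:
                hits[key] = period
    return hits
```

Real beacons add jitter and hosts generate legitimate periodic traffic too, so a hit is a lead to pivot on (process, scheduled tasks, destination reputation), not a verdict by itself.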

The observed attack chain used a ClickFix social engineering lure to run a PowerShell command that downloaded NodeSnake, which then retrieved an Interlock RAT and later delivered Slopoly.

The framework has implementations in PowerShell, PHP, C, Java and JavaScript to support Windows and Linux and can open a SOCKS5 proxy, spawn reverse shells and deliver ransomware.

WHY IT MATTERS

AI-assisted code can reduce the time needed to develop new malware frameworks, enabling criminal groups to scale tooling and operations more quickly even when the resulting code is not technically advanced.