
Hive0163 Ransomware Group Deploys Slopoly: First Confirmed LLM-Generated C2 Framework Used in Live Ransomware Attack

Date: 2026-04-02
TLP: TLP:CLEAR
Tags: ransomware, ai-generated-malware, c2, llm-malware, hive0163

Executive Summary

IBM X-Force discovered 'Slopoly', a likely LLM-generated PowerShell backdoor deployed by the Hive0163 ransomware group during a live intrusion in early 2026, marking the first confirmed use of AI-generated malware in an active ransomware engagement by a financially motivated threat actor. The malware maintained persistent access to a compromised server for over a week before Interlock ransomware was deployed. Defenders should hunt for scheduled tasks named 'Runtime Broker' under C:\ProgramData\Microsoft\Windows\Runtime\ and block connections to the identified C2 infrastructure; the entry vector was ClickFix social engineering, requiring enhanced employee awareness.

Campaign Summary

Campaign / Malware: Slopoly / Hive0163 Ransomware Intrusion
Attribution: Hive0163 (confidence: high)
Target: Enterprise organizations; financially motivated extortion via data exfiltration and Interlock ransomware
Vector: ClickFix social engineering (fake CAPTCHA page instructing the victim to paste malicious PowerShell into the Win+R dialog); followed by malvertising and initial access broker partnerships
Status: active
First Observed: 2026-Q1

Detailed Findings

According to IBM X-Force, in early 2026 researchers identified 'Slopoly' during a live ransomware incident response engagement. The malware is a PowerShell script that functions as the client component of a custom command-and-control (C2) framework. Strong indicators of LLM-assisted generation include extensive inline comments, consistent error handling, verbose logging, and descriptive variable names — including comments labeling it a 'Polymorphic C2 Persistence Client' despite lacking any actual polymorphic behavior at runtime.

IBM X-Force attributed the broader intrusion to Hive0163, a financially motivated cluster associated with Interlock ransomware, NodeSnake, InterlockRAT, and JunkFiction loader. The intrusion chain documented by X-Force began with a ClickFix attack, where the victim was presented with a fake CAPTCHA-like verification page instructing them to press Win+R, paste a malicious command from the clipboard, and hit Enter — executing the initial PowerShell stager without realizing it.

According to IBM's analysis, Slopoly was dropped to C:\ProgramData\Microsoft\Windows\Runtime\ and persisted via a scheduled task named 'Runtime Broker', a legitimate-sounding name used to blend with genuine Windows processes. The script sends periodic JSON heartbeat beacons to its C2 server, receives commands over HTTP via cmd.exe, and logs activity to persistence.log.

The C2 server was hosted at plurfestivalgalaxy[.]com (94.156.181[.]89), which displayed a login panel during its active period. Additional C2 IPs identified by IBM include 77.42.75[.]119, 23.227.203[.]123, and 172.86.68[.]64. X-Force noted it could not determine which specific LLM generated Slopoly, but assessed the code quality suggests a less advanced model.

IBM and The Hacker News confirmed that Slopoly was deployed late in the intrusion chain — after NodeSnake and InterlockRAT had already established persistence — suggesting the group was conducting a live-fire test of its AI-generated framework. Interlock ransomware was subsequently deployed, encrypting files with AES-GCM per-file session keys protected by RSA, appending a custom extension and leaving ransom notes (FIRST_READ_ME.txt).

IBM X-Force assessed this represents 'only the initial phase of an emerging arms race,' with future stages including agentic AI and AI-integrated malware that can make autonomous decisions throughout the attack chain. Security Affairs noted IBM's report explicitly references PROMPTFLUX, PromptSpy, and VoidLink as early examples of this second-stage evolution already observed in isolated cases.

MITRE ATT&CK Mapping

T1204.001 - User Execution: Malicious Link
  ClickFix social engineering tricks victims into manually pasting and executing malicious PowerShell via the Windows Run dialog, bypassing traditional email gateway detections.
T1053.005 - Scheduled Task/Job: Scheduled Task
  Slopoly persists via a scheduled task named 'Runtime Broker' under C:\ProgramData\Microsoft\Windows\Runtime\ to mimic legitimate Windows process names.
T1071.001 - Command and Control: Application Layer Protocol: Web Protocols
  Slopoly beacons to its C2 server via HTTP POST, sending JSON heartbeat data and receiving commands to execute via cmd.exe.
T1486 - Data Encrypted for Impact
  Interlock ransomware deployed in the final stage uses AES-GCM per-file encryption with RSA-protected session keys, leaving FIRST_READ_ME.txt ransom notes.
T1027 - Obfuscated Files or Information
  Slopoly and associated malware use LLM-generated code with plausible variable names and comments to evade signature-based detection; the code style avoids patterns that trigger static analysis.

IOCs

Domains

plurfestivalgalaxy.com

Full URL Paths

IOCs sourced from CyberSecurityNews (https://cybersecuritynews.com/ibm-uncovers-slopoly-likely-ai-generated-malware/) and GBHackers (https://gbhackers.com/ai-generated-malware/) reporting on the IBM X-Force blog (https://www.ibm.com/think/x-force/slopoly-start-ai-enhanced-ransomware-attacks). C2 domain plurfestivalgalaxy[.]com reported as no longer active. Associated Hive0163 infrastructure also includes Cloudflare tunnel domains used for NodeSnake and InterlockRAT C2 (specific tunnel domains not published by IBM).

Splunk Format

"plurfestivalgalaxy.com"

Detection Recommendations

  1. EDR: Hunt for scheduled tasks named 'Runtime Broker' created under C:\ProgramData\Microsoft\Windows\Runtime\ (a non-standard path for this process name); flag PowerShell scripts dropped to C:\ProgramData subdirectories with a 'persistence.log' write pattern.
  2. SIEM: Alert on RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) modifications, an indicator of Win+R ClickFix execution.
  3. Network: Block outbound HTTP/HTTPS to 94.156.181.89, 77.42.75.119, 23.227.203.123 and 172.86.68.64 at the perimeter firewall; flag plurfestivalgalaxy.com in DNS logs (though the domain is reportedly inactive).
  4. Email/Web Proxy: Implement ClickFix detection rules: flag pages containing clipboard-write JavaScript combined with instructions referencing 'Win+R', 'cmd', or 'PowerShell'.
  5. AzCopy: Alert on AzCopy execution from non-standard directories, a Hive0163 exfiltration indicator; similarly flag Advanced IP Scanner execution in non-IT subnets.
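As an added example (not code from the IBM X-Force report, nor anything from Hive0163's tooling), the following Python encodes the five recommendations above as hunting rules and runs them over a constructed, Sysmon-like event stream plus a constructed page fragment. The task name, drop path, log file name, RunMRU key, C2 IPs and C2 domain are the values this report gives; the event field names, the "expected" AzCopy install directories and every sample record are assumptions of this example and should be mapped onto whatever your EDR or SIEM actually emits.

```python
import re

# Indicators from the report above, lower-cased for case-insensitive matching.
SLOPOLY_TASK_NAME = "runtime broker"
SLOPOLY_DROP_DIR = r"c:\programdata\microsoft\windows\runtime"
PROGRAMDATA = r"c:\programdata"
SLOPOLY_LOG_NAME = "persistence.log"
RUNMRU_KEY = r"hkcu\software\microsoft\windows\currentversion\explorer\runmru"
C2_IPS = {"94.156.181.89", "77.42.75.119", "23.227.203.123", "172.86.68.64"}
C2_DOMAINS = {"plurfestivalgalaxy.com"}
# Assumption of this example: AzCopy is normally launched from an install location.
AZCOPY_EXPECTED_DIRS = (r"c:\program files", r"c:\program files (x86)")

# Heuristics for recommendation 4 (ClickFix page shape).
CLIPBOARD_JS = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
RUN_INSTRUCTION = re.compile(r"win(dows)?\s*\+\s*r|\bcmd\b|powershell", re.I)


def _norm(path: str) -> str:
    """Normalise a Windows path (or registry key) for prefix comparison."""
    return path.replace("/", "\\").lower()


def classify_event(ev: dict) -> list[str]:
    """Return the names of the hunting rules one telemetry record matches."""
    hits: list[str] = []
    kind = ev.get("event")
    if kind == "task_create":
        # Rec. 1: the genuine RuntimeBroker.exe is not started by a scheduled task,
        # and any task whose action lives in the drop directory is suspect on its own.
        if ev.get("task_name", "").lower() == SLOPOLY_TASK_NAME:
            hits.append("slopoly_task_name")
        if _norm(ev.get("action", "")).startswith(SLOPOLY_DROP_DIR):
            hits.append("slopoly_task_path")
    elif kind == "file_create":
        path = _norm(ev.get("path", ""))
        if path.startswith(PROGRAMDATA) and path.endswith("\\" + SLOPOLY_LOG_NAME):
            hits.append("slopoly_persistence_log")
        if path.startswith(PROGRAMDATA) and path.endswith(".ps1"):
            hits.append("programdata_ps1_drop")
    elif kind == "registry_set":
        # Rec. 2: RunMRU records what was typed into Win+R. Any write is the signal the
        # report names; a value mentioning PowerShell is the higher-confidence variant.
        if _norm(ev.get("key", "")).startswith(RUNMRU_KEY):
            hits.append("runmru_write")
            if "powershell" in ev.get("value", "").lower():
                hits.append("runmru_powershell")
    elif kind in ("network_connect", "dns_query"):
        # Rec. 3: known C2 addresses and the (reportedly inactive) C2 domain.
        if ev.get("dst_ip") in C2_IPS or ev.get("dst_host", "").lower() in C2_DOMAINS:
            hits.append("slopoly_c2")
    elif kind == "process_create":
        # Rec. 5: AzCopy launched from somewhere other than an install directory.
        image = _norm(ev.get("image", ""))
        if image.endswith("\\azcopy.exe") and not image.startswith(AZCOPY_EXPECTED_DIRS):
            hits.append("azcopy_nonstandard_dir")
    return hits


def looks_like_clickfix(html: str) -> bool:
    """Rec. 4: clipboard-write JavaScript plus Win+R / cmd / PowerShell instructions."""
    return bool(CLIPBOARD_JS.search(html) and RUN_INSTRUCTION.search(html))


def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Map each matched rule to the ids of the events that triggered it."""
    report: dict[str, list[str]] = {}
    for ev in events:
        for rule in classify_event(ev):
            report.setdefault(rule, []).append(ev["id"])
    return report


# Constructed sample telemetry (not real data); e6 and e7 are benign controls.
SAMPLE_EVENTS = [
    {"id": "e1", "event": "task_create", "task_name": "Runtime Broker",
     "action": r"C:\ProgramData\Microsoft\Windows\Runtime\client.ps1"},
    {"id": "e2", "event": "file_create",
     "path": r"C:\ProgramData\Microsoft\Windows\Runtime\persistence.log"},
    {"id": "e3", "event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "value": "powershell.exe <constructed placeholder>"},
    {"id": "e4", "event": "network_connect", "dst_ip": "94.156.181.89", "dst_port": 80},
    {"id": "e5", "event": "process_create", "image": r"C:\Users\Public\azcopy.exe"},
    {"id": "e6", "event": "task_create", "task_name": "OneDrive Update",
     "action": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"id": "e7", "event": "network_connect", "dst_ip": "13.107.42.14", "dst_port": 443},
]

# Constructed page fragment in the ClickFix shape (wording and script are made up).
SAMPLE_CLICKFIX_PAGE = """<p>Verify you are human: press <b>Win + R</b>, then Ctrl+V and Enter.</p>
<script>navigator.clipboard.writeText(cmd);</script>"""

if __name__ == "__main__":
    for rule, ids in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{rule:26s} {', '.join(ids)}")
    print("clickfix page:", looks_like_clickfix(SAMPLE_CLICKFIX_PAGE))
```

The RunMRU rule is deliberately split in two: every RunMRU write is worth collecting because ordinary users rarely use Win+R, but in fleets where they do, alerting only on the `runmru_powershell` variant keeps the queue manageable while still catching the ClickFix pattern described in the report.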

References