Security researchers at IBM recently discovered a cyber criminal group using AI-generated malware during a ransomware attack, signalling a fundamental shift in the dynamics of the threat landscape.

IBM X-Force, the technology giant’s threat intelligence and cyber security arm, said it discovered in early 2026 that a cyber criminal cluster, tracked as Hive0163, likely used an artificial intelligence-generated malware during a ransomware attack.
Hive0163 is known in cyber security circles as a cluster of threat actors that conducts major ransomware attacks using the Interlock ransomware for financial gain. The cluster has also been observed using private crypters and backdoor malware such as NodeSnake, InterlockRAT and JunkFiction loader in the past during ransomware operations.
Researchers at IBM X-Force said they recently encountered a likely AI-generated malware when analysing a ransomware attack carried out by hackers associated with Hive0163. Dubbed Slopoly, the malware was likely generated and deployed to enable its operators to maintain persistent access to an infected server.
The malware appeared in the form of a PowerShell script which was a component of a novel command and control framework deployed in the Windows Runtime folder and which established persistence through a scheduled task called "Runtime Broker."
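A defender can hunt for the persistence pattern described above on a Windows host. The script below is an added example, not code from IBM X-Force or from the malware; the only indicators it takes from the article are the task name "Runtime Broker" and the use of a PowerShell action, while the encoded/hidden-argument heuristic is an assumption of the author of this example.

```powershell
# Added hunting example (not IBM X-Force code): enumerate scheduled tasks and flag those that
# resemble the Slopoly persistence mechanism (a PowerShell script run by a task named "Runtime Broker").
# Assumptions: the task name and the PowerShell action come from the article; the encoded/hidden
# argument heuristic is mine. Run in an elevated PowerShell session on the host being examined.

$SuspectNames = @('Runtime Broker')          # task name quoted in the article
$ScriptHosts  = @('powershell.exe', 'pwsh.exe', 'powershell', 'pwsh')

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param()

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only ExecAction entries carry Execute/Arguments; COM handler actions are skipped.
            if (-not $action.Execute) { continue }

            $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLowerInvariant()
            $reasons = @()

            if ($SuspectNames -contains $task.TaskName) {
                $reasons += 'task name matches reported persistence task'
            }
            if ($ScriptHosts -contains $exe) {
                $reasons += 'action launches PowerShell'
                # Encoded or hidden-window invocations are common in script-based backdoors
                # (heuristic assumed here, not taken from the article).
                if ($action.Arguments -match '(?i)-(enc|encodedcommand|w(indowstyle)?\s+hidden)') {
                    $reasons += 'encoded or hidden PowerShell arguments'
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

# Print every flagged task with the reasons it was flagged; review each hit manually before acting.
Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

A hit on the name alone is not proof of compromise; compare the task's action path and author against what is expected on that host before treating it as an indicator.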
The malware, though not advanced, was likely developed by a large language model. According to IBM X-Force researchers, Slopoly showed tell-tale signs of AI-generated software, with its code containing comments, logging, error handling and accurately named variables.
"The use of several additional backdoors during the intrusion, and the fact that Slopoly was deployed during the later stages of the attack indicate that the threat actor likely used the C2 framework in a manner similar to a live-fire exercise style," the researchers said. "Hive0163 used Slopoly to maintain persistent access to the infected server for more than a week."
They warned that the emergence of Slopoly signalled a fundamental shift in the dynamics of the malware threat landscape, as cyber criminals are likely to use rapidly advancing large language models to develop malware in large numbers at a fraction of the cost of software development.
They said that AI-generated malware may not bring noticeable upgrades in malware sophistication in the near future, but adversarial use of AI is expected to act as a force multiplier for attackers, who may deploy malware at scale and modify it to make it more effective.
"AI-generated malware is only the first stage in a new arms race between defenders and attackers," IBM X-Force said. "The second stage is the use of agentic AI, and AI-integrated malware, which allow models to make decisions during all phases of the attack chain or during development and testing of advanced C2 frameworks.
"Similarly to the first stage of AI adoption, threat actors will integrate these into their attacks at varying timelines. While Hive0163 may still be in an early phase of AI adoption, the future potential of state-of-the-art AI technologies in the hands of an already highly disruptive threat actor poses an imminent risk to defenders."
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543