Hive0163 Uses AI-Generated Slo Poly Backdoor for Persistent Access

Hive0163, a financially motivated ransomware group, deployed an AI-assisted backdoor called Slo Poly to maintain persistent access on a compromised server for more than a week, security researchers said.

Researchers who examined the malware samples reported that Slo Poly appears to have been produced with the help of a large language model. The code carries extensive comments, descriptive variable names, and robust logging and error handling, traits the analysts associate with AI-assisted authoring. They also noted that the builder used to produce Slo Poly emits multiple variants with randomized configuration values and function names, but that this is not true polymorphism: the code itself is never transformed, only its identifiers and settings differ from build to build.

Functionally, Slo Poly is a backdoor. According to the analysts, it is initialized through a PowerShell script and establishes persistence via a scheduled task named “Runtime Broker”, a name that matches the legitimate Windows Runtime Broker process.

Once running, the backdoor sends a heartbeat to its command-and-control server roughly every 30 seconds, polls for new commands about every 50 seconds, and executes whatever it receives through cmd.exe. Hive0163 used it during post-exploitation to keep a foothold alive while other tools were staged.
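A fixed heartbeat and polling cadence like the one described above is exactly what behavioral analytics can pull out of connection logs. The script below is an added example, not code from the article or from any vendor. It builds a constructed connection log in which one host beacons to a single endpoint every ~30 s and ~50 s at the same time (the two overlapping cadences the article reports) next to irregular browsing, then recovers the fundamental periods per destination while discarding harmonics (60 s, 90 s, ...) and the cross-stream gaps that two interleaved timers produce. The hostname, addresses, process names and thresholds are assumptions.

```python
"""Hunt for fixed-cadence beaconing in connection logs.

Added example, not code from the article or from any vendor. The log below is
constructed: one host sends a ~30 s heartbeat and a ~50 s command poll to a
single C2 endpoint (the cadence the article reports for Slo Poly) alongside
irregular browsing; hostname, addresses and process names are assumptions.
"""
import random
from collections import defaultdict
from statistics import mean

TOL = 2.5           # seconds of slack when matching a candidate period
MIN_FRACTION = 0.3  # share of events that must have a partner ~period later
MIN_EVENTS = 12     # ignore destinations with too little traffic to judge
PERIODS = range(5, 601)  # candidate periods to test, in whole seconds


def build_sample_log(seed=7):
    """Constructed log of (ts_seconds, host, image, dst, dport) records."""
    rng = random.Random(seed)
    c2 = ("WS01", "powershell.exe", "203.0.113.10", 443)  # assumed endpoint
    log = []
    for i in range(40):  # heartbeat every 30 s, +/-1 s jitter, 20 minutes
        log.append((30.0 * i + rng.uniform(-1, 1),) + c2)
    for i in range(24):  # command poll every 50 s, same endpoint
        log.append((50.0 * i + rng.uniform(-1, 1),) + c2)
    t = 0.0
    for _ in range(10):  # irregular background traffic elsewhere
        t += rng.expovariate(1 / 120)
        log.append((t, "WS01", "chrome.exe", "198.51.100.7", 443))
    return sorted(log)


def partner_gaps(times, period):
    """Gaps for events that have a later event ~period seconds after them."""
    gaps, j = [], 0
    for t in times:  # two-pointer scan; times must be sorted ascending
        lo, hi = t + period - TOL, t + period + TOL
        while j < len(times) and times[j] < lo:
            j += 1
        if j < len(times) and times[j] <= hi:
            gaps.append(times[j] - t)
    return gaps


def find_periods(times):
    """Return the fundamental periods (s) at which `times` repeat, ascending."""
    times = sorted(times)
    threshold = MIN_FRACTION * len(times)
    scored = {}
    for p in PERIODS:
        gaps = partner_gaps(times, p)
        if len(gaps) >= threshold:
            # More hits is better; among equals, the tighter fit wins.
            scored[p] = (len(gaps), -mean([abs(g - p) for g in gaps]))
    # Neighbouring candidates (29, 30, 31 ...) describe one cadence: keep the best.
    clusters = []
    for p in sorted(scored):
        if clusters and p - clusters[-1][-1] <= TOL:
            clusters[-1].append(p)
        else:
            clusters.append([p])
    best = [max(c, key=scored.get) for c in clusters]
    # Drop harmonics: 60 s and 90 s are just the 30 s timer seen 2 or 3 beats apart.
    fundamentals = []
    for p in best:
        harmonic = any(abs(p - k * q) <= TOL
                       for q in fundamentals for k in range(2, p // q + 2))
        if not harmonic:
            fundamentals.append(p)
    return fundamentals


def hunt(log):
    """Group connections by (host, image, dst, dport); report periodic ones."""
    groups = defaultdict(list)
    for ts, host, image, dst, dport in log:
        groups[(host, image, dst, dport)].append(ts)
    findings = {}
    for key, times in groups.items():
        if len(times) >= MIN_EVENTS:
            periods = find_periods(times)
            if periods:
                findings[key] = periods
    return findings


if __name__ == "__main__":
    for (host, image, dst, dport), periods in hunt(build_sample_log()).items():
        print(f"{host} {image} -> {dst}:{dport}: repeats every {periods} s")
```

The partner test (does an event have a follower one period later?) is used instead of plain inter-arrival statistics because two timers to the same host interleave and wreck the inter-arrival distribution; the thresholds above make the 10 s, 20 s and 40 s gaps that appear between the two streams fall below the reporting bar while the true 30 s and 50 s cadences survive.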

Hive0163’s larger toolkit, researchers said, includes loaders and remote access tools such as Node Snake, Interlock Rat, Junk Fiction Loader, and the Interlock Ransomware family. Node Snake has been described as a first-stage loader that establishes persistence, retrieves Interlock Rat, and then deploys additional payloads including Slo Poly and the ransomware component. The actor supports multiple platforms with implementations in PowerShell, PHP, C/C++, Java, and JavaScript.

For initial access, analysts reported that Hive0163 relies on social engineering lures that trick victims into running malicious PowerShell commands, on malvertising, and on the services of initial access brokers. The activity has ties to known access-brokering behavior associated with TA569, often referred to as SocGholish, and with TAG-124, linked in reporting to the techniques called Kong Tuke and Land Update 808.

Observers are flagging this case as part of a broader trend of AI-assisted malware development. IBM X-Force noted that while “AI malware is not technically advanced, it lowers barriers to entry for cybercriminals.” Security teams warn that generative AI can speed development and enable less-skilled actors to assemble functional malware frameworks more quickly.

Despite its AI-assisted origin, Slo Poly remains detectable for now, analysts said. Its evasion relies on randomized build-time configuration rather than runtime code transformation, so behavioral detection, logging, and threat hunting remain effective. Researchers urge organizations to harden endpoint controls, monitor for anomalous scheduled tasks and PowerShell activity, and use behavioral analytics to spot the fixed-cadence heartbeat and command polling.
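One concrete form of the scheduled-task monitoring recommended above, as an added example that is not part of the article or of any vendor's tooling: triaging exported task definitions (the Task Scheduler XML that Event ID 4698 carries, or that schtasks /Query /XML prints) for the traits a backdoor-style task tends to show, such as a script host as the action, hidden-window or policy-bypass switches, a script under a user-writable path, and a task name that mimics a Windows component outside the \Microsoft\Windows tree. The "Runtime Broker" sample reuses only the task name the article reports; its command line, script path and trigger, and the lookalike-name list, are assumptions.

```python
"""Triage exported Scheduled Task definitions for backdoor-style persistence.

Added example, not code from the article or from any vendor. The task XML
below is constructed in the Task Scheduler schema; the "Runtime Broker" entry
reuses the task name the article reports for Slo Poly, but its command line,
script path and trigger are assumptions, not observed values.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts a scheduled task rarely needs to launch directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Switches typical of hidden or policy-bypassing PowerShell launches.
SUSPICIOUS_ARGS = [
    re.compile(r"-e(?:nc|ncodedcommand|c)\b", re.I),         # base64 payload
    re.compile(r"-w(?:in|indowstyle)?\s+hidden\b", re.I),    # hidden window
    re.compile(r"-e(?:p|xecutionpolicy)\s+bypass\b", re.I),  # policy bypass
    re.compile(r"-nop(?:rofile)?\b", re.I),                  # skip profile
]
# Locations an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"\\(?:Users|ProgramData|Temp)\\|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP)%", re.I)
# Windows component names attackers mimic in task names (assumed list).
LOOKALIKE_STEMS = {"runtimebroker", "svchost", "dllhost", "taskhostw", "wininit"}

# Constructed samples: two benign-looking tasks and one backdoor-style task.
SAMPLE_TASKS = [
    r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Maintenance\DiskCleanup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger/></Triggers>
  <Actions><Exec><Command>%windir%\system32\cleanmgr.exe</Command>
    <Arguments>/autoclean</Arguments></Exec></Actions>
</Task>""",
    r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Contoso Updater</URI></RegistrationInfo>
  <Triggers><LogonTrigger/></Triggers>
  <Actions><Exec><Command>"C:\Program Files\Contoso\updater.exe"</Command>
    <Arguments>--check</Arguments></Exec></Actions>
</Task>""",
    r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Runtime Broker</URI></RegistrationInfo>
  <Triggers><LogonTrigger/></Triggers>
  <Actions><Exec><Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File %APPDATA%\svc\init.ps1</Arguments>
  </Exec></Actions>
</Task>""",
]


def parse_task(xml_text):
    """Pull the task path and its Exec action out of a task definition."""
    root = ET.fromstring(xml_text.strip())
    action = root.find("t:Actions/t:Exec", NS)

    def text(node, tag):
        if node is None:
            return ""
        return (node.findtext(tag, default="", namespaces=NS) or "").strip()

    return {
        "uri": text(root, "t:RegistrationInfo/t:URI"),
        "command": text(action, "t:Command").strip('"'),
        "args": text(action, "t:Arguments"),
    }


def triage(task):
    """Return the reasons a parsed task looks like backdoor persistence."""
    reasons = []
    exe = task["command"].rsplit("\\", 1)[-1].lower()
    name = task["uri"].rsplit("\\", 1)[-1]
    if exe in SCRIPT_HOSTS:
        reasons.append(f"action launches script host {exe}")
    if any(p.search(task["args"]) for p in SUSPICIOUS_ARGS):
        reasons.append("hidden/encoded/policy-bypass arguments")
    if USER_WRITABLE.search(task["command"] + " " + task["args"]):
        reasons.append("runs content from a user-writable path")
    stem = re.sub(r"[^a-z0-9]", "", name.lower())
    if stem in LOOKALIKE_STEMS and not task["uri"].lower().startswith("\\microsoft\\windows\\"):
        reasons.append(f"name '{name}' mimics a Windows component but lives outside \\Microsoft\\Windows")
    return reasons


def triage_all(xml_tasks):
    """Map each task path to its findings (empty list when nothing stood out)."""
    return {t["uri"]: triage(t) for t in map(parse_task, xml_tasks)}


if __name__ == "__main__":
    for uri, reasons in triage_all(SAMPLE_TASKS).items():
        print(uri, "->", "; ".join(reasons) or "nothing notable")
```

Each rule on its own produces noise (plenty of legitimate tasks run PowerShell), so the output is a list of reasons per task rather than a verdict; a task that trips several at once, as the constructed "Runtime Broker" entry does, is the one worth pulling the script for.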

Hive0163’s use of Slo Poly highlights how generative AI is changing the pace and scale of cybercrime. Security teams and defenders should treat AI-assisted toolkits as an operational risk that amplifies existing ransomware and extortion threats, researchers concluded.

#Ransomware #AIMalware #Cybersecurity #ThreatIntel