Slopoly: AI-Generated PowerShell Backdoor Powering Interlock Ransomware Attacks

CyberSecureFox 🦊

IBM X-Force researchers have identified a new PowerShell-based backdoor named Slopoly, which they assess was very likely created with the help of generative artificial intelligence. The malware has been observed in multi-stage attacks delivering the Interlock ransomware, enabling threat actors to maintain stealthy access for more than a week, exfiltrate data, and then launch encryption and extortion.

AI-Generated Slopoly Backdoor: A New Type of PowerShell Malware

Slopoly is a PowerShell backdoor that operates as a client for a command-and-control (C2) framework. It is typically deployed in the later stages of an intrusion, once attackers already have a foothold, and is used to secure persistent remote access to compromised Windows systems.

IBM X-Force links this activity to the financially motivated group Hive0163, known for data theft, extortion and the use of multiple ransomware families. The Slopoly backdoor acts as a flexible transport mechanism for their broader toolset.

Code analysis revealed several hallmarks of large language model (LLM)-assisted development: well-structured and verbose comments, consistent error handling, clean logging, and clear, standardised variable names. Such engineering quality is uncommon in hastily written commodity malware and typically requires significantly more development time without automation.

Polymorphism Claims vs. Real Capabilities

Although internal comments describe Slopoly as a “Polymorphic C2 Persistence Client”, the script itself does not implement true polymorphic behaviour. It does not rewrite or mutate its own code at runtime.

Instead, the builder that generates Slopoly can randomise configuration values and function names, producing slightly different variants for each deployment. This basic variability can hinder simple signature-based detection, but does not amount to genuine polymorphic or metamorphic malware seen in more advanced threats.

Attack Chain: From ClickFix Social Engineering to Ransomware Deployment

The observed campaigns began with social engineering using a technique known as ClickFix. Victims were instructed to follow “fix” steps to resolve a supposed problem, ultimately tricking them into executing malicious code. Related methods, such as FileFix, similarly abuse users’ trust in troubleshooting instructions and support-like guidance.

After initial access, attackers deployed Slopoly to the path C:\ProgramData\Microsoft\Windows\Runtime\, a location designed to resemble legitimate Windows components. Persistence was achieved via a scheduled task named “Runtime Broker,” mirroring a genuine Windows process to avoid suspicion during manual checks.

Persistence and C2 Communication

Once running, Slopoly collects basic system information and maintains regular contact with its C2 infrastructure. It sends heartbeat requests approximately every 30 seconds and polls the C2 server for new commands roughly every 50 seconds.

Commands are executed via cmd.exe, and output is returned to the operators. Supported functionality includes:

  • Downloading and executing EXE, DLL and JavaScript payloads
  • Running arbitrary shell commands
  • Adjusting C2 polling intervals
  • Updating or replacing the backdoor
  • Gracefully terminating its own process

This makes Slopoly a versatile staging tool that can deliver additional implants, credential theft utilities or ransomware.

Interlock Ransomware Ecosystem: C2 Tools and Loader Infrastructure

In the same victim environments, IBM X-Force observed other remote access tools, including NodeSnake and InterlockRAT. This layered C2 architecture makes the intrusion more resilient for the attackers: if one channel is detected or blocked, the operators can pivot to alternatives.

The Interlock ransomware itself is distributed via a loader known as JunkFiction, delivered as a 64-bit Windows executable. Interlock can be launched through a scheduled task running with SYSTEM privileges, granting maximum access to files and services.

To maximise the impact of encryption, Interlock leverages the Windows Restart Manager API, which allows it to close or release file handles used by other processes. Once files are encrypted, their names are modified with extensions such as .!NT3RLOCK or .int3R1Ock, serving as both a compromise indicator and a recognisable “brand” for the ransomware.

Generative AI as an Enabler for Cybercriminal Operations

The Slopoly case illustrates a broader shift: generative AI lowers the barrier to entry for malware development. LLMs can produce structured, readable and logically consistent code, even when the underlying functionality is relatively simple. This boosts the quality of tools available to threat actors who might not have strong software engineering skills.

IBM X-Force also notes potential ties between Hive0163 and other malware projects, including Broomstick, SocksShell, PortStarter, SystemBC and operations related to the Rhysida ransomware. Such overlaps point to a mature, service-like ecosystem where AI-assisted tooling can be rapidly integrated and reused across campaigns.

Defensive Measures Against PowerShell Backdoors and Interlock Ransomware

The main risk posed by tools like Slopoly and Interlock is prolonged, undetected access, combined with data theft and delayed ransomware activation. Even if encryption is stopped, previously exfiltrated data enables “double extortion,” where attackers threaten to leak sensitive information.

To reduce exposure, organisations should strengthen controls across several areas:

  • Security awareness training: educate users about ClickFix-style lures, fake troubleshooting pop-ups and unsolicited instructions that request script execution or macro enabling. Industry reports such as the Verizon Data Breach Investigations Report consistently show social engineering among the top initial access vectors.
  • PowerShell hardening: enforce AppLocker or Windows Defender Application Control (WDAC), enable Constrained Language Mode where possible, and centralise logging of PowerShell and script activity for continuous monitoring.
  • Scheduled task and filesystem monitoring: regularly review new or modified tasks, especially those mimicking system components (for example, “Runtime Broker”), and inspect unusual paths like C:\ProgramData\Microsoft\Windows\Runtime\.
  • EDR/XDR deployment: use modern endpoint and extended detection and response tools to flag frequent outbound beacons, suspicious cmd.exe invocations, and high-volume file modifications typical of ransomware encryption.
  • Resilience measures: maintain tested backups, apply network segmentation, and keep operating systems and applications patched to limit lateral movement and reduce the blast radius of a breach.
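As an added example (not code from the IBM X-Force report or from Slopoly itself), the following Python script implements the beacon check suggested in the EDR/XDR bullet: it looks for the fixed-interval C2 contact described above (roughly every 30 seconds for heartbeats and 50 seconds for command polls) in web-proxy logs. The log format, host names, the 203.0.113.20 address and the URL paths are constructed for the example.

```python
"""Flag periodic outbound beacons in web-proxy logs: a Slopoly-style client
contacts its C2 on a near-fixed schedule (roughly every 30 s for heartbeats,
50 s for command polls), so its inter-request gaps have almost no variance."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample log "<ISO ts> <src> <dst> <path>": two beacon streams (WS-17), browsing (WS-04).
SAMPLE_LOG = """\
2025-01-10T09:00:00 WS-17 203.0.113.20 /api/heartbeat
2025-01-10T09:00:30 WS-17 203.0.113.20 /api/heartbeat
2025-01-10T09:01:00 WS-17 203.0.113.20 /api/heartbeat
2025-01-10T09:01:31 WS-17 203.0.113.20 /api/heartbeat
2025-01-10T09:02:00 WS-17 203.0.113.20 /api/heartbeat
2025-01-10T09:00:05 WS-17 203.0.113.20 /api/tasks
2025-01-10T09:00:55 WS-17 203.0.113.20 /api/tasks
2025-01-10T09:01:45 WS-17 203.0.113.20 /api/tasks
2025-01-10T09:02:35 WS-17 203.0.113.20 /api/tasks
2025-01-10T09:00:03 WS-04 intranet.example /portal
2025-01-10T09:00:41 WS-04 intranet.example /portal
2025-01-10T09:03:12 WS-04 intranet.example /portal
2025-01-10T09:05:00 WS-04 intranet.example /portal
2025-01-10T09:05:09 WS-04 intranet.example /portal
"""

def parse_log(text):
    """Yield (timestamp, src, dst, path) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, path = line.split()
            yield datetime.fromisoformat(ts), src, dst, path

def find_beacons(text, min_requests=4, max_cv=0.15):
    """Return {(src, dst, path): (count, mean_gap_s, cv)} for periodic streams.
    Streams are keyed on URL path as well as host: the 30 s heartbeat and the
    50 s poll go to the same C2, and merged into one stream they look irregular."""
    stamps_by_stream = defaultdict(list)
    for ts, src, dst, path in parse_log(text):
        stamps_by_stream[(src, dst, path)].append(ts)
    findings = {}
    for key, stamps in stamps_by_stream.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = sum(gaps) / len(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")  # stdev / mean
        if cv <= max_cv:
            findings[key] = (len(stamps), round(avg, 1), round(cv, 3))
    return findings
```

Legitimate software (update checks, telemetry agents) also beacons on fixed schedules, so treat a hit as a triage lead to correlate with destination reputation and the originating process rather than as a verdict on its own.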

The emergence of Slopoly and the Interlock ecosystem demonstrates that AI-generated malware has moved from theory to practice. By incorporating generative AI into threat models, tightening script and C2 monitoring, and investing in incident detection and response capabilities, organisations can significantly reduce the impact of such campaigns and improve their overall cyber resilience.
