IBM links likely AI-generated Slopoly malware to Interlock ransomware attack


IBM X-Force says a new malware strain called Slopoly was used during an Interlock ransomware intrusion, where it helped attackers keep access to a compromised server for more than a week and support data theft. The company describes Slopoly as a likely AI-generated PowerShell backdoor, but stops short of claiming proof about which model created it.

That distinction matters. The strongest confirmed claim here is not that AI wrote the malware with certainty, but that the script shows strong signs of large language model-assisted development. IBM points to traits such as extensive comments, structured logging, error handling, clearly named variables, and unused code that resembles iterative AI-assisted output.

IBM attributes the intrusion to a financially motivated cluster it tracks as Hive0163, which it says has deployed Interlock ransomware in major attacks. According to IBM, the group used Slopoly late in the attack chain after an initial ClickFix social engineering lure, alongside other malware including NodeSnake, InterlockRAT, JunkFiction, and the Interlock ransomware payload itself.

What IBM says Slopoly did

Function            Reported behavior
Persistence         Creates a scheduled task named Runtime Broker
C2 communications   Sends heartbeat beacons every 30 seconds
Command polling     Checks for commands every 50 seconds
Command execution   Runs received commands through cmd.exe
Data return         Sends command output back to the C2
Logging             Maintains a rotating persistence.log file
Deployment path     C:\ProgramData\Microsoft\Windows\Runtime\

These technical details come from IBM’s analysis of the PowerShell script used in the incident. IBM says the malware was likely generated by a builder that inserted static configuration values such as session IDs, mutex names, command-and-control addresses, and beacon intervals.
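The host-level artifacts IBM lists (the task name, the drop directory, and the rotating log file) are concrete enough to check for directly. The following hunt script is an added example written for this article, not code from IBM's report or from the Slopoly sample. It takes only the task name, deployment path, and log file name from the table above; the choice of checks, the assumption that a scheduled task with this display name is absent from a baseline Windows image, and the use of Security event 4698 are illustrative assumptions.

```powershell
# Added hunt script (not from IBM's report): checks one Windows host for the
# Slopoly artifacts listed in the article. Run from an elevated session so the
# Security log and all processes are readable.
#Requires -RunAsAdministrator

$taskName = 'Runtime Broker'                              # from the article
$dropDir  = 'C:\ProgramData\Microsoft\Windows\Runtime'    # from the article
$logName  = 'persistence.log'                             # from the article
$findings = New-Object System.Collections.Generic.List[string]

# 1. Scheduled task with the reported display name. Windows ships a
#    RuntimeBroker.exe process, but this script assumes no *scheduled task*
#    with this name exists on a clean build; confirm against your own baseline.
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    foreach ($action in $task.Actions) {
        $findings.Add("Scheduled task '$taskName' runs: $($action.Execute) $($action.Arguments)")
    }
}

# 2. The drop directory and anything inside it, including the rotating log
#    (rotated copies named persistence.log.1 etc. are an assumption).
if (Test-Path -LiteralPath $dropDir) {
    $findings.Add("Drop directory present: $dropDir")
    Get-ChildItem -LiteralPath $dropDir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $tag = if ($_.Name -like "$logName*") { 'persistence log' } else { 'file' }
            $findings.Add("  ${tag}: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))")
        }
}

# 3. Security event 4698 (scheduled task created). Only present when
#    "Audit Other Object Access Events" is enabled; otherwise this is empty.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Message -match [regex]::Escape($taskName) -or $e.Message -match [regex]::Escape($dropDir)) {
        $findings.Add("Event 4698 at $($e.TimeCreated): task creation referencing '$taskName' or '$dropDir'")
    }
}

# 4. Any live PowerShell process whose command line references the drop path.
Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'" |
    Where-Object { $_.CommandLine -and $_.CommandLine -like "*$dropDir*" } |
    ForEach-Object { $findings.Add("Running PowerShell (PID $($_.ProcessId)) references $dropDir") }

if ($findings.Count -eq 0) {
    Write-Output "No Slopoly indicators from the article were found on $env:COMPUTERNAME."
} else {
    Write-Output "Possible Slopoly indicators on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output $_ }
}
```

Each check is independent, so a hit on any one of them is worth a closer look rather than a verdict: a directory under C:\ProgramData can be created by unrelated software, while a scheduled task that launches PowerShell from that path is much harder to explain away. On the network side, the 30-second heartbeat and 50-second polling cadence from the table are the values to look for in proxy or firewall logs when timing analysis is available.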

Why the “AI-generated” label needs care

IBM’s report does not claim that Slopoly is advanced because of AI. In fact, the company says the script is “mediocre at best” from a technical standpoint and lacks the self-modifying behavior suggested by its own “polymorphic” label. IBM also says it could not determine which model was used, though it believes the quality suggests a less advanced one.

So the real story is not that AI suddenly created elite malware. It is that AI may have helped attackers build custom malware faster and with less effort. IBM frames this as an early sign that threat actors can now produce workable tools more quickly, even if those tools are not especially sophisticated.

Attack chain at a glance

  • Initial access came through a ClickFix social engineering tactic.
  • Attackers later deployed Slopoly to maintain access for more than a week.
  • IBM says the same intrusion also involved NodeSnake, InterlockRAT, and the JunkFiction loader.
  • The final ransomware stage used a 64-bit Windows Interlock payload.

IBM says the ransomware sample it observed could run as a scheduled task with SYSTEM privileges and used the Windows Restart Manager API to unlock files before encrypting them. The encrypted files reportedly received either the .!NT3RLOCK or .int3R1Ock extension.

[Figure: Attack chain deploying Slopoly in a later stage. Source: IBM X-Force]

Why this incident matters

This case matters because it shows a practical use of AI in cybercrime, not a theoretical one. IBM’s assessment suggests attackers may already be using generative AI to speed up malware development, create custom backdoors, and adjust tooling during live intrusions. That does not make the malware better than established families overnight, but it can shorten development time and lower the skill barrier for attackers.

It also fits a broader pattern around Interlock. IBM and IBM X-Force Exchange describe Interlock as a big-game ransomware operation tied to multi-stage intrusions, multiple backdoors, and extortion-focused campaigns. Slopoly appears to be one more tool in that ecosystem rather than a standalone breakthrough.

FAQ

Was Slopoly definitely written by AI?

No public report proves that with certainty. IBM says the script shows strong indicators of large language model-assisted development, but it could not identify the exact model.

What did Slopoly do in the attack?

IBM says it acted as a PowerShell backdoor that maintained persistence, contacted a command-and-control server, executed commands, and returned the results.

How did the attack begin?

IBM says the intrusion started with a ClickFix social engineering lure, then expanded through additional malware and ransomware components.

Was Slopoly sophisticated malware?

IBM says no. The company describes it as technically unsophisticated and says it mainly shows how AI can speed up malware creation rather than produce advanced capabilities by itself.
