SYMBOLCOMMON_NAMEaka. SYNONYMS
ps1.slopoly (Back to overview)

Slopoly

Actor(s): Hive0163

According to IBM X-Force, Slopoly is a likely LLM-generated PowerShell-based command-and-control framework that functions as a fully functional backdoor, collecting system information and sending it as JSON data to a C2 server via HTTP POST heartbeats while polling for commands to execute through the system shell. The malware includes extensive comments, logging, error handling, and accurately named variables, which are characteristic indicators of AI-generated software, though it lacks advanced techniques and cannot actually modify its own code despite being labeled as polymorphic. It establishes persistence by creating a scheduled task and maintains a rotating log file, allowing the threat actor to retain access to the infected server for an extended period. The malware's quality suggests it was generated by a less advanced large language model, and it was deployed by the Hive0163 threat actor during the later stages of a ransomware attack.

References
2026-03-12IBM X-ForceGolo Mühr
A Slopoly start to AI-enhanced ransomware attacks
Slopoly Hive0163

There is no Yara-Signature yet.