Slopoly
Intelligence Profile
According to IBM X-Force, Slopoly is a likely LLM-generated PowerShell-based command-and-control framework that functions as a fully functional backdoor, collecting system information and sending it as JSON data to a C2 server via HTTP POST heartbeats while polling for commands to execute through the system shell. The malware includes extensive comments, logging, error handling, and accurately named variables, which are characteristic indicators of AI-generated software, though it lacks advanced techniques and cannot actually modify its own code despite being labeled as polymorphic. It establishes persistence by creating a scheduled task and maintains a rotating log file, allowing the threat actor to retain access to the infected server for an extended period. The malware's quality suggests it was generated by a less advanced large language model, and it was deployed by the Hive0163 threat actor during the later stages of a ransomware attack.
Threat Analysis
Slopoly is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of financial.
Financially motivated threat actors like Slopoly prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.
With high sophistication, Slopoly is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.