Dive Brief:
- Prolific cybercrime gangs have begun using AI to help them generate malware, signaling a “fundamental shift of dynamics” in the threat environment, IBM’s X-Force threat intelligence team said in a report published on Thursday.
- The malware, which IBM called Slopoly, is “relatively unspectacular” but nonetheless a harbinger of a future in which automated code development can rapidly accelerate the hacking life cycle, according to the report.
- IBM linked the malware to Hive0163, a group of hackers who have used the Interlock ransomware in several recent major attacks.
Dive Insight:
With researchers warning that AI is making it easier for hackers to create and launch powerful cyberattacks, reports like IBM’s help illustrate the criminal ecosystem’s progressively broader embrace of AI — as well as the continuing failure of AI companies to prevent their models from facilitating crimes.
“Although still in the early stages, the adversarial use of AI is accelerating—and it’s poised to significantly reshape the threat landscape, forcing defenders to fundamentally rethink today’s security paradigms,” IBM said in its report.
The Slopoly malware appeared in a ransomware attack that IBM observed Hive0163 conduct in early 2026, with the malware enabling the group to maintain access to a hacked server for more than a week. IBM’s analysis of the code revealed that the hackers’ instructions had “successfully circumvented” whatever security restrictions the AI model possessed.
IBM doesn’t know which AI system the hackers used, researchers wrote, but the low quality of the code “suggests it was produced by a less advanced model.”
A recent report from Palo Alto Networks similarly warned that hackers were “using AI to reduce manual work during [ransomware] deployment.”
IBM echoed Palo Alto Networks’ point that, while AI-generated code is usually technically unsophisticated, hackers’ use of AI is still helping them dramatically speed up their attack timelines.
The discovery of Slopoly and similar code “should send a signal that these could soon become a predominant part of cybercrime actors’ arsenals,” IBM researchers wrote.
Importantly, AI’s increasing code-writing power might encourage hackers to generate new malware for every attack rather than repeatedly relying on the same carefully developed, handwritten code — which could make it harder for defenders to identify attackers and link their activities.
“Disparate, largely similar malicious [malware] will become significantly more difficult to attribute to a single developer in the future, knowing that the effort needed to create it is just a fraction of what it used to be,” IBM researchers wrote.
Hive0163 uses custom backdoor malware to maintain long-term access to victim networks, often stealing large quantities of data from corporate victims. IBM described the group as a loose coalition of “several dynamic subclusters with access to private crypters, malware frameworks and ransomware variants, likely developed at least partially by members of the group.”





