A Slopoly Start to AI-enhanced Ransomware Attacks

    Date: 03/18/2026

    Severity: High

    Summary

A financially motivated threat group tracked as Hive0163 has been observed using likely AI-generated malware, dubbed Slopoly, during ransomware attacks, an early example of AI-assisted malware development in real-world operations. Slopoly was deployed in the later stages of the intrusion to maintain persistence, alongside Interlock ransomware and custom loaders, pointing to faster and more scalable malware creation with AI. While the malware itself is still relatively basic, it signals the start of a trend in which threat actors use AI to expand their attack capabilities.

    Indicators of Compromise (IOC) List

    URLs/Domains

    plurfestivalgalaxy.com

    bridal-custody-private-bodies.trycloudflare.com

    corner-teacher-guam-characterization.trycloudflare.com

    yen-hansen-cartoon-aims.trycloudflare.com

    cigarette-assumed-biotechnology-checklist.trycloudflare.com

    meet-noted-tax-qualification.trycloudflare.com

    liverpool-patterns-lanes-specified.trycloudflare.com

    jane-practitioner-lightning-preservation.trycloudflare.com

    misc-elliott-mouth-leading.trycloudflare.com

    playback-attributes-interviews-processing.trycloudflare.com

    postal-ssl-converted-quantity.trycloudflare.com

    forget-canal-chancellor-mas.trycloudflare.com

    chronic-dividend-amendments-das.trycloudflare.com

    planners-mixing-edmonton-endless.trycloudflare.com

    baseline-include-priority-bar.trycloudflare.com

    specials-storm-height-warriors.trycloudflare.com

    safe-accepted-salem-early.trycloudflare.com

    bits-promotions-turned-editions.trycloudflare.com

    logan-practitioners-percent-cartridges.trycloudflare.com

    eugene-examinations-contained-timber.trycloudflare.com

    moore-cgi-pen-drove.trycloudflare.com

    screenshots-executive-joins-hammer.trycloudflare.com

    coffee-lloyd-families-excluded.trycloudflare.com

    communist-flying-provision-calendar.trycloudflare.com

    lamp-voters-biodiversity-phillips.trycloudflare.com

    rpm-chicken-during-staying.trycloudflare.com

    module-source-tree-diverse.trycloudflare.com

    offers-listing-screenshot-alpha.trycloudflare.com

    electrical-protect-molecular-underground.trycloudflare.com

    silk-lift-porter-correctly.trycloudflare.com

    wives-bufing-humans-prot.trycloudflare.com

    describe-absent-operational-seventh.trycloudflare.com

    edinburgh-packaging-sense-idol.trycloudflare.com

    gzip-picked-istanbul-maple.trycloudflare.com

IP Addresses

    94.156.181.89

    77.42.75.119

    23.227.203.123

    172.86.68.64

SHA-256 Hash

    0884e5590bdf3763f8529453fbd24ee46a3a460bba4c2da5b0141f5ec6a35675

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1:

domainname like "logan-practitioners-percent-cartridges.trycloudflare.com" or siteurl like "logan-practitioners-percent-cartridges.trycloudflare.com" or url like "logan-practitioners-percent-cartridges.trycloudflare.com" or domainname like "corner-teacher-guam-characterization.trycloudflare.com" or siteurl like "corner-teacher-guam-characterization.trycloudflare.com" or url like "corner-teacher-guam-characterization.trycloudflare.com" or domainname like "edinburgh-packaging-sense-idol.trycloudflare.com" or siteurl like "edinburgh-packaging-sense-idol.trycloudflare.com" or url like "edinburgh-packaging-sense-idol.trycloudflare.com" or domainname like "bits-promotions-turned-editions.trycloudflare.com" or siteurl like "bits-promotions-turned-editions.trycloudflare.com" or url like "bits-promotions-turned-editions.trycloudflare.com" or domainname like "plurfestivalgalaxy.com" or siteurl like "plurfestivalgalaxy.com" or url like "plurfestivalgalaxy.com" or domainname like "misc-elliott-mouth-leading.trycloudflare.com" or siteurl like "misc-elliott-mouth-leading.trycloudflare.com" or url like "misc-elliott-mouth-leading.trycloudflare.com" or domainname like "meet-noted-tax-qualification.trycloudflare.com" or siteurl like "meet-noted-tax-qualification.trycloudflare.com" or url like "meet-noted-tax-qualification.trycloudflare.com" or domainname like "gzip-picked-istanbul-maple.trycloudflare.com" or siteurl like "gzip-picked-istanbul-maple.trycloudflare.com" or url like "gzip-picked-istanbul-maple.trycloudflare.com" or domainname like "yen-hansen-cartoon-aims.trycloudflare.com" or siteurl like "yen-hansen-cartoon-aims.trycloudflare.com" or url like "yen-hansen-cartoon-aims.trycloudflare.com" or domainname like "playback-attributes-interviews-processing.trycloudflare.com" or siteurl like "playback-attributes-interviews-processing.trycloudflare.com" or url like "playback-attributes-interviews-processing.trycloudflare.com" or domainname like "safe-accepted-salem-early.trycloudflare.com" or siteurl like "safe-accepted-salem-early.trycloudflare.com" or url like "safe-accepted-salem-early.trycloudflare.com" or domainname like "lamp-voters-biodiversity-phillips.trycloudflare.com" or siteurl like "lamp-voters-biodiversity-phillips.trycloudflare.com" or url like "lamp-voters-biodiversity-phillips.trycloudflare.com" or domainname like "jane-practitioner-lightning-preservation.trycloudflare.com" or siteurl like "jane-practitioner-lightning-preservation.trycloudflare.com" or url like "jane-practitioner-lightning-preservation.trycloudflare.com"

Detection Query 2:

domainname like "module-source-tree-diverse.trycloudflare.com" or siteurl like "module-source-tree-diverse.trycloudflare.com" or url like "module-source-tree-diverse.trycloudflare.com" or domainname like "chronic-dividend-amendments-das.trycloudflare.com" or siteurl like "chronic-dividend-amendments-das.trycloudflare.com" or url like "chronic-dividend-amendments-das.trycloudflare.com" or domainname like "moore-cgi-pen-drove.trycloudflare.com" or siteurl like "moore-cgi-pen-drove.trycloudflare.com" or url like "moore-cgi-pen-drove.trycloudflare.com" or domainname like "postal-ssl-converted-quantity.trycloudflare.com" or siteurl like "postal-ssl-converted-quantity.trycloudflare.com" or url like "postal-ssl-converted-quantity.trycloudflare.com" or domainname like "offers-listing-screenshot-alpha.trycloudflare.com" or siteurl like "offers-listing-screenshot-alpha.trycloudflare.com" or url like "offers-listing-screenshot-alpha.trycloudflare.com" or domainname like "coffee-lloyd-families-excluded.trycloudflare.com" or siteurl like "coffee-lloyd-families-excluded.trycloudflare.com" or url like "coffee-lloyd-families-excluded.trycloudflare.com" or domainname like "rpm-chicken-during-staying.trycloudflare.com" or siteurl like "rpm-chicken-during-staying.trycloudflare.com" or url like "rpm-chicken-during-staying.trycloudflare.com" or domainname like "planners-mixing-edmonton-endless.trycloudflare.com" or siteurl like "planners-mixing-edmonton-endless.trycloudflare.com" or url like "planners-mixing-edmonton-endless.trycloudflare.com" or domainname like "screenshots-executive-joins-hammer.trycloudflare.com" or siteurl like "screenshots-executive-joins-hammer.trycloudflare.com" or url like "screenshots-executive-joins-hammer.trycloudflare.com" or domainname like "electrical-protect-molecular-underground.trycloudflare.com" or siteurl like "electrical-protect-molecular-underground.trycloudflare.com" or url like "electrical-protect-molecular-underground.trycloudflare.com" or domainname like "specials-storm-height-warriors.trycloudflare.com" or siteurl like "specials-storm-height-warriors.trycloudflare.com" or url like "specials-storm-height-warriors.trycloudflare.com" or domainname like "forget-canal-chancellor-mas.trycloudflare.com" or siteurl like "forget-canal-chancellor-mas.trycloudflare.com" or url like "forget-canal-chancellor-mas.trycloudflare.com" or domainname like "silk-lift-porter-correctly.trycloudflare.com" or siteurl like "silk-lift-porter-correctly.trycloudflare.com" or url like "silk-lift-porter-correctly.trycloudflare.com" or domainname like "describe-absent-operational-seventh.trycloudflare.com" or siteurl like "describe-absent-operational-seventh.trycloudflare.com" or url like "describe-absent-operational-seventh.trycloudflare.com" or domainname like "communist-flying-provision-calendar.trycloudflare.com" or siteurl like "communist-flying-provision-calendar.trycloudflare.com" or url like "communist-flying-provision-calendar.trycloudflare.com" or domainname like "wives-bufing-humans-prot.trycloudflare.com" or siteurl like "wives-bufing-humans-prot.trycloudflare.com" or url like "wives-bufing-humans-prot.trycloudflare.com" or domainname like "bridal-custody-private-bodies.trycloudflare.com" or siteurl like "bridal-custody-private-bodies.trycloudflare.com" or url like "bridal-custody-private-bodies.trycloudflare.com" or domainname like "liverpool-patterns-lanes-specified.trycloudflare.com" or siteurl like "liverpool-patterns-lanes-specified.trycloudflare.com" or url like "liverpool-patterns-lanes-specified.trycloudflare.com" or domainname like "eugene-examinations-contained-timber.trycloudflare.com" or siteurl like "eugene-examinations-contained-timber.trycloudflare.com" or url like "eugene-examinations-contained-timber.trycloudflare.com" or domainname like "baseline-include-priority-bar.trycloudflare.com" or siteurl like "baseline-include-priority-bar.trycloudflare.com" or url like "baseline-include-priority-bar.trycloudflare.com" or domainname like "cigarette-assumed-biotechnology-checklist.trycloudflare.com" or siteurl like "cigarette-assumed-biotechnology-checklist.trycloudflare.com" or url like "cigarette-assumed-biotechnology-checklist.trycloudflare.com"

Detection Query 3:

    dstipaddress IN ("77.42.75.119","94.156.181.89","23.227.203.123","172.86.68.64") or srcipaddress IN ("77.42.75.119","94.156.181.89","23.227.203.123","172.86.68.64")

Detection Query 4:

    sha256hash IN ("0884e5590bdf3763f8529453fbd24ee46a3a460bba4c2da5b0141f5ec6a35675")
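The four queries above are exact-string matches on five fields. As an added example that is not part of the advisory and not Gurucul's query language, the Python below sweeps constructed log records for the same indicators, but normalizes hostnames (case, port, trailing dot), IP address text and hash case before comparing, which a bare `like` or `IN` does not do. It goes one step beyond the page's list: any other trycloudflare.com quick-tunnel hostname is reported at low confidence. That heuristic is an assumption of this example, not of the advisory, and it will be noisy where developers legitimately use quick tunnels. The field names mirror the queries above and the sample records are constructed, not real telemetry.

```python
"""IOC sweep for the Hive0163 / Slopoly indicators listed in this advisory.

Added example for this page; not part of the original advisory and not
Gurucul's TDIR query language. Field names (domainname, siteurl, url,
srcipaddress, dstipaddress, sha256hash) mirror the queries above; the
records in SAMPLE_LOGS are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Indicators copied verbatim from the IOC list above (34 hostnames).
IOC_DOMAINS = frozenset("""
plurfestivalgalaxy.com bridal-custody-private-bodies.trycloudflare.com
corner-teacher-guam-characterization.trycloudflare.com yen-hansen-cartoon-aims.trycloudflare.com
cigarette-assumed-biotechnology-checklist.trycloudflare.com meet-noted-tax-qualification.trycloudflare.com
liverpool-patterns-lanes-specified.trycloudflare.com jane-practitioner-lightning-preservation.trycloudflare.com
misc-elliott-mouth-leading.trycloudflare.com playback-attributes-interviews-processing.trycloudflare.com
postal-ssl-converted-quantity.trycloudflare.com forget-canal-chancellor-mas.trycloudflare.com
chronic-dividend-amendments-das.trycloudflare.com planners-mixing-edmonton-endless.trycloudflare.com
baseline-include-priority-bar.trycloudflare.com specials-storm-height-warriors.trycloudflare.com
safe-accepted-salem-early.trycloudflare.com bits-promotions-turned-editions.trycloudflare.com
logan-practitioners-percent-cartridges.trycloudflare.com eugene-examinations-contained-timber.trycloudflare.com
moore-cgi-pen-drove.trycloudflare.com screenshots-executive-joins-hammer.trycloudflare.com
coffee-lloyd-families-excluded.trycloudflare.com communist-flying-provision-calendar.trycloudflare.com
lamp-voters-biodiversity-phillips.trycloudflare.com rpm-chicken-during-staying.trycloudflare.com
module-source-tree-diverse.trycloudflare.com offers-listing-screenshot-alpha.trycloudflare.com
electrical-protect-molecular-underground.trycloudflare.com silk-lift-porter-correctly.trycloudflare.com
wives-bufing-humans-prot.trycloudflare.com describe-absent-operational-seventh.trycloudflare.com
edinburgh-packaging-sense-idol.trycloudflare.com gzip-picked-istanbul-maple.trycloudflare.com
""".split())
IOC_IPS = frozenset({"94.156.181.89", "77.42.75.119", "23.227.203.123", "172.86.68.64"})
IOC_SHA256 = frozenset({"0884e5590bdf3763f8529453fbd24ee46a3a460bba4c2da5b0141f5ec6a35675"})


def normalize_host(value):
    """Reduce a bare host, host:port or full URL to a lower-case hostname with no trailing dot."""
    if not value:
        return None
    v = value.strip()
    if "://" not in v:
        v = "//" + v  # let urlsplit parse host[:port] when no scheme is present
    try:
        host = urlsplit(v).hostname or ""  # urlsplit lower-cases the hostname
    except ValueError:  # malformed IPv6 literal, for example
        return None
    return host.rstrip(".") or None


def match_record(rec):
    """Return ordered, de-duplicated (confidence, kind, value) hits for one log record."""
    hits = []

    def add(hit):
        if hit not in hits:
            hits.append(hit)

    for field in ("domainname", "siteurl", "url"):
        host = normalize_host(rec.get(field))
        if host is None:
            continue
        if host in IOC_DOMAINS:
            add(("high", "domain", host))
        elif host.endswith(".trycloudflare.com"):
            # Assumption beyond the advisory: 33 of the 34 listed hosts are Cloudflare
            # quick tunnels, so any other quick tunnel is surfaced at low confidence.
            add(("low", "quick-tunnel", host))
    for field in ("srcipaddress", "dstipaddress"):
        try:  # canonical text form so "::ffff:1.2.3.4"-style variants compare sanely
            ip = str(ipaddress.ip_address((rec.get(field) or "").strip()))
        except ValueError:
            continue
        if ip in IOC_IPS:
            add(("high", "ip", ip))
    digest = (rec.get("sha256hash") or "").strip().lower()
    if digest in IOC_SHA256:
        add(("high", "sha256", digest))
    return hits


def sweep(records):
    """Run match_record over a sequence of records; returns (record_index, hit) pairs."""
    return [(i, hit) for i, rec in enumerate(records) for hit in match_record(rec)]


# Constructed sample records, one per log source type (not real telemetry).
SAMPLE_LOGS = [
    {"url": "https://Logan-Practitioners-Percent-Cartridges.trycloudflare.com:443/api",
     "srcipaddress": "10.0.0.5", "dstipaddress": "203.0.113.9"},  # proxy: listed host, mixed case, port
    {"domainname": "not-in-the-list.trycloudflare.com."},  # DNS: trailing dot, unlisted quick tunnel
    {"srcipaddress": "10.0.0.7", "dstipaddress": "94.156.181.89"},  # firewall: listed IP as destination
    {"sha256hash": "0884E5590BDF3763F8529453FBD24EE46A3A460BBA4C2DA5B0141F5EC6A35675"},  # EDR: upper-case hash
    {"url": "https://www.example.com/", "dstipaddress": "1.1.1.1"},  # benign
]

if __name__ == "__main__":
    for index, (confidence, kind, value) in sweep(SAMPLE_LOGS):
        print(f"record {index}: {confidence:<4} {kind:<12} {value}")
```

Run it directly to print the hits for the five sample records (four hits; the benign record produces none). When porting the queries above into a SIEM, check how that dialect treats `like` without a wildcard and whether `IN` compares case-sensitively: some sources log hashes in upper case, and a case-sensitive comparison would miss the hash listed in Query 4.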

Reference:

    https://www.ibm.com/think/x-force/slopoly-start-ai-enhanced-ransomware-attacks


Tags

Malware, Threat Actor, Ransomware, AI, Interlock

