AI-generated malware off to a sloppy start for ransomware actors, IBM says
IBM’s X-Force revealed AI-generated malware being used in a ransomware attack.
A March 12 report from an IBM research team reveals how even ransomware actors are seeking a GenAI shortcut.
The good news: IBM’s X-Force threat analysts described the AI-generated malware script they studied as “mediocre” and “unspectacular.”
The bad news: The malware—named “Slopoly” by the group—shows how easily threat actors can use AI tools to throw together malware frameworks “in a fraction of the time it used to take,” IBM’s Malware Reverse Engineer Golo Mühr wrote in the report.
Oh, and about that good news: The mediocrity is “likely temporary,” according to another member of the X-Force team.
“As models improve and attackers become better at prompting them, we can expect these scripts to become more sophisticated. For example, future iterations will likely incorporate advanced obfuscation, dynamic configuration settings, and improved evasion techniques,” Agnes Ramos-Beauchamp, malware reverse engineer at IBM X-Force Threat Intelligence, wrote in an email to IT Brew.
Here’s what else IBM’s team found:
- An extortion and ransomware group tracked as “Hive0163” used the Slopoly malware framework.
- Slopoly was implemented as a “technically basic” PowerShell script, Ramos-Beauchamp wrote, and maintained persistent access to a compromised system for more than a week, according to the IBM report.
Ya basic. A mediocre, unspectacular malware script can still ruin an IT professional’s day.
“Even a simple PowerShell backdoor can allow an attacker to execute remote commands, download additional payloads, steal sensitive data, move laterally across a network, and maintain persistence on a compromised system,” Ramos-Beauchamp wrote.
X-Force isn’t the only group observing early examples of AI-generated malware in real-world incidents:
- In its 2026 Global Incident Response report, Palo Alto Networks noted instances of ransomware groups using operational scripts, consistent with AI-assisted development, to deploy payloads and impair security controls. The company’s research group also discovered groups using the tools for more consistent, disciplined messaging. With AI, threat actors “moved from experimentation to routine operational use” last year, according to the report.
- In November 2025, Google described malware families like PromptFlux using large language models (LLMs) during execution.
- Cybersecurity company Trend Micro also recently shared findings of “EvilAI” groups using AI-generated malware.
Anna Pham, senior tactical response analyst at managed security platform Huntress, is seeing AI-assisted, script-based implants and backdoors. From what she’s witnessed, GenAI can effectively create scripts, but it cannot yet write complex malware in programming languages like Go and Rust: “It requires a lot of tuning from the threat-actor side.”
X-Force has also observed attackers increasingly using AI tools to generate malware, automate malicious infrastructure, and enhance phishing or social-engineering campaigns, according to Ramos-Beauchamp—more bad news for cybersecurity pros.
“While the use of AI in malware development is still in its early stages,” Ramos-Beauchamp wrote, “adversarial adoption is accelerating and is likely to reshape the threat landscape, forcing defenders to rethink traditional security assumptions and adapt to a future where malicious tooling can be generated more quickly and at greater scale.”
About the author
Billy Hurley
Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.