Current Cyber Threats

Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer

Summary:
Trend Micro researchers have identified a novel distribution campaign for the Atomic macOS Stealer (AMOS), targeting users of the OpenClaw AI agent framework. Historically, AMOS was distributed through "cracked" software or malvertising; however, threat actors are now weaponizing the emerging "agentic AI" ecosystem. By uploading hundreds of malicious "skills" to repositories like ClawHub and SkillsMP, attackers exploit the trust users place in automated AI workflows. These malicious skills contain instructions in SKILL.md files that appear benign but prompt the AI agent to download a fake command-line interface (CLI) tool. Once the agent attempts installation, a social engineering prompt, often appearing as a legitimate system setup requirement, tricks the user into manually entering their administrative password. This grants the malware the permissions needed to harvest extensive sensitive data, including browser credentials, keychain items, cryptocurrency wallets, and messaging profiles from Telegram and Discord.


Security Officer Comments:
This campaign represents a significant shift in the supply-chain threat landscape, specifically targeting the developer and power-user demographic that is currently experimenting with autonomous AI agents. Many of our member organizations in the IT, Food & Agriculture, and Election sectors are increasingly integrating AI to streamline workflows. This research highlights that the "lethal trifecta"—an agent’s ability to read untrusted content, communicate externally, and access local files—is being actively exploited. The impact on our members is twofold: first, the compromise of developer workstations can lead to the theft of SSH keys and cloud credentials, potentially facilitating downstream lateral movement into enterprise production environments. Second, because these malicious skills are essentially markdown files, they often bypass traditional static analysis and reputation-based security tools, making them an effective "living-off-the-land" style delivery mechanism for infostealers.


Suggested Corrections:
To defend against the weaponization of AI agent frameworks and the deployment of the Atomic macOS Stealer, organizations should consider the following strategic and technical mitigations:
  • Implement AI Framework Governance: Treat AI agent repositories (like ClawHub or SkillsMP) with the same risk profile as unverified GitHub repositories or third-party package managers. Organizations should audit the use of "Agentic AI" tools on corporate devices and restrict their use to sanctioned, vetted frameworks.
  • Enforce Sandbox Environments: If developers or researchers must use experimental AI agents like OpenClaw, ensure they are executed within isolated virtual machines or containers that lack access to the host’s Keychain, sensitive local files, or production credentials.
  • User Awareness and "ClickFix" Training: Educate employees to recognize social engineering tactics that request administrative passwords during the execution of seemingly automated tasks. Users should be instructed that legitimate AI agents should not require manual password entry to "fix" or "install" command-line utilities.
  • Behavioral Endpoint Monitoring: Configure Endpoint Detection and Response (EDR) tools to alert on suspicious macOS-specific behaviors, such as the unauthorized use of osascript to prompt for credentials or unexpected access attempts to the ~/Library/Keychains/ directory.
  • Network Level Interdiction: Monitor for and block outbound traffic to known AMOS Command & Control (C2) infrastructure. Specifically, look for unusual POST requests directed toward IP-based URLs (rather than domain names) originating from user-level processes.
  • Credential Protection: Transition away from disk-stored secrets toward hardware-based security keys (e.g., YubiKeys) for MFA. This ensures that even if an infostealer successfully harvests session tokens or passwords, the attacker cannot bypass the physical hardware requirement to access sensitive corporate resources.
  • Principle of Least Privilege: Limit the ability of standard users to execute shell scripts or install new CLI tools without oversight, particularly those downloaded via automated AI workflows.
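
The following is an added example, not taken from the Trend Micro report or from this advisory. It sketches the Behavioral Endpoint Monitoring and Network Level Interdiction items above as triage logic over constructed endpoint telemetry. The event schema, the process name "fakecli", the keychain allowlist, the uid threshold, and the AppleScript "display dialog ... with hidden answer" match string are assumptions to adapt to your own EDR's fields.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample telemetry (not from the report); field names are assumptions.
EVENTS = [
    {"type": "exec", "proc": "osascript", "args": 'display dialog "Setup requires your password" default answer "" with hidden answer'},
    {"type": "exec", "proc": "osascript", "args": 'tell application "Finder" to activate'},
    {"type": "file_open", "proc": "fakecli", "path": "/Users/dev/Library/Keychains/login.keychain-db"},
    {"type": "file_open", "proc": "securityd", "path": "/Users/dev/Library/Keychains/login.keychain-db"},
    {"type": "http", "proc": "fakecli", "uid": 501, "method": "POST", "url": "http://203.0.113.7/upload"},
    {"type": "http", "proc": "curl", "uid": 501, "method": "POST", "url": "https://api.example.com/v1/items"},
    {"type": "http", "proc": "curl", "uid": 501, "method": "GET", "url": "http://198.51.100.2/index.html"},
]
# Assumed allowlist of processes expected to open keychain files; tune per fleet.
KEYCHAIN_ALLOWED = {"securityd", "secd", "security"}
KEYCHAIN_RE = re.compile(r"^/Users/[^/]+/Library/Keychains/")

def is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 literal rather than a domain name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(event):
    """Return a rule name if the event matches a behavior from the advisory, else None."""
    kind = event["type"]
    if kind == "exec" and event["proc"] == "osascript":
        args = event["args"].lower()
        # A dialog with a masked input field is how AppleScript asks for a secret.
        if "display dialog" in args and "hidden answer" in args:
            return "osascript_credential_prompt"
    elif kind == "file_open":
        if KEYCHAIN_RE.match(event["path"]) and event["proc"] not in KEYCHAIN_ALLOWED:
            return "unexpected_keychain_access"
    elif kind == "http":
        # Assumption: uid >= 501 marks a regular macOS user account (user-level process).
        if event["method"] == "POST" and event["uid"] >= 501 and is_ip_literal(event["url"]):
            return "post_to_ip_literal"
    return None

def triage(events):
    """Return (index, rule) for every event that matched a rule."""
    return [(i, rule) for i, e in enumerate(events) if (rule := classify(e))]

if __name__ == "__main__":
    for idx, rule in triage(EVENTS):
        print(rule, EVENTS[idx])
```

Each rule alone is noisy; correlating two or more hits from the same process tree within a short window gives a higher-confidence alert.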

Link(s):
https://www.trendmicro.com/en_us/re...-used-to-distribute-atomic-macos-stealer.html