OpenClaw: A Viral AI Assistant and a Magnet for Infostealer Malware and ClickFix Trickery
Summary:
Intel 471's Malware Intelligence team documented a cluster of threat activity exploiting the rapid rise of OpenClaw, an open-source autonomous AI agent platform that accumulated roughly 265,000 GitHub stars by early March 2026.
Rather than targeting software vulnerabilities, threat actors are employing brand-as-a-lure social engineering through typosquatted domains, counterfeit OpenClaw websites, malicious social media advertisements, and ClickFix-style command-prompt lures to deliver information-stealing malware to both Windows and macOS users.
Two previously unreported campaigns were detailed: the first used a fraudulent site at app-clawbot[.]org to deliver Stealc_v2 via a ClickFix prompt instructing users to paste a malicious curl command; the second promoted a fake AI agent called Clearl AI through paid X/Twitter advertisements backed by bot amplification, delivering the AMOS stealer on macOS and a novel obfuscated JavaScript-based infostealer packaged as an Electron application on Windows.
Additionally, corroborating reporting from Trend Micro, Hudson Rock, and Huntress confirms thousands of malicious skills uploaded to ClawHub and GitHub, some exploiting OpenClaw's SKILL[.]md runtime loading mechanism to chain users into executing attacker-controlled installation scripts, as well as Vidar stealer campaigns targeting OpenClaw configuration files for agent context and credential harvesting.
Security Officer Comments:
The threat to organizations evaluating or deploying OpenClaw is multidimensional and escalating. At the endpoint level, the deployed infostealers, Stealc, AMOS, Vidar, and at least one novel JavaScript-based stealer, are capable of harvesting browser credentials, session tokens, cookies, and cryptocurrency wallet data, enabling account takeover and follow-on intrusions.
The emerging and more strategically significant risk is the deliberate targeting of OpenClaw configuration files, which can expose agent secrets, API keys, cloud integration paths, and operational context, effectively enabling attackers to pivot from a single compromised workstation into SaaS environments, cloud infrastructure, and enterprise networks with minimal additional reconnaissance.
The malicious skills supply chain attack surface is particularly concerning given that ClawHub currently lists over 15,000 installable skills, and Trend Micro alone identified more than 2,200 malicious entries on GitHub as of late February 2026.
Multichannel delivery, including malvertising that placed a malicious repository as a top Bing AI search result, significantly expands the potential victim pool beyond technically sophisticated developers, and threat actors are expected to accelerate OpenClaw-specific infostealer module development as adoption grows.
Suggested Corrections:
Intel 471 strongly recommends that OpenClaw not be installed on standard corporate endpoints or employee workstations at this time; if evaluation is required, deployment should be confined to isolated, security-managed virtual machines with strict access controls and no access to production credentials or cloud integrations.
Organizations should use dedicated, low-privilege, short-lived identities for any agent operations, enforce controlled OAuth consent, and rotate credentials routinely under an assumed-compromise posture.
Skills installation should be treated as equivalent to executing third-party code, with sources restricted to a vetted allowlist and all updates reviewed before deployment.
On the detection side, defenders should alert on browser-to-shell execution chains (e.g., browser processes spawning cmd[.]exe or powershell[.]exe followed by curl[.]exe), monitor for new Electron app directories created under %APPDATA%\Roaming\, and block or alert on outbound HTTP connections to IP-based C2 endpoints from newly downloaded executables.
Confirmed IoCs for immediate blocking include the domains app-clawbot[.]org, ai-clawbot[.]org, ai-openclaw[.]org, and clearl[.]co, C2 IPs 146[.]103[.]127[.]46, 172[.]94[.]9[.]250, and 188[.]137[.]246[.]189, and file hashes for the Stealc_v2, AMOS, and Clearl Windows payloads listed in the report.
User awareness training should specifically address ClickFix-style prompts and the social engineering tactic of framing malicious terminal commands as legitimate software installation steps.
Link(s):
https://www.intel471.com/blog/openc...for-infostealer-malware-and-clickfix-trickery
Intel 471's Malware Intelligence team documented a cluster of threat activity exploiting the rapid rise of OpenClaw, an open-source autonomous AI agent platform that accumulated roughly 265,000 GitHub stars by early March 2026.
Rather than targeting software vulnerabilities, threat actors are employing brand-as-a-lure social engineering through typosquatted domains, counterfeit OpenClaw websites, malicious social media advertisements, and ClickFix-style command-prompt lures to deliver information-stealing malware to both Windows and macOS users.
Two previously unreported campaigns were detailed: the first used a fraudulent site at app-clawbot[.]org to deliver Stealc_v2 via a ClickFix prompt instructing users to paste a malicious curl command; the second promoted a fake AI agent called Clearl AI through paid X/Twitter advertisements backed by bot amplification, delivering the AMOS stealer on macOS and a novel obfuscated JavaScript-based infostealer packaged as an Electron application on Windows.
Additionally, corroborating reporting from Trend Micro, Hudson Rock, and Huntress confirms thousands of malicious skills uploaded to ClawHub and GitHub, some exploiting OpenClaw's SKILL[.]md runtime loading mechanism to chain users into executing attacker-controlled installation scripts, as well as Vidar stealer campaigns targeting OpenClaw configuration files for agent context and credential harvesting.
Security Officer Comments:
The threat to organizations evaluating or deploying OpenClaw is multidimensional and escalating. At the endpoint level, the deployed infostealers, Stealc, AMOS, Vidar, and at least one novel JavaScript-based stealer, are capable of harvesting browser credentials, session tokens, cookies, and cryptocurrency wallet data, enabling account takeover and follow-on intrusions.
The emerging and more strategically significant risk is the deliberate targeting of OpenClaw configuration files, which can expose agent secrets, API keys, cloud integration paths, and operational context, effectively enabling attackers to pivot from a single compromised workstation into SaaS environments, cloud infrastructure, and enterprise networks with minimal additional reconnaissance.
The malicious skills supply chain attack surface is particularly concerning given that ClawHub currently lists over 15,000 installable skills, and Trend Micro alone identified more than 2,200 malicious entries on GitHub as of late February 2026.
Multichannel delivery, including malvertising that placed a malicious repository as a top Bing AI search result, significantly expands the potential victim pool beyond technically sophisticated developers, and threat actors are expected to accelerate OpenClaw-specific infostealer module development as adoption grows.
Suggested Corrections:
Intel 471 strongly recommends that OpenClaw not be installed on standard corporate endpoints or employee workstations at this time; if evaluation is required, deployment should be confined to isolated, security-managed virtual machines with strict access controls and no access to production credentials or cloud integrations.
Organizations should use dedicated, low-privilege, short-lived identities for any agent operations, enforce controlled OAuth consent, and rotate credentials routinely under an assumed-compromise posture.
Skills installation should be treated as equivalent to executing third-party code, with sources restricted to a vetted allowlist and all updates reviewed before deployment.
On the detection side, defenders should alert on browser-to-shell execution chains (e.g., browser processes spawning cmd[.]exe or powershell[.]exe followed by curl[.]exe), monitor for new Electron app directories created under %APPDATA%\Roaming\, and block or alert on outbound HTTP connections to IP-based C2 endpoints from newly downloaded executables.
Confirmed IoCs for immediate blocking include the domains app-clawbot[.]org, ai-clawbot[.]org, ai-openclaw[.]org, and clearl[.]co, C2 IPs 146[.]103[.]127[.]46, 172[.]94[.]9[.]250, and 188[.]137[.]246[.]189, and file hashes for the Stealc_v2, AMOS, and Clearl Windows payloads listed in the report.
User awareness training should specifically address ClickFix-style prompts and the social engineering tactic of framing malicious terminal commands as legitimate software installation steps.
Link(s):
https://www.intel471.com/blog/openc...for-infostealer-malware-and-clickfix-trickery