Threat Actors Abuse Fake OpenClaw Installers to Deploy GhostSocks and Data-Stealing Malware
Threat actors leveraged fake OpenClaw installers hosted on GitHub to distribute information-stealing malware and the GhostSocks backconnect proxy between February 2 and 10, 2026, with Bing’s AI search engine inadvertently amplifying the campaign by recommending the malicious repository as a top result.
OpenClaw, originally released as Clawdbot in November 2025 and briefly rebranded as MoltBot, became a global phenomenon after taking its current name, accumulating tens of thousands of GitHub forks and hundreds of thousands of stars. That explosive popularity made it an ideal lure for threat actors.
On February 9, Huntress researchers were alerted when a user’s system showed signs of infection after the user downloaded and executed a fake OpenClaw installer from a GitHub repository that had been placed under a purpose-built organization of the same name to lend it credibility.
The critical factor enabling broad victimization was Bing’s AI search feature, which surfaced the malicious GitHub repository as the top result for the query “OpenClaw Windows.”
This mirrors a December 2025 campaign in which attackers poisoned ChatGPT and Grok shared chat results to distribute AMOS stealer, but in this instance, simply hosting malware on GitHub was sufficient to poison Bing AI results.
The malicious account, created in September 2025, attempted to build trust by opening issues on the official OpenClaw repository before those were removed as spam.
Upon execution of OpenClaw_x64.exe, a bloated binary originally named TradeAI.exe with near-zero VirusTotal detections, multiple malware payloads were deployed to the Windows system.
Researchers identified a novel packer called Stealth Packer, a Rust-based loader that injects malware directly into memory, adds firewall rules, creates hidden “ghost” scheduled tasks, performs COM hijacking, and conducts anti-VM checks by monitoring mouse movement before executing its decrypted payloads.
Three notable executables were observed:
- cloudvideo.exe – A Vidar stealer payload that retrieves command-and-control (C2) information dynamically from Telegram channels and Steam user profiles
- svc_service.exe – A Rust-based loader running PureLogs Stealer in memory, identified via a StealthPackerMutex_9A8B7C mutex and a PDB path of stealth_packer
- serverdrive.exe – A GhostSocks backconnect proxy decrypted from an embedded resource, copied as update.exe, and persisted via a Windows Run registry key
GhostSocks, a malware-as-a-service (MaaS) written in Go and introduced in October 2023, converts compromised machines into residential proxies.
It enables threat actors to route login attempts through the victim’s own IP address, effectively circumventing MFA challenges and anti-fraud systems that rely on geolocation or device fingerprinting.
The tool was previously documented in leaked Black Basta ransomware operator chat logs and has been observed partnered with LummaStealer since February 2024.
In this campaign, the deployed GhostSocks variant used TLS-encrypted C2 connections, a departure from earlier HTTP-based variants, and included an embedded debug flag --johnpidar that exposes its full configuration, including its primary and fallback C2 servers.
For macOS targets, the fake installer’s README directed users to run a bash one-liner pulling a Mach-O binary from a separate GitHub organization.
Static analysis confirmed the binary as a variant of Atomic macOS Stealer (AMOS), which terminates Terminal, prompts for administrative credentials and validates them, and uses an AppleScript to exfiltrate files, including PDFs, JSON and Office documents, from TCC-protected directories. Apple’s XProtect.yara (version 5329) has since added the detection rule MACOS.SOMA.CLBIFEA to block this file.
Huntress reported all identified malicious repositories and organizations to GitHub, which removed them within eight hours. Organizations should implement the following controls:
- Do not trust GitHub releases blindly – repository code does not guarantee the safety of binary releases
- Enable endpoint detection – Windows Defender for Endpoint and Managed AV successfully quarantined many payloads in this campaign
- Apply macOS XProtect updates – version 5329 now detects OpenClawBot via MACOS.SOMA.CLBIFEA
- Monitor for GhostSocks persistence – check for suspicious update.exe entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run and encrypted configs at %AppData%\config
- Audit AI search recommendations – treat AI-generated installation suggestions for new tools with the same skepticism applied to unknown download sources
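The persistence check in the list above can be scripted. The following is an added example, not code from Huntress or from this site: it parses the text produced by `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and reports Run values that launch update.exe, the file name GhostSocks persisted under in this campaign. It also flags any Run value whose executable lives under a user-writable AppData path; that broader heuristic is an assumption of this example, not something the article states. The sample export, its value names and paths are all constructed for the demo.

```python
"""Flag suspicious HKCU Run-key entries in an exported .reg file.

Added example (not from the Huntress write-up): the article recommends
checking the HKCU Run key for update.exe entries left by GhostSocks.
Input is the text of a `reg export` of that key.
"""
import re
from typing import List, NamedTuple

# Constructed sample export; value names and paths are invented for the demo.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"update"="C:\\Users\\alice\\AppData\\Roaming\\update.exe"
"Notes"="C:\\Users\\alice\\AppData\\Local\\Programs\\notes\\notes.exe --minimized"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                    # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=<data>

# File name the campaign's GhostSocks copy persisted under (from the article).
GHOSTSOCKS_NAME = "update.exe"


class Finding(NamedTuple):
    key: str
    name: str
    command: str
    reason: str


def unescape_reg_string(raw: str) -> str:
    """Turn a .reg REG_SZ literal ("..." with \\ and \" escapes) into plain text.
    Non-string data (hex:, dword:) is returned unchanged."""
    if not (raw.startswith('"') and raw.endswith('"')):
        return raw
    return re.sub(r'\\(["\\])', r'\1', raw[1:-1])


def executable_of(command: str) -> str:
    """Return the program path from a Run command line, honouring quoting."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def classify(exe_path: str) -> str:
    """Return a reason string if the executable looks suspicious, else ''."""
    basename = exe_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename == GHOSTSOCKS_NAME:
        return "launches update.exe (GhostSocks persistence name reported by Huntress)"
    if "\\appdata\\" in exe_path.lower():
        # Generic heuristic added by this example: autoruns from user-writable
        # AppData paths deserve a second look, even when the name is benign.
        return "runs from user-writable AppData path (generic heuristic)"
    return ""


def find_suspicious_run_entries(reg_text: str) -> List[Finding]:
    """Walk the export, keeping only values under a ...\\CurrentVersion\\Run key."""
    findings: List[Finding] = []
    current_key = ""
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if not current_key.lower().endswith(r"\currentversion\run"):
            continue
        value_match = VALUE_RE.match(line)
        if not value_match:
            continue
        name = re.sub(r'\\(["\\])', r'\1', value_match.group(1))
        command = unescape_reg_string(value_match.group(2))
        reason = classify(executable_of(command))
        if reason:
            findings.append(Finding(current_key, name, command, reason))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_run_entries(SAMPLE_REG):
        print(f"[{f.reason}] {f.key}\\{f.name} -> {f.command}")
```

On the constructed sample the script reports the `update` value (the campaign's persistence name) and the `Notes` value (AppData heuristic), and passes over the OneDrive and SecurityHealth entries. The article's second indicator, encrypted configs under %AppData%\config, is a filesystem check and is not covered by this registry parser.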
Information stealers remain a primary initial access vector for high-impact intrusions, from the 2024 Snowflake breach to the 2026 Romanian oil pipeline ransomware attack, and campaigns abusing trending open-source tools are accelerating as AI popularity grows.
Site: cybersecuritypath.com