Fake OpenClaw installers on GitHub deliver malware via Bing AI search
#Security

Privacy Reporter
2 min read

Scammers exploited OpenClaw's popularity by hosting malicious installers on GitHub, which Bing AI search results then promoted to unsuspecting users.

Malicious actors have been exploiting the popularity of OpenClaw, an AI agent platform, by creating fake installers that deliver malware to unsuspecting users. The campaign, which ran between February 2 and 10, 2026, leveraged GitHub's trusted reputation and Bing AI search results to distribute information stealers and proxy malware.

The scam hosted malicious repositories on GitHub under the organization name "openclaw-installer." Users who searched for "OpenClaw Windows" in Bing's AI-powered search were handed links straight to these repositories. The fake installers looked plausible because the real OpenClaw project has tens of thousands of forks on GitHub, so code hosted there under an OpenClaw-branded name borrows the project's trust; neither the platform nor the fork count says anything about who controls a particular organization.

Huntress security researchers discovered the malware on February 9 after a user downloaded and executed the fake installer. The researchers found that the user had searched for "OpenClaw Windows" through Bing and followed an AI-suggested link directly to the malicious GitHub repository.

The repository itself consisted largely of legitimate code copied from moltworker, a Cloudflare project, which is what a visitor inspecting the source would see. The actual payload sat in the Releases section: a 7-Zip archive containing "OpenClaw_x64.exe". Running that file deployed several pieces of malware, including information stealers and the GhostSocks proxy malware.

Among the information stealers was Vidar, which harvested Telegram and Steam user details and resolved its command-and-control addresses dynamically rather than carrying them hard-coded. The researchers also identified a previously unseen packer, which they named "stealth packer"; it performed anti-VM checks, modified firewall rules, and created hidden scheduled tasks, behaviours that serve evasion and persistence rather than theft.

GhostSocks, dropped under the name "serverdrive.exe," turned compromised machines into residential proxies through which criminals route traffic, so that it appears to come from an ordinary home connection and passes anti-fraud checks keyed on IP reputation. This variant used TLS for its connections and carried embedded configuration data listing its primary helper addresses.
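The behaviours described in the last two paragraphs (creation of a hidden scheduled task, a firewall rule change, and an outbound TLS connection from the renamed proxy binary) are what an endpoint hunt would look for. The following is an added example, not code from Huntress, OpenClaw or the article: a Python pass over constructed Sysmon-style process-creation and network-connection events. Only the two file names the article gives, OpenClaw_x64.exe and serverdrive.exe, come from the page; the command lines, task name, destination address and every other path are assumptions, and the rules are generic behavioural heuristics, not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry modelled on Sysmon Event ID 1 (process create)
# and Event ID 3 (network connect). Only the file names OpenClaw_x64.exe and
# serverdrive.exe come from the article; every other value is invented.
EVENTS = [
    {"id": 1, "image": r"C:\Users\alice\Downloads\OpenClaw_x64.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Users\alice\Downloads\OpenClaw_x64.exe"'},
    # Hidden scheduled task pointing at a binary in a user-writable directory (assumed command).
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\Downloads\OpenClaw_x64.exe",
     "cmd": (r'powershell -NoProfile -Command "Register-ScheduledTask -TaskName SvcUpd '
             r"-Action (New-ScheduledTaskAction -Execute 'C:\Users\alice\AppData\Roaming\serverdrive.exe') "
             r'-Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -Hidden)"')},
    # Firewall exception for the same binary (assumed command).
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Users\alice\Downloads\OpenClaw_x64.exe",
     "cmd": (r'netsh advfirewall firewall add rule name="Core Networking" dir=in action=allow '
             r'program="C:\Users\alice\AppData\Roaming\serverdrive.exe"')},
    # The dropped binary reaching out over 443 (TEST-NET-3 address, constructed).
    {"id": 3, "image": r"C:\Users\alice\AppData\Roaming\serverdrive.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443, "initiated": True},
    # Benign noise that must not fire.
    {"id": 1, "image": r"C:\Program Files\Git\cmd\git.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "git pull"},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "198.51.100.7", "dest_port": 443, "initiated": True},
]

# Directories an unprivileged user can write to; a binary living there that gains
# persistence or a firewall exception is the pattern worth chasing.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\ProgramData\\|\\Temp\\", re.I)
TASK_CREATE = re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I)
TASK_HIDDEN = re.compile(r"SettingsSet[^)]*-Hidden|<Hidden>true</Hidden>", re.I)
FW_ADD = re.compile(r"netsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule", re.I)
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\"'\s]+")  # a path token, ending at quotes or whitespace


@dataclass
class Finding:
    rule: str
    artifact: str  # the user-writable binary the behaviour points at
    source: str    # process whose activity produced the finding
    detail: str


def hunt(events):
    """Return one Finding per suspicious event; benign events yield nothing."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            cmd = ev["cmd"]
            targets = [p for p in WIN_PATH.findall(cmd) if USER_WRITABLE.search(p)]
            if not targets:
                continue
            if TASK_CREATE.search(cmd):
                hidden = bool(TASK_HIDDEN.search(cmd))
                findings.append(Finding("persistence.scheduled_task", targets[0], ev["parent"],
                                        "hidden task" if hidden else "task"))
            if FW_ADD.search(cmd):
                findings.append(Finding("defense_evasion.firewall_rule", targets[0], ev["parent"],
                                        "allow rule added"))
        elif ev["id"] == 3 and ev.get("initiated") and USER_WRITABLE.search(ev["image"]):
            # Expect noise here from legitimate installers; this is a hunting lead, not a block rule.
            findings.append(Finding("command_and_control.outbound_from_user_path", ev["image"],
                                    ev["image"], f"{ev['dest_ip']}:{ev['dest_port']}"))
    return findings


def correlate(findings, min_rules=2):
    """Group findings by the binary they point at. One dropped file tied to persistence,
    a firewall exception and an outbound connection is the case to escalate; a single
    rule firing alone is often just an installer doing installer things."""
    by_artifact = {}
    for f in findings:
        by_artifact.setdefault(f.artifact.lower(), set()).add(f.rule)
    return {k: v for k, v in by_artifact.items() if len(v) >= min_rules}


if __name__ == "__main__":
    found = hunt(EVENTS)
    for f in found:
        print(f"{f.rule:45} {f.artifact}  ({f.detail})")
    for artifact, rules in correlate(found).items():
        print(f"\nESCALATE {artifact}: {len(rules)} behaviours -> {sorted(rules)}")
```

On the constructed sample the three rules all resolve to the same dropped file, which is the signal: the installer in Downloads is not the interesting artifact, the binary it planted in AppData and then protected and persisted is.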

Several red flags indicated the repositories were fake. The GitHub account was created in September 2025 and only became active in February 2026. It promoted another malicious repository under the organization "molt-bot," which was later marked as spam. The account linked to a non-existent X account and used a profile picture from a different account with approximately 200,000 followers.

After Huntress reported the malicious repositories, GitHub removed the accounts and organizations. However, the researchers identified three other organizations and accounts distributing similar malware, with one appearing to be a duplicate of the original "openclaw-installer" repository added a day after the first was taken down.

This incident highlights broader security concerns with OpenClaw, which has faced multiple security issues including exposed instances, credential leaks, and a marketplace filled with malware. The researchers recommend running AI agents in isolated environments, limiting their data access, and avoiding privileged credentials when using such tools.

The campaign demonstrates how quickly scammers exploit new technologies by combining a trusted platform like GitHub with AI-generated search answers to distribute malware. It makes it essential to verify software sources before downloading and installing anything, starting from the project's own documentation or official repository rather than from a search-result link, and treating a release asset that does not match what the repository's code would produce as a reason to stop.
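The red flags the article lists for the fake organization (a long-dormant account, a dead social link, a borrowed profile picture, and a native Windows binary published as a release asset on a repository whose code is a JavaScript/TypeScript worker) can be turned into a screening step that runs before anyone downloads a release. The following is an added example, not code from Huntress, GitHub or the article: a Python check over records shaped like the GitHub REST API's organization, repository and release objects. The sample records are constructed; only the organization name and the September 2025 and February 2026 dates follow the article, while the X handle, avatar digests, the table of known handles, the asset file name and the 90-day threshold are assumptions, and the avatar lookup stands in for an image comparison this example does not perform.

```python
from datetime import datetime

# Release assets that warrant a second look when the repository is a source-only
# web project: a Cloudflare Worker has no reason to ship a Windows binary.
# (Electron-style projects are a known false positive; treat hits as review items.)
NATIVE_EXTS = (".exe", ".msi", ".scr", ".dll")
ARCHIVE_EXTS = (".7z", ".zip", ".rar")
SOURCE_ONLY_LANGS = {"JavaScript", "TypeScript"}
DORMANCY_DAYS = 90  # assumption: gap between account creation and first repository


def _ts(s):
    """Parse the ISO-8601 timestamps the GitHub API returns."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def screen(org, repos, known_handles, avatar_owners):
    """Return 'kind: detail' strings; an empty list means nothing fired.
    known_handles: lowercased X handles confirmed to exist (constructed here).
    avatar_owners: avatar digest -> login the picture is known to belong to."""
    flags = []
    dormant = (min(_ts(r["created_at"]) for r in repos) - _ts(org["created_at"])).days
    if dormant > DORMANCY_DAYS:
        flags.append(f"dormant_account: {dormant} days between creation and first repository")
    handle = org.get("twitter_username")
    if handle and handle.lower() not in known_handles:
        flags.append(f"dead_social_link: @{handle} does not resolve")
    owner = avatar_owners.get(org.get("avatar_digest"))
    if owner and owner.lower() != org["login"].lower():
        flags.append(f"reused_avatar: profile picture belongs to {owner}")
    for repo in repos:
        if repo.get("language") not in SOURCE_ONLY_LANGS:
            continue
        for release in repo.get("releases", []):
            for asset in release.get("assets", []):
                name = asset["name"].lower()
                if name.endswith(NATIVE_EXTS) or name.endswith(ARCHIVE_EXTS):
                    flags.append(f"binary_asset_on_source_repo: {repo['name']} "
                                 f"({repo['language']}) ships {asset['name']}")
    return flags


# Constructed records. Organization name and month-level dates follow the
# article; everything else is invented for the example.
FAKE_ORG = {"login": "openclaw-installer", "created_at": "2025-09-14T10:00:00Z",
            "twitter_username": "openclaw_installer", "avatar_digest": "sha256:0f1e2d3c"}
FAKE_REPOS = [{"name": "openclaw-installer", "language": "TypeScript",
               "created_at": "2026-02-02T10:00:00Z",
               "releases": [{"tag_name": "v1.0", "created_at": "2026-02-02T11:00:00Z",
                             "assets": [{"name": "OpenClaw_x64.7z"}]}]}]
BENIGN_ORG = {"login": "acme-tools", "created_at": "2024-03-01T09:00:00Z",
              "twitter_username": "AcmeTools", "avatar_digest": "sha256:9a8b7c6d"}
BENIGN_REPOS = [{"name": "acme-cli", "language": "Rust", "created_at": "2024-03-05T09:00:00Z",
                 "releases": [{"tag_name": "v2.1", "created_at": "2025-01-10T09:00:00Z",
                               "assets": [{"name": "acme-cli-2.1-x86_64-pc-windows-msvc.zip"}]}]}]
KNOWN_HANDLES = {"openclaw", "acmetools"}
AVATAR_OWNERS = {"sha256:0f1e2d3c": "some-popular-account", "sha256:9a8b7c6d": "acme-tools"}

if __name__ == "__main__":
    for org, repos in ((FAKE_ORG, FAKE_REPOS), (BENIGN_ORG, BENIGN_REPOS)):
        result = screen(org, repos, KNOWN_HANDLES, AVATAR_OWNERS)
        print(f"{org['login']}: {len(result)} flag(s)")
        for line in result:
            print("  -", line)
```

None of these checks proves anything on its own; a real project can have a quiet founder account or ship a zip. What the article's case shows is all four firing at once on an organization whose name is the only thing tying it to the project, and that combination is worth a hard stop before anything from its Releases page is executed.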
