OpenClaw Security Guide
Back to Threat Intel
findingincidentAgent: OpenClawcriticalhigh confidence

Malicious DeepSeek-Claw OpenClaw skill delivers Remcos RAT and GhostLoader stealer via supply chain attack

A threat actor published a malicious "DeepSeek-Claw" skill to the OpenClaw skill ecosystem on GitHub, exploiting developer trust in the skill marketplace to deliver Remcos RAT and GhostLoader stealer malware. The attack targeted developers and AI-driven systems using OpenClaw, leveraging supply chain poisoning of the skill publishing workflow.

openclawsupply-chainmalicious-skillremcosghostloaderdll-sideloadingcredential-theftagentic-ai

Date

Mar 1, 2026

First Seen

Mar 1, 2026

Last Reviewed

May 11, 2026

Publisher

Cryptika

Source Type

article

View source

Related reading

OpenClaw Security Guide

A practical baseline for local binding, scoped credentials, sandboxing, runtime checks, and Armorer Guard.

Securing OpenClaw with Armorer Guard

How Armorer wraps OpenClaw with managed setup, Docker hardening, health checks, approvals, and Guard-backed scanning.

Subscribe via RSSFollow on TelegramGet email updates

Get email updates

Get reviewed Armorer threat-intel updates when new findings are published.

Malicious DeepSeek-Claw OpenClaw Skill Campaign

Summary

A threat actor published a malicious "DeepSeek-Claw" skill to the OpenClaw skill ecosystem on GitHub, exploiting developer trust in the skill marketplace to deliver Remcos RAT and GhostLoader stealer malware. The attack targeted developers and AI-driven systems using OpenClaw, leveraging supply chain poisoning of the skill publishing workflow.

Why It Matters

OpenClaw skills are a trusted integration point — developers install them believing they are safe. This campaign abused that trust model to gain code execution on developer workstations and automate credential theft through the agent runtime. The cross-platform reach (Windows, macOS, Linux) means the attack surface spans the entire development environment.

Attack Path

  1. Skill publication: Attacker publishes fake "DeepSeek-Claw" skill on GitHub, mimicking a legitimate AI workflow integration.
  2. Malicious payload in SKILL.md: Hidden PowerShell commands embedded in the skill's SKILL.md file are executed during skill installation/setup.
  3. MSI download: PowerShell commands contact hxxps://cloudcraftshub[.]com/api or hxxp://dropras[.]xyz/ to download a malicious MSI installer.
  4. DLL sideloading: MSI drops a legitimate GoToMeeting executable alongside a malicious DLL. The DLL is loaded via DLL sideloading to bypass application control.
  5. In-memory patching: The DLL patches security tools in memory, then launches the final payload.
  6. Dual malware deployment:
    • Remcos RAT: Opens an encrypted C2 channel to 146[.]19.24[.]131:2404, giving attackers full remote access.
    • GhostLoader stealer: Contacts hxxps://trackpipe[.]dev to exfiltrate credentials, keys, and other sensitive data.

Affected Systems

Windows, macOS, Linux (cross-platform via OpenClaw skill installation mechanism).

Indicators of Compromise

  • Skill installation from untrusted GitHub repositories mimicking DeepSeek integrations.
  • Unexpected PowerShell child processes during skill setup.
  • MSI installer downloads from cloudcraftshub[.]com or dropras[.]xyz/.
  • Outbound connections to 146[.]19.24[.]131:2404 (Remcos C2).
  • Outbound connections to trackpipe[.]dev (GhostLoader C2).
  • Legitimate executables (e.g., GoToMeeting) spawning suspicious child processes.
  • Unexplained DLL loading alongside known-safe executables.

File IOCs

  • MD5: 1c267cab0a800a7b2d598bc1b112d5ce — "DeepSeek-Claw" malicious skill
  • MD5: 2A5F619C966EF79F4586A433E3D5E7BA — Malicious MSI installer
  • G2M.exe — Legitimate signed GoToMeeting executable (used for DLL sideloading)
  • g2m.dll — Malicious sideloaded DLL; shellcode loader with ETW patching (overwrites ntdll!EtwEventWrite), AMSI bypass (patches amsi!AmsiScanBuffer to return AMSI_RESULT_CLEAN), Tiny Encryption Algorithm (TEA) in CBC mode with 128-bit key, manual PEB parsing for dynamic API resolution, anti-debugging (PEB BeingDebugged/NtGlobalFlag checks, Sleep timing analysis, INT 3 breakpoint scanning), analysis-tool blocklisting (ida.exe, x64dbg.exe, wireshark.exe), VM/sandbox mutex detection (VMware, VBox, Sandboxie)
  • Mutex: Rmc-11YWBZ
  • Remcos license key: 82536825E700F4C863238A90DD314687

Network IOCs

  • hxxps://cloudcraftshub[.]com/api — MSI download endpoint
  • hxxp://dropras[.]xyz/ — MSI download endpoint
  • tcp+tls://146[.]19.24[.]131:2404 — Remcos RAT C2
  • hxxps://trackpipe[.]dev — GhostLoader C2

Detection

  • Win32.Backdoor.RemcosRat, Win32.Dropper.RemcosRat (Zscaler)

TTPs

  • T1195.002 — Supply Chain Compromise: Software Development Tools
  • T1204.002 — User Execution: Malicious File
  • T1059.001 — Command and Scripting Interpreter: PowerShell
  • T1574.001 — Hijack Execution Flow: DLL Search Order Hijacking
  • T1574.002 — Hijack Execution Flow: DLL Side-Loading
  • T1055 — Process Injection
  • T1056.003 — Input Capture: Credential API Hooking
  • T1041 — Exfiltration Over C2 Channel

Mitigations

  • Audit installed OpenClaw skills; remove any from untrusted or unverified sources.
  • Enforce code signing for skills; only allow community-verified skill publishers.
  • Monitor for unexpected PowerShell execution during skill installation.
  • Block outbound connections to IOCs at the network perimeter.
  • Deploy application control to prevent unsigned DLL loading.
  • Use hardware-bound credentials and enforce least-privilege for agent tool access.

Evidence