A rapid wave of lookalike sites, social ads and poisoned “skills” is exploiting OpenClaw’s popularity to push StealC v2, AMOS and other stealers through user-driven install flows.
OpenClaw | ClickFix | StealC | AMOS | Infostealers | Malvertising | Supply chain risk
Metadata (as of 12 March 2026) (intel471.com)
- Affected product: OpenClaw (self-hosted agent runtime)
- Primary issue: Malware distribution and ecosystem abuse (brand-as-lure, malicious skills, fake installers)
- Exploitation status: Observed in the wild (social engineering, no confirmed software vulnerability required) (intel471.com)
- Confidence level: High (multi-source reporting with artefacts and IOCs) (intel471.com)
- Severity: High (credential/session theft, potential SaaS and cloud follow-on) (intel471.com)
- Sectors at risk: Organisations piloting agentic AI, developers, IT and security teams, crypto-adjacent users
- Regions at risk: Global
Executive Summary
Intel 471 has documented two active “OpenClaw-themed” malware delivery campaigns that use lookalike web properties and ClickFix-style prompts to trick users into executing malware, rather than exploiting OpenClaw vulnerabilities. (intel471.com)
Campaign artefacts include a StealC v2 payload delivered via a fraudulent OpenClaw site, plus a separate “Clearl AI” lure promoted through X ads that delivers AMOS on macOS and an obfuscated Electron/JavaScript stealer on Windows. (intel471.com)
Microsoft’s guidance is blunt: treat self-hosted agent runtimes like OpenClaw as untrusted code execution with persistent credentials and do not run them on standard enterprise workstations. (Microsoft)
Parallel reporting shows attackers also abusing OpenClaw’s third-party “skills” supply chain to distribute AMOS at scale, and using trusted distribution channels (for example GitHub and search results) to push fake installers. (www.trendmicro.com)
Context
OpenClaw’s viral growth (and rapid rebrands from Clawdbot to Moltbot to OpenClaw) created an attractive “brand-as-lure” opportunity: high search volume, onboarding urgency, and a user base primed to copy-paste setup commands. (intel471.com)
The security impact is amplified because agent runtimes commonly accumulate sensitive material on the host: tokens, credentials, browser data, cloud connectors, and persistent “memory” or configuration. Microsoft warns that this combination collapses identity, execution and persistence into one high-risk loop unless isolation and least privilege are enforced. (Microsoft)
Separately, open-source reporting indicates infostealers are already being observed stealing OpenClaw configuration artefacts (for example .openclaw directories) as part of broad file-grab routines, increasing the likelihood of downstream SaaS compromise. (BleepingComputer)
Technical Analysis
Campaign 1: Lookalike OpenClaw site uses ClickFix to deliver StealC v2 (Windows)
Intel 471 identified a fraudulent site imitating OpenClaw’s official site and replacing legitimate quick-start guidance with a “Download” flow that leads to a ClickFix prompt. Victims are instructed to run a terminal command that downloads and executes a payload masquerading as OpenClaw.exe. (intel471.com)
The resulting malware was assessed as StealC v2, with Intel 471 publishing the sample hash and an HTTP C2 endpoint used to retrieve instructions and exfiltrate harvested data. (intel471.com)
Analyst view: this aligns cleanly with Microsoft’s ClickFix model, where the “exploit” is the user action itself, enabling campaigns to bypass some automated controls that focus on drive-by downloads or direct exploit chains. (Microsoft)
Campaign 2: “Clearl AI” social ads deliver AMOS (macOS) and an Electron/JS stealer (Windows)
Intel 471 also tracked an OpenClaw lookalike branded as “Clearl AI”, promoted via ads on X and fronted with Cloudflare verification and CAPTCHA friction to legitimise the download path. (intel471.com)
- On macOS, the downloaded DMG was assessed as Atomic macOS Stealer (AMOS), with Intel 471 providing hash and C2 details. (intel471.com)
- On Windows, the installer staged an Electron application under a roaming-profile directory and executed a heavily obfuscated JavaScript stealer that profiled the host and exfiltrated collected data to an IP-based endpoint. Intel 471 noted anti-analysis checks including hostname blacklists. (intel471.com)
Analyst view: Electron-based staging plus social advertising is now a repeatable infostealer distribution pattern, also seen in parallel malvertising campaigns that impersonate other high-trust brands. (Malwarebytes)
Wider OpenClaw ecosystem abuse: malicious skills and fake installers
Intel 471 points to broader ecosystem exploitation beyond these two campaigns, including malicious OpenClaw “skills” that embed attacker-controlled setup instructions and push AMOS. (intel471.com)
Trend Micro documented malicious SKILL.md content prompting installation of a fake prerequisite, using Base64-encoded commands to fetch a remote script and drop AMOS binaries. Trend Micro also reported scale (thousands of malicious skills) that makes manual review impractical without stronger supply-chain controls. (www.trendmicro.com)
Huntress separately described fake OpenClaw installers hosted on GitHub and surfaced via search results, delivering infostealers and the GhostSocks proxy malware on Windows (and AMOS on macOS in the same activity set). (Huntress)
Impact Assessment
The immediate impact is credential and session theft (browser passwords, cookies, crypto wallets, messaging artefacts), typical of StealC and AMOS operations. (intel471.com)
The higher-order risk is that OpenClaw deployments can concentrate cloud and SaaS access into local configuration and memory. Theft of these artefacts can reduce attacker cost for follow-on compromise by exposing integrations, tokens and operational context. (intel471.com)
For enterprise pilots, the main exposure is not limited to a single endpoint: stolen OAuth tokens and API keys can enable account takeover and lateral movement into cloud services, especially where agents were granted broad scopes. (Microsoft)
Indicators of Compromise
| Type | Value | Context / Notes | Source | Confidence |
|---|---|---|---|---|
| Domain | app-clawbot[.]org | OpenClaw lookalike site hosting ClickFix lure | Intel 471 (intel471.com) | Confirmed |
| Domain | ai-clawbot[.]org | OpenClaw-themed domain linked by registration details | Intel 471 (intel471.com) | Confirmed |
| Domain | ai-openclaw[.]org | Listed for block/monitor in IOC guidance | Intel 471 (intel471.com) | Confirmed |
| Domain | clearl[.]co | “Clearl AI” lure site distributing Windows/macOS payloads | Intel 471 (intel471.com) | Confirmed |
| File (SHA-256) | d9f0dd48745d5be7ef74ee9f2cb4640ab310a5a7d2f2f01654e15370ac5853eb | StealC v2 payload masquerading as OpenClaw.exe | Intel 471 (intel471.com) | Confirmed |
| IP (C2) | 146.103.127[.]46 | StealC HTTP C2 host | Intel 471 (intel471.com) | Confirmed |
| URL path | 146.103.127[.]46/5f86ff22ffb6444b.php | StealC C2 path | Intel 471 (intel471.com) | Confirmed |
| File (SHA-256) | 5efe3d6ff69002f2cf82683f2d866264d0836b9f02e8b52719ecbd6fecf72a62 | AMOS DMG (Clearl_AI.dmg) | Intel 471 (intel471.com) | Confirmed |
| IP (C2) | 172.94.9[.]250 | AMOS HTTP C2 host | Intel 471 (intel471.com) | Confirmed |
| URL path | 172.94.9[.]250/log | AMOS C2 path | Intel 471 (intel471.com) | Confirmed |
| File (SHA-256) | 8196b3c51e5b6519e101a5a3e8df77435ac19e9d58bfd9cbaac4b03492abc79a | Windows “Clearl AI” installer | Intel 471 (intel471.com) | Confirmed |
| IP (C2) | 188.137.246[.]189 | Windows JS stealer C2 host | Intel 471 (intel471.com) | Confirmed |
| URL path | 188.137.246[.]189/laravel.php | Windows C2 endpoint (obfuscated params observed) | Intel 471 (intel471.com) | Confirmed |
| Host artefact | %APPDATA%\Roaming\Clearc0Application\ | Electron app staging directory | Intel 471 (intel471.com) | Confirmed |
| Domain | openclawcli[.]vercel[.]app | Fake prerequisite used by malicious skills to deliver AMOS | Trend Micro (www.trendmicro.com) | Confirmed |
Detection guidance
Prioritise telemetry and controls that surface user-driven execution chains, especially where a browser session leads directly to shell activity:
- Alert on browser-to-shell chains (for example
chrome.exeormsedge.exespawningcmd.exe/powershell.exe) followed by network retrieval and execution from user-writable locations. (intel471.com) - Hunt for suspicious
curl.exeusage that downloads executables into%APPDATA%or%TEMP%and immediately launches them. (intel471.com) - Watch for new Electron application directories created under roaming profiles (notably
Clearc0Application) followed by execution of a bundled app binary. (intel471.com) - Network detections: block and alert on outbound HTTP to IP-based C2s and newly registered lookalike domains, particularly immediately after a first-run installer event. (intel471.com)
Incident Response Guidance
If you suspect exposure via OpenClaw-themed lures or skills:
- Isolate affected hosts and preserve volatile data (process list, network connections, recent downloads).
- Revoke and rotate credentials potentially accessible to the agent or browser (SaaS tokens, API keys, session cookies where feasible). Treat agent credentials as compromised by default. (Microsoft)
- Collect key artefacts:
- Windows:
%APPDATA%\OpenClaw.exe,%APPDATA%\Roaming\Clearc0Application\, installer logs, browser extension installs, and new scheduled tasks or autoruns (even if persistence is not obvious). (intel471.com) - macOS: suspicious DMGs,
/tmp/staging (Intel 471 noted/tmp/xdivcmp/for the AMOS lure), and browser credential stores. (intel471.com)
- Windows:
- Scope laterally: review authentication logs for anomalous access using affected identities, and check for suspicious OAuth consent and token refresh patterns. (Microsoft)
Mitigation Recommendations
- Do not run OpenClaw on standard enterprise workstations. If evaluation is unavoidable, use a dedicated VM or isolated device and plan to rebuild it frequently. (intel471.com)
- Use dedicated, low-privilege identities for agents: minimal scopes, short-lived tokens, and aggressive rotation. Assume compromise is possible. (Microsoft)
- Treat skill installation as code execution. Restrict install sources, enforce review of
SKILL.mdinstructions, and block skills that fetch instructions from external sites. (www.trendmicro.com) - Harden against brand-as-lure and ClickFix prompts: user training should explicitly call out fake CAPTCHAs and “copy-paste to install/fix” workflows as high-risk. (Microsoft)
- DNS and web controls: proactively block newly registered OpenClaw-themed lookalike domains and alert on access outside an allowlist. (intel471.com)
Threat Intelligence Context
ClickFix has matured into a repeatable, scalable social-engineering technique designed to force the user to become the execution mechanism, often via copy-paste into terminals or Run dialogs. Microsoft documents ClickFix as a way to slip past conventional automated controls, and MITRE explicitly tracks this behaviour under User Execution: Malicious Copy and Paste (T1204.004). (Microsoft)
For OpenClaw specifically, the ecosystem adds a second abuse path beyond lookalike sites: malicious “skills” that embed external installation steps, turning the agent and its trust relationships into an amplifier for supply-chain-style delivery. (www.trendmicro.com)
MITRE ATT&CK mapping (observed / described)
| Tactic | Technique ID | Technique | Observed behaviour |
|---|---|---|---|
| Initial Access | T1189 (attack.mitre.org) | Drive-by Compromise | Lure to attacker-controlled lookalike sites leading to malware execution via user action. (intel471.com) |
| Resource Development | T1583.001 (attack.mitre.org) | Acquire Infrastructure: Domains | Registration and use of OpenClaw-themed domains for delivery. (intel471.com) |
| Execution | T1204.001 (attack.mitre.org) | User Execution: Malicious Link | Ads/search/social lead victims to attacker properties. (intel471.com) |
| Execution | T1204.002 (attack.mitre.org) | User Execution: Malicious File | Victims run downloaded EXEs or mount DMGs. (intel471.com) |
| Execution | T1204.004 (attack.mitre.org) | User Execution: Malicious Copy and Paste | ClickFix-style copy/paste execution to fetch payloads. (intel471.com) |
| Execution | T1059.003 (attack.mitre.org) | Windows Command Shell | Command-line strings used to download and run payloads. (intel471.com) |
| Defence Evasion | T1027 (attack.mitre.org) | Obfuscated Files or Information | Obfuscated JavaScript stealer logic and encoded request parameters. (intel471.com) |
| Defence Evasion | T1036 (attack.mitre.org) | Masquerading | Fake OpenClaw branding, fake assistants and installers. (intel471.com) |
| Defence Evasion | T1497 (attack.mitre.org) | Virtualisation/Sandbox Evasion | Hostname-based checks and related anti-analysis behaviour. (intel471.com) |
| Discovery | T1082 (attack.mitre.org) | System Information Discovery | Host profiling (OS, architecture, memory, language, uptime). (intel471.com) |
| Collection | T1005 (attack.mitre.org) | Data from Local System | Infostealers harvesting local data and (in some cases) OpenClaw artefacts. (intel471.com) |
| Command and Control | T1071.001 (attack.mitre.org) | Web Protocols | HTTP-based C2 for tasking and exfiltration. (intel471.com) |
| Exfiltration | T1041 (attack.mitre.org) | Exfiltration Over C2 Channel | Stolen data compressed/encoded and sent to C2 endpoints. (intel471.com) |
Future Outlook
Expect OpenClaw-themed lures to persist while the ecosystem remains volatile and adoption outpaces governance. Intel 471 assesses that infostealer operators will likely add more OpenClaw-specific collection logic to better identify and monetise agent-related secrets, while shifting delivery channels between ads, SEO and compromised repositories as defenders respond. (intel471.com)
Further Reading
- Intel 471’s report on OpenClaw lures, ClickFix delivery and IOCs. (intel471.com)
- Microsoft guidance on running OpenClaw safely (identity, isolation, runtime risk). (Microsoft)
- Microsoft’s deep dive on the ClickFix social engineering technique. (Microsoft)
- Trend Micro analysis of malicious OpenClaw skills distributing AMOS (plus IOC set). (www.trendmicro.com)
- Huntress analysis of fake OpenClaw installers on GitHub delivering infostealers and GhostSocks. (Huntress)
- BleepingComputer reporting on infostealers stealing OpenClaw configuration secrets in the wild. (BleepingComputer)