OpenClaw DeepSeek Skill Exploits AI Work Malicious Agentic
A sophisticated malware campaign targets developers and AI-driven systems, masquerading as a legitimate plugin for an open-source AI framework. Security researchers have uncovered a threat that takes...
A sophisticated malware campaign targets developers and AI-driven systems, masquerading as a legitimate plugin for an open-source AI framework.
Security researchers have uncovered a threat that takes full advantage of how modern AI agents work, using their automated nature as a weapon against the very users they are meant to help.
The malware, delivered through a fake “DeepSeek-Claw” skill for the OpenClaw framework, has two main goals: gain remote control over infected machines and steal sensitive data.
It accomplishes both by tailoring its attack to the operating system it lands on, making it a versatile and persistent threat that works across Windows, macOS, and Linux systems all at once.
Researchers at Zscaler ThreatLabZ were the ones who identified this campaign in March 2026. Their analysis revealed that the threat actor published the deceptive skill on GitHub, knowing that AI agents and developers would likely pull it into automated workflows without a second thought.
By embedding hidden commands inside a standard instruction file, the attacker bypassed the need for any traditional phishing or social engineering.
Once the malicious skill is downloaded, the attack splits into two distinct paths depending on how the installation is triggered. Windows users following the automated AI-driven path end up infected with Remcos RAT, a powerful remote access tool.
Those on macOS, Linux, or Windows using the manual path instead get hit with GhostLoader, a cross-platform stealer designed to drain developer environments of credentials and sensitive data.
The reach of this attack goes well beyond individual machines. With Remcos giving attackers a full remote shell and GhostLoader scooping up cloud tokens, SSH keys, and browser session cookies, a single compromised developer could expose an entire organization’s infrastructure within minutes of running what looked like a completely normal install command.
How the OpenClaw Skill Attack Unfolds
The OpenClaw framework, formerly known as Clawdbot and Moltbot, is an open-source tool built to let AI agents carry out complex, high-privilege tasks on local systems. Its modular “skill” design is exactly what the attacker exploited.
The fake DeepSeek-Claw skill appeared legitimate on the surface, but its SKILL.md file hid a poisoned PowerShell command that silently downloaded and ran a remote Windows Installer package from a threat actor-controlled server.
That installer dropped two files onto the system: a genuine, digitally signed GoToMeeting executable and a malicious DLL disguised as its dependency. When the trusted application ran, it loaded the fake DLL instead, a technique known as DLL sideloading.
The malicious DLL then patched key Windows security tools in memory to blind them before decrypting and launching Remcos RAT, which opened an encrypted channel back to the attacker.
Remcos set itself to stealth mode immediately upon execution, logging keystrokes, stealing browser cookies, and giving the attacker an interactive reverse shell with the ability to run any command on the infected host.
The entire execution chain, from a fake AI skill to full remote control, required no user awareness beyond a single automated install step triggered by an AI agent.
GhostLoader and the Developer Data Threat
The alternate attack path, built for macOS and Linux environments, used a heavily obfuscated Node.js file buried inside npm lifecycle scripts. When the install command ran, it silently dropped GhostLoader onto the system.
On macOS and Linux, the malware also displayed fake password prompts to trick users into handing over their credentials directly.
Once active, GhostLoader swept through the host for anything valuable: macOS Keychain data, SSH keys, cryptocurrency wallet files, and cloud API tokens. All of it was sent back to attacker-controlled servers.
Zscaler’s analysts noted that as AI agents become standard in development pipelines, supply chain poisoning through fake skills is a growing threat. Organizations should thoroughly vet all third-party plugins and enforce strict behavioral monitoring for any tools that interact with privileged local resources.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| MD5 Hash | 1c267cab0a800a7b2d598bc1b112d5ce | “DeepSeek-Claw” named OpenClaw Skill |
| MD5 Hash | 2A5F619C966EF79F4586A433E3D5E7BA | MSI Installer |
| URL | hxxps://cloudcraftshub[.]com/api | MSI download URL |
| URL | hxxp://dropras[.]xyz/ | MSI download URL |
| URL | https://github.com/Needvainverter93/deepseek-claw | Malicious GitHub repository |
| MD5 Hash | CC1AF839A956C8E2BF8E721F5D3B7373 | Shellcode loader (g2m.dll) |
| MD5 Hash | 2C4B7C8B48E6B4E5F3E8854F2ABFEDB5 | Remcos RAT payload |
| IP:Port | 146[.]19.24[.]131:2404 | Remcos RAT C2 server |
| URL | hxxps://trackpipe[.]dev | GhostLoader C2 server |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.