Hackers Steal Crypto & Passwords via Fake OpenClaw Installer
A new infostealer campaign is actively targeting highly sensitive data, including credentials for crypto wallets and password managers. Threat actors disguise the malware as a legitimate installer for OpenClaw, a popular open-source personal AI assistant. Once deployed, the infostealer silently compromises the system and targets 250 browser extensions tied to these financial and authentication tools.
The attack begins at a convincing fake website, openclaw-installer[.]com, registered on March 9, 2026, which serves a file called OpenClaw_x64[.]7z. The archive contains a 130MB Rust-based executable padded with fake documentation. The size is deliberate: it exceeds the file-size ceiling beyond which many antivirus engines skip scanning, and it breaks the upload limits of automated sandboxes, so the sample is frequently never examined at all.
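The padding trick is measurable at triage time. The Python below is an added example, not code from Netskope or from the article: it parses the PE section table to find how much of a file lies past the last section (the overlay, where appended filler normally ends up) and flags oversized samples whose bulk is overlay. It builds a small synthetic PE32+ image in-line as constructed input; the 100MB size threshold and 50% overlay ratio are assumed tuning values. Caveat: filler embedded inside a section or resource would not show up as overlay, so pair this with section-entropy or string checks.

```python
import struct


def build_test_pe(section_size: int, overlay_size: int) -> bytes:
    """Construct a minimal PE32+ image with one section followed by `overlay_size`
    bytes of filler. Constructed test input only; it is not a runnable program."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # COFF header: AMD64, 1 section, no symbols, PE32+ optional header of 0xF0 bytes
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x0022)
    opt = b"\x0b\x02" + b"\x00" * (0xF0 - 2)          # magic 0x20B, remaining fields zeroed
    headers_end = e_lfanew + 4 + 20 + 0xF0 + 40      # through the single section header
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF          # align to FileAlignment 0x200
    section = b".text".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", section_size, 0x1000, section_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = (dos + b"PE\x00\x00" + coff + opt + section).ljust(raw_ptr, b"\x00")
    return image + b"\x90" * section_size + b"A" * overlay_size


def pe_overlay(data: bytes) -> tuple[int, int]:
    """Return (end_of_last_section, overlay_bytes). Raises ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size
    end = sec_table + n_sections * 40                 # headers still count with no sections
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return end, max(0, len(data) - end)


def padding_verdict(data: bytes, size_threshold: int = 100 * 2**20, min_ratio: float = 0.5) -> dict:
    """Flag a sample that is both large and mostly overlay (assumed tuning values)."""
    end, overlay = pe_overlay(data)
    ratio = overlay / len(data) if data else 0.0
    return {"size": len(data), "section_end": end, "overlay": overlay,
            "overlay_ratio": round(ratio, 3),
            "suspicious": len(data) >= size_threshold and ratio >= min_ratio}


if __name__ == "__main__":
    sample = build_test_pe(0x1000, 0x20000)           # small stand-in for a padded dropper
    print(padding_verdict(sample, size_threshold=100_000))
```

Run it against a real installer with `padding_verdict(open(path, "rb").read())`; a legitimate 130MB installer usually carries its bulk inside sections or a CAB/MSI payload rather than as a raw overlay, which is what makes the ratio informative.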
Researchers at Netskope Threat Labs uncovered the campaign and documented what they call the “Hologram” wave, a second and significantly more advanced iteration of the operation.
The dropper’s own manifest makes no attempt to hide its purpose, openly naming itself “Hologram” with the description “Decoy entity generator for tactical misdirection.”
Once the fake installer runs, it checks for signs that it is inside a virtual machine or sandbox. It scans for BIOS strings tied to virtual machines, suspicious software libraries, and hardware profiles that do not match real systems.
If those checks pass, it waits for actual mouse movement before doing anything else. Automated sandboxes do not move the mouse, so the malware sits still and never gets flagged.

After confirming it is on a real machine, the dropper disables Windows Defender, opens firewall ports, and downloads six modular components that work together. The attacker receives a confirmation in their private Telegram channel once all six modules load successfully.
The credential theft component of this campaign is broad and organized. The malware fetches a targeting list from an attacker-controlled Azure DevOps organization, covering 250 browser extensions.
That list includes 201 crypto wallets such as MetaMask, Phantom, Coinbase, OKX, Rabby, and Ronin, plus 49 password managers and authenticator apps including Bitwarden, LastPass, 1Password, NordPass, KeePass, and Google Authenticator.
Because the list lives in a remote Git repository rather than being hardcoded in any binary, the attacker can update targets without rebuilding the malware, and the set of targeted apps can grow quietly without producing a new sample for detection. Separately, the malware reads Ledger Live data from the filesystem, giving the attacker a second theft path that does not depend on the browser.
The six stage-2 modules each carry a specific role. One collects hardware fingerprints to decide whether the victim is worth a full attack. Another opens a persistent connection to the attacker’s server.
A third loads a hidden .NET assembly entirely in memory using a Rust component called clroxide, which the researchers say had not previously been documented in a crimeware campaign. Persistence is layered across registry autoruns, a Winlogon Userinit hijack, a scheduled task, and Telegram-based droppers that can reinstall the implant even if the main component is removed.
A Rapidly Evolving Threat With Rotating Infrastructure
What makes this campaign so hard to shut down is how the attacker handles infrastructure. The command server address is never hardcoded in the malware. Instead, the implant reads it from a Telegram channel description, so if a domain gets blocked, it pulls a new one on the next check-in. Over the course of the analysis, the attacker rotated every layer of this infrastructure before the findings were published.

All victim data, including usernames, IP addresses, and timestamps, is routed through Hookdeck, a legitimate webhook relay service. This keeps the attacker’s Telegram bot token out of network traffic entirely, making it very difficult to trace the real command backend.
Security teams should hunt for behavioral signals that survive domain rotation: unusually large installer files, PowerShell launched from dropped binaries with fragmented command names, outbound traffic to webhook relay domains, Azure DevOps connections from processes that are not development tools, and firewall rules opened programmatically on ports 56001 through 57002. Blocking individual domains is not enough. Application-level inspection and behavioral detection are needed to see what this campaign does inside trusted services.
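Those signals translate directly into hunting rules. The Python below is an added example written for this page, not Netskope's or the article's code: it runs constructed Sysmon-style process, network and registry events through rules for each signal listed above, including the Winlogon Userinit hijack and the Run-key persistence from the IoC tables. The "fragmented command name" rule rejoins PowerShell-style `'pow'+'ersh'+'ell'` concatenations before matching. The allowlist of development processes, the drop directories and the sample events are assumptions for the example; tune them to your estate.

```python
import re

# Relay and dead-drop services the campaign abuses for C2 and staging (from the article).
DEAD_DROP_HOSTS = {"hkdk.events", "dev.azure.com", "api.telegram.org", "t.me",
                   "snippet.host", "pastebin.com"}
# Processes that legitimately reach Azure DevOps or paste sites (assumed allowlist).
DEV_PROCESSES = {"devenv.exe", "git.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
FIREWALL_PORTS = range(56001, 57003)          # 56001 through 57002 inclusive
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
DROP_DIRS = ("c:\\users\\public\\", "\\appdata\\roaming\\")   # stage-2 drop locations

_PAIR = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*['"]([^'"]*)['"]""")
_PORT = re.compile(r"(?:localport=|-localport\s+)(\d+)", re.IGNORECASE)


def defragment(cmdline: str) -> str:
    """Collapse string concatenation ('pow'+'ersh'+'ell') so a command name that was
    split into fragments can be matched as a single token."""
    prev = None
    while prev != cmdline:
        prev, cmdline = cmdline, _PAIR.sub(lambda m: f"{m[1]}{m[2]}{m[3]}{m[1]}", cmdline)
    return cmdline


def userinit_hijacked(value: str) -> bool:
    """True if the Winlogon Userinit value lists anything besides the stock userinit.exe."""
    entries = [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]
    return any(e != USERINIT_DEFAULT for e in entries)


def _in_drop_dir(path: str) -> bool:
    return any(d in path.lower() for d in DROP_DIRS)


def check_event(ev: dict):
    """Return (rule_name, detail) when an event matches a hunting rule, else None."""
    kind = ev["type"]
    if kind == "process":
        cmd = defragment(ev["cmdline"])
        if "powershell" in cmd.lower() and _in_drop_dir(ev.get("parent_image", "")):
            how = "fragmented" if "powershell" not in ev["cmdline"].lower() else "direct"
            return ("powershell_from_drop", f"{how} PowerShell launch by {ev['parent_image']}")
        m = _PORT.search(cmd)
        if m and int(m[1]) in FIREWALL_PORTS:
            return ("firewall_port_opened", f"port {m[1]} via {ev['image']}")
    elif kind == "network":
        proc = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["dst_host"].lower() in DEAD_DROP_HOSTS and proc not in DEV_PROCESSES:
            return ("dead_drop_traffic", f"{proc} -> {ev['dst_host']}")
    elif kind == "registry":
        target = ev["target"].lower()
        if target.endswith("\\winlogon\\userinit") and userinit_hijacked(ev["details"]):
            return ("userinit_hijack", ev["details"])
        if "\\currentversion\\run\\" in target and _in_drop_dir(ev["details"]):
            return ("run_key_to_drop_dir", f"{ev['target']} = {ev['details']}")
    return None


def scan(events):
    """Run every event through the rules; returns a list of (event id, rule, detail)."""
    hits = []
    for ev in events:
        result = check_event(ev)
        if result:
            hits.append((ev["id"], *result))
    return hits


# Constructed sample telemetry (Sysmon-style fields); not captured from the campaign.
SAMPLE_EVENTS = [
    {"id": "E1", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\Public\svc_service.exe",
     "cmdline": "cmd.exe /c ('pow'+'ersh'+'ell') -nop -w hidden -enc SQBFAFgA"},
    {"id": "E2", "type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Users\Public\svc_service.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Core Networking" dir=in '
                "action=allow protocol=TCP localport=57001"},
    {"id": "E3", "type": "network", "image": r"C:\Users\Public\onedrive_sync.exe",
     "dst_host": "dev.azure.com", "dst_port": 443},
    {"id": "E4", "type": "network", "image": r"C:\Program Files\Git\cmd\git.exe",
     "dst_host": "dev.azure.com", "dst_port": 443},
    {"id": "E5", "type": "network", "image": r"C:\Users\Public\virtnetwork.exe",
     "dst_host": "hkdk.events", "dst_port": 443},
    {"id": "E6", "type": "registry", "image": r"C:\Users\Public\svc_service.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,C:\Users\Public\svc_service.exe"},
    {"id": "E7", "type": "registry", "image": r"C:\Users\Public\onedrive_sync.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{NetworkManager}",
     "details": r"C:\Users\Public\onedrive_sync.exe"},
    {"id": "E8", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-Process"},
    {"id": "E9", "type": "registry", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit, sep="\t")
```

In a real deployment the process, network and registry rules map to Sysmon event IDs 1, 3 and 13, and the firewall rule can additionally key on Windows Security event 4946 (rule added to the firewall exception list), which catches additions made through the API rather than netsh.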
Indicators of Compromise (IoCs)
File Hashes
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 4014048f8e60d39f724d5b1ae34210ffeac151e1f2d4813dbb51c719d4ad7c3a | OpenClaw_x64[.]exe — Hologram dropper v1.7.16 (Rust, 130MB padded) |
| SHA256 | f03736fadffcb7bef122d25d6ace8044378d4fa455f7f48081a3b32c80eb4ed2 | OpenClaw_x64[.]7z — Hologram dropper container archive |
| SHA256 | f554b6f34fd2710929d74af550ddb50633d36eaf0533f2d0cbbde75670676486 | OpenClaw_x64[.]exe — Pathfinder dropper v3.7.16 (Rust, 118MB padded) |
| SHA256 | 40fc240febf2441d58a7e2554e4590e172bfefd289a5d9fa6781de38e266b378 | svc_service[.]exe — Stealth Packer C2 beacon / CLR loader (Hologram) |
| SHA256 | 4fcfcb83145223cca6db85e7c840876ec8a56d78efba856ab70287b0e5c8a696 | svc_service[.]exe — Stealth Packer C2 beacon wave 2, beacons to 193.202.84.14:56001 (Pathfinder) |
| SHA256 | 605096b9729bd8eedab460dbd4baf702029fb59842020a27fc0f99fd2ef63040 | virtnetwork[.]exe — Stealth Packer HTTPS C2 tunnel (Hologram) |
| SHA256 | 6ae9f9cfa8e638e933ad8b06de7434c395ec68ee9cc4e735069bfb64646bb180 | onedrive_sync[.]exe — Reflective PE loader via memexec (Hologram) |
| SHA256 | 0c4a9d3579485eaf8801e5ac479cd322ee1e7161b54cc24689b891fa82ba0f1e | audioeq[.]exe — System fingerprinter / recon (Hologram) |
| SHA256 | fd67063ffb0bcde44dca5fea09cc0913150161d7cb13cffc2a001a0894f12690 | WinHealhCare[.]exe — Telegram-bot dropper v2.0 (Hologram) |
| SHA256 | d5dffba463beae207aee339f88a18cfcd2ea2cd3e36e98d27297d819a1809846 | OneSync[.]exe — Telegram-bot dropper v1.6 (Hologram) |
| SHA256 | 787a28aff72f2ecd2f5e75baf284e61bda9ab8dd3905822c6f620cce809952e8 | vicloud[.]exe — Vidar infostealer (Pathfinder) |
| SHA256 | 1478ccc61b69cee462ea98621ba53adf2de0ce28355c5c4eafaed6d779c8acda | dbau[.]exe — Unknown role (Pathfinder) |
Domains
| Type | Indicator | Description |
|---|---|---|
| Domain | openclaw-installer[.]com | All waves — Delivery / typosquat site |
| Domain | hkdk[.]events | All waves — C2 Hookdeck relay |
| Domain | dev[.]azure[.]com | All waves — Payload staging (org: sagonbretzpr) |
| Domain | api[.]telegram[.]org | All waves — C2 / victim telemetry |
| Domain | frr[.]rubensbruno[.]adv[.]br | Hologram — Primary C2 (hijacked Brazilian law firm domain) |
| Domain | mikolirentryifosttry[.]info | Hologram — Secondary C2 |
| Domain | transcloud[.]cc | Hologram — C2 for svc_service[.]exe |
| Domain | steamhostserver[.]cc | Hologram — C2 rotation |
| Domain | serverconect[.]cc | Hologram — C2 rotation and loader staging |
| Domain | jollymccalister[.]lol | Hologram — Dead C2 |
| Domain | t[.]me/b8bz11 | Hologram — Telegram dead-drop |
| Domain | snippet[.]host | Hologram — Dead-drop |
| Domain | loclx[.]io | Hologram — C2 tunnel |
| Domain | hwd[.]hidayahnetwork[.]com | Pathfinder — Primary C2 |
| Domain | zkevopenanu[.]cfd | Pathfinder — Secondary C2 |
| Domain | Rr3Ueff[.]pw | Pathfinder — Candidate C2 / dead-drop (unconfirmed) |
| Domain | t[.]me/hgo9tx | Pathfinder — Telegram dead-drop |
| Domain | pastebin[.]com | Pathfinder — Dead-drop |
IP Addresses
| Type | Indicator | Description |
|---|---|---|
| IP | 188[.]114[.]97[.]3 | Hologram — Proxy for frr[.]rubensbruno[.]adv[.]br primary C2 |
| IP | 45[.]55[.]35[.]48 | Hologram — svc_service[.]exe C2 beacon (port 57001); steamhostserver[.]cc / serverconect[.]cc |
| IP | 193[.]202[.]84[.]14 | Pathfinder — svc_service[.]exe wave-2 C2 beacon (port 56001) |
| IP | 185[.]196[.]9[.]98 | Hologram — transcloud[.]cc resolution (svc_service[.]exe) |
| IP | 91[.]92[.]242[.]30 | Hologram — Infrastructure |
| IP | 147[.]45[.]197[.]92 | Hologram — Encrypted beacon from nested payload |
| IP | 94[.]228[.]161[.]88 | Hologram — Encrypted beacon from nested payload |
| IP | 86[.]54[.]42[.]72 | Hologram — jollymccalister[.]lol historical resolution; dead C2 |
Dead-drop and Staging URLs
| Type | Indicator | Description |
|---|---|---|
| URL | hxxps://snippet[.]host/efguhk/raw | Hologram |
| URL | hxxps://snippet[.]host/iqqmib/raw | Hologram |
| URL | hxxps://snippet[.]host/wtbtew/raw | Hologram |
| URL | hxxps://snippet[.]host/uikosx/raw | Hologram and Pathfinder |
| URL | hxxps://pastebin[.]com/raw/M6KthA5Z | Hologram |
| URL | hxxps://pastebin[.]com/raw/csi5UqpEw | Hologram |
| URL | hxxps://pastebin[.]com/raw/fTxiyhbL | Hologram |
| URL | hxxps://pastebin[.]com/raw/mcwWi1Ue | Hologram |
| URL | hxxps://pastebin[.]com/raw/w6BVFFWQ | Pathfinder |
| URL | hxxps://dev[.]azure[.]com/sagonbretzpr/ | All waves |
Mutexes
| Type | Indicator | Description |
|---|---|---|
| Mutex | Global\StealthPackerMutex_9A8B7C | svc_service[.]exe, virtnetwork[.]exe |
| Mutex | Global\{CoreTask1461}_ | onedrive_sync[.]exe |
| String | –johnpidar | Developer string in svc_service[.]exe |
Registry Keys
| Type | Indicator | Description |
|---|---|---|
| Registry | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Winlogon Userinit hijack via svc_service[.]exe |
| Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{NetworkManager} | Autorun persistence via onedrive_sync[.]exe |
| Registry | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderHelper | Autorun persistence via svc_service[.]exe |
Files and Paths
| Type | Indicator | Description |
|---|---|---|
| Path | C:\Users\Public | Stage-2 binary drop location |
| Path | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveSync[.]lnk | Startup persistence LNK |
| Path | %APPDATA%\Roaming\DataConfig\manager[.]exe | Dropped secondary executable via onedrive_sync[.]exe |
| Path | %APPDATA%\Ledger Live | Ledger hardware wallet theft target |
Note: IP addresses, domains and URLs are intentionally defanged (e.g., [.] and hxxps) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.