Fake OpenClaw Installer Steals Crypto Wallet and Password Manager Credentials
Key Takeaways A sophisticated infostealer campaign, dubbed “Hologram” by researchers, is actively distributing malware disguised as an installer for the OpenClaw AI assistant. The malware...
Key Takeaways
- A sophisticated infostealer campaign, dubbed “Hologram” by researchers, is actively distributing malware disguised as an installer for the OpenClaw AI assistant.
- The malware targets over 250 browser extensions, including popular crypto wallets like MetaMask and Coinbase, as well as password managers such as LastPass and 1Password.
- Initial infection occurs via a convincing fake website, openclaw-installer.com, distributing a large, Rust-based executable designed to evade traditional security defenses.
- The threat employs advanced anti-analysis techniques, modular components, and dynamic command-and-control infrastructure to ensure persistence and evade detection.
Sophisticated Infostealer Targets Crypto Wallets and Password Managers
A new infostealer operation is aggressively pursuing highly sensitive user data, specifically credentials associated with cryptocurrency wallets and password managers. Threat actors are cloaking their malicious software as a legitimate installer for OpenClaw, an open-source personal AI assistant. Once established on a system, this advanced infostealer meticulously compromises targets, focusing on more than 250 browser extensions crucial for financial transactions and authentication.
Table Of Content
The attack chain commences with a deceptive website, openclaw-installer.com, registered on March 9, 2026. This site directs visitors to download a file named OpenClaw_x64[.]7z. Inside this archive lies a 130MB Rust-based executable, strategically padded with non-functional documentation. This deliberate file size is a tactic to bypass common antivirus file-size thresholds and overwhelm automated sandbox upload limits, thereby aiding its stealthy deployment. Netskope Threat Labs researchers were instrumental in uncovering this campaign, which they have designated the “Hologram” wave. This represents a more advanced iteration of the operation. Intriguingly, the dropper’s own manifest explicitly identifies itself as “Hologram,” with the description: “Decoy entity generator for tactical misdirection.”
The fake installer initiates a series of checks to detect virtual machine or sandbox environments. It scrutinizes BIOS strings, suspicious software libraries, and hardware profiles for discrepancies indicative of an emulated system. If these preliminary checks are successfully evaded, the malware then patiently awaits genuine mouse movement before proceeding. This tactic is designed to thwart automated sandboxes, which typically lack such human interaction, leaving the malware dormant and undetected.

Upon confirming its presence on a live user machine, the dropper disables Windows Defender, opens specific firewall ports, and then downloads six distinct modular components. The attackers receive real-time confirmation in a private Telegram channel once all six modules have successfully loaded.
The scope of credential theft in this campaign is extensive and meticulously organized. The malware retrieves a dynamic targeting list from an attacker-controlled Azure DevOps organization. This list encompasses 250 browser extensions, including 201 crypto wallets such as MetaMask, Phantom, Coinbase, OKX, Rabby, and Ronin, alongside 49 password managers and authenticator applications like Bitwarden, LastPass, 1Password, NordPass, KeePass, and Google Authenticator. Additionally, the malware independently accesses Ledger Live data directly from the filesystem, establishing two distinct avenues for data exfiltration.
A key element of this campaign’s resilience is the remote management of the target list, hosted within a Git repository. This allows the attackers to modify and expand the list of targeted applications without needing to recompile or redeploy the core malware, enabling silent and continuous expansion of their attack surface without triggering new detections.
The six stage-2 modules each perform specialized functions. One module is dedicated to collecting hardware fingerprints, enabling the attackers to assess the value of a compromised system. Another establishes a persistent connection to the attacker’s command-and-control server. A third module employs a novel technique, loading a hidden .NET assembly entirely in memory using a Rust component named clroxide—a method previously undocumented in crimeware campaigns. The malware ensures robust persistence through multiple mechanisms, including registry autoruns, a Windows logon hijack, a scheduled task, and Telegram-based droppers, which can restore the implant even if the primary components are removed.
A Rapidly Evolving Threat With Rotating Infrastructure
A significant challenge in neutralizing this campaign stems from the attackers’ dynamic infrastructure management. The command server address is never hardcoded into the malware. Instead, the implant retrieves it from a Telegram channel description. This ingenious design allows the attackers to instantly switch to a new domain if an existing one is blocked, ensuring continuous operation. During active analysis, the attackers demonstrated this agility by rotating every layer of their infrastructure before research findings could be publicly disseminated.

All exfiltrated victim data, including usernames, IP addresses, and timestamps, is routed through Hookdeck, a legitimate webhook relay service. This sophisticated approach prevents the attacker’s Telegram bot token from appearing in network traffic, significantly complicating efforts to trace the actual command backend.
What You Should Do
- Exercise Extreme Caution with Downloads: Always download software directly from official vendor websites. Be highly suspicious of third-party download sites, even if they appear legitimate.
- Verify Website Authenticity: Before downloading any software, double-check the URL for typosquatting or subtle misspellings (e.g., “openclaw-installer.com” instead of the official domain).
- Enable Advanced Endpoint Detection: Implement and maintain Endpoint Detection and Response (EDR) solutions capable of behavioral analysis, as signature-based detection may be insufficient against such sophisticated threats.
- Monitor for Unusual Network Activity: Look for outbound traffic to known webhook relay domains (e.g., hkdk.events), unexpected connections to Azure DevOps from non-development processes, and programmatic opening of firewall ports in the 56001-57002 range.
- Implement Application-Level Inspection: Utilize security tools that can inspect traffic at the application layer to detect malicious activity within otherwise trusted services.
- Educate Users: Conduct regular cybersecurity awareness training for all users on phishing, suspicious downloads, and the importance of verifying software sources.
- Review Indicators of Compromise (IoCs): Integrate the provided IoCs into your security information and event management (SIEM) systems and threat intelligence platforms for proactive detection.
Indicators of Compromise (IoCs):-
File Hashes
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 4014048f8e60d39f724d5b1ae34210ffeac151e1f2d4813dbb51c719d4ad7c3a | OpenClaw_x64[.]exe — Hologram dropper v1.7.16 (Rust, 130MB padded) |
| SHA256 | f03736fadffcb7bef122d25d6ace8044378d4fa455f7f48081a3b32c80eb4ed2 | OpenClaw_x64[.]7z — Hologram dropper container archive |
| SHA256 | f554b6f34fd2710929d74af550ddb50633d36eaf0533f2d0cbbde75670676486 | OpenClaw_x64[.]exe — Pathfinder dropper v3.7.16 (Rust, 118MB padded) |
| SHA256 | 40fc240febf2441d58a7e2554e4590e172bfefd289a5d9fa6781de38e266b378 | svc_service[.]exe — Stealth Packer C2 beacon / CLR loader (Hologram) |
| SHA256 | 4fcfcb83145223cca6db85e7c840876ec8a56d78efba85ab70287b0e5c8a696 | svc_service[.]exe — Stealth Packer C2 beacon wave 2, beacons to 193.202.84.14:56001 (Pathfinder) |
| SHA256 | 605096b9729bd8eedab460dbd4baf702029fb59842020a27fc0f99fd2ef63040 | virtnetwork[.]exe — Stealth Packer HTTPS C2 tunnel (Hologram) |
| SHA256 | 6ae9f9cfa8e638e933ad8b06de7434c395ec68ee9cc4e735069bfb64646bb180 | onedrive_sync[.]exe — Reflective PE loader via memexec (Hologram) |
| SHA256 | 0c4a9d3579485eaf8801e5ac479cd322ee1e7161b54cc24689b891fa82ba0f1e | audioeq[.]exe — System fingerprinter / recon (Hologram) |
| SHA256 | fd67063ffb0bcde44dca5fea09cc0913150161d7cb13cffc2a001a0894f12690 | WinHealhCare[.]exe — Telegram-bot dropper v2.0 (Hologram) |
| SHA256 | d5dffba463beae207aee339f88a18cfcd2ea2cd3e36e98d27297d819a1809846 | OneSync[.]exe — Telegram-bot dropper v1.6 (Hologram) |
| SHA256 | 787a28aff72f2ecd2f5e75baf284e61bda9ab8dd3905822c6f620cce809952e8 | vicloud[.]exe — Vidar infostealer (Pathfinder) |
| SHA256 | 1478ccc61b69cee462ea98621ba53adf2de0ce28355c5c4eafaed6d779c8acda | dbau[.]exe — Unknown role (Pathfinder) |
Domains
| Type | Indicator | Description |
|---|---|---|
| Domain | openclaw-installer.com | All waves — Delivery / typosquat site |
| Domain | hkdk.events | All waves — C2 Hookdeck relay |
| Domain | dev.azure.com | All waves — Payload staging (org: sagonbretzpr) |
| Domain | api.telegram.org | All waves — C2 / victim telemetry |
| Domain | frr.rubensbruno.adv.br | Hologram — Primary C2 (hijacked Brazilian law firm domain) |
| Domain | mikolirentryifosttry.info | Hologram — Secondary C2 |
| Domain | transcloud.cc | Hologram — C2 for svc_service[.]exe |
| Domain | steamhostserver.cc | Hologram — C2 rotation |
| Domain | serverconect.cc | Hologram — C2 rotation and loader staging |
| Domain | jollymccalister.lol | Hologram — Dead C2 |
| Domain | t.me/b8bz11 | Hologram — Telegram dead-drop |
| Domain | snippet.host | Hologram — Dead-drop |
| Domain | loclx.io | Hologram — C2 tunnel |
| Domain | hwd.hidayahnetwork.com | Pathfinder — Primary C2 |
| Domain | zkevopenanu.cfd | Pathfinder — Secondary C2 |
| Domain | Rr3Ueff.pw | Pathfinder — Candidate C2 / dead-drop (unconfirmed) |
| Domain | t.me/hgo9tx | Pathfinder — Telegram dead-drop |
| Domain | pastebin.com | Pathfinder — Dead-drop |
IP Addresses
| Type | Indicator | Description |
|---|---|---|
| IP | 188.114.97.3 | Hologram — Proxy for frr.rubensbruno.adv.br primary C2 |
| IP | 45.55.35.48 | Hologram — svc_service[.]exe C2 beacon (port 57001); steamhostserver[.]cc / serverconect[.]cc |
| IP | 193.202.84.14 | Pathfinder — svc_service[.]exe wave-2 C2 beacon (port 56001) |
| IP | 185.196.9.98 | Hologram — transcloud[.]cc resolution (svc_service[.]exe) |
| IP | 91.92.242.30 | Hologram — Infrastructure |
| IP | 147.45.197.92 | Hologram — Encrypted beacon from nested payload |
| IP | 94.228.161.88 | Hologram — Encrypted beacon from nested payload |
| IP | 86.54.42.72 | Hologram — jollymccalister.lol historical resolution; dead C2 |
Dead-drop and Staging URLs
| Type | Indicator | Description |
|---|---|---|
| URL | https://snippet.host/efguhk/raw | Hologram |
| URL | https://snippet.host/iqqmib/raw | Hologram |
| URL | https://snippet.host/wtbtew/raw | Hologram |
| URL | https://snippet.host/uikosx/raw | Hologram and Pathfinder |
| URL | https://pastebin.com/raw/M6KthA5Z | Hologram |
| URL | https://pastebin.com/raw/csi5UqpEw | Hologram |
| URL | https://pastebin.com/
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources. |



No Comment! Be the first one.