OpenClaw Trap Campaign: Trojanized GitHub Repos Target Devs and Gamers

Jennifer Sherman
March 25, 2026

Key Takeaways

  • A sophisticated new malware campaign, “OpenClaw Trap,” is targeting developers, gamers, and crypto users via trojanized GitHub repositories.
  • The campaign utilizes a custom LuaJIT trojan designed to evade automated analysis by splitting its payload and employing advanced anti-detection techniques.
  • Victim machines are geolocated, and full desktop screenshots are exfiltrated to a C2 server in Frankfurt, Germany.
  • The threat actor behind the campaign operates extensive infrastructure and may be leveraging AI for malware generation and naming conventions.

A cunning new malware operation is actively compromising software developers, gamers, Roblox enthusiasts, and cryptocurrency users through a network of deceptive GitHub repositories. This campaign, internally designated as “TroyDen’s Lure Factory,” deploys a custom-built LuaJIT trojan specifically engineered to bypass conventional security scanning tools, indicating a high level of technical proficiency and significant resources behind the threat actor.

At the heart of this attack is a meticulously crafted GitHub repository, AAAbiola/openclaw-docker, which masquerades as a legitimate Docker deployment tool for the OpenClaw AI project. The repository presents a convincing facade, including a professional README file with detailed installation instructions for both Windows and Linux, a complementary GitHub.io page, and even features contributions from seemingly legitimate developers, one of whom boasts a repository with 568 stars.

To further bolster its credibility, the attacker strategically inflated the project’s popularity with numerous throwaway accounts that added stars and forks. Carefully selected topic tags such as “ai-agents,” “docker,” “openclaw,” and “LLM” were employed to push the repository to prominent positions in developer search results, increasing its visibility and potential victim pool.

Netskope Threat Labs researchers uncovered the campaign after identifying a trojanized software package that exhibited unique behavioral evasion techniques designed to defeat automated analysis pipelines. Their subsequent investigation revealed that the same malicious toolchain was present across more than 300 confirmed delivery packages. These packages, disguised as gaming cheats, phone trackers, VPN crackers, and Roblox scripts, were hosted across multiple GitHub repositories, all tracing back to the identical attacker infrastructure.

Intriguingly, the lure directory names, which draw from obscure biological taxonomy, archaic Latin, and medical terminology, strongly suggest machine generation. This points towards the potential use of AI-assisted methods for large-scale malware production and naming, further highlighting the advanced nature of this operation.

The campaign’s reach is broad, impacting a diverse range of users. Upon successful execution, each victim machine is immediately geolocated, and a complete desktop screenshot is captured and transmitted to a command-and-control (C2) server located in Frankfurt, Germany. With eight confirmed IP addresses operating behind a load-balanced backend, the infrastructure is clearly designed to handle a high volume of compromised systems.

Researchers also linked the operator to a Telegram channel, @NumberLocationTrack, which has been active under the name “TroyDen” since June 2025. This suggests that the campaign was already operational for several months before the deceptive GitHub repositories began to appear.

Two Files, One Weapon

A particularly distinctive technical aspect of this campaign is its method of payload delivery, which is split to bypass detection. Each malicious ZIP archive contains three distinct components: a batch file named Launch.bat, a renamed LuaJIT runtime executable called unc.exe, and an obfuscated Lua script disguised as license.txt. When these files are submitted individually to automated scanners, they appear benign.

The threat only activates when the batch file executes both components in the correct sequence. This design cleverly exploits how standard sandboxes typically analyze files in isolation, allowing the combined threat to evade detection. Once armed, the payload initiates a series of five anti-analysis checks, looking for debuggers, low RAM, short system uptime, elevated privilege access, and specific computer names. If any indicators of a sandbox environment are detected, execution is halted.

If the environment appears legitimate, a Sleep() call is triggered for approximately 29,000 years, a duration far exceeding any timed analysis window. This tactic ensures that by the time a security tool reports a clean verdict, the payload has already executed on a real machine, leaving no trace in sandbox logs. Subsequently, the Prometheus Obfuscator rewrites the Lua script’s control flow, rendering static code analysis unreliable. Four registry modifications disable Windows proxy auto-detection, enabling outbound traffic to bypass corporate inspection layers.

The payload then captures the victim’s full desktop and uploads it via a hardcoded multipart POST request to the Frankfurt C2 server. The server responds by sending encrypted task and loader blobs, which are then saved to the victim’s Documents folder. The C2 boundary string, a fixed 38-character value consistently observed across all requests, suggests the operator likely utilized AI-assisted code generation for the server-side panel.

What You Should Do

  • Any machine that has downloaded packages from the identified malicious repositories should be considered compromised and thoroughly investigated for signs of unauthorized access.
  • Security teams should prioritize any GitHub download that pairs a renamed interpreter with an opaque data file for immediate triage and investigation.
  • Deploy the published Indicators of Compromise (IOCs) into your EDR and network monitoring tools without delay.
  • Block all outbound connections to the confirmed C2 IP addresses at the firewall level to prevent further exfiltration and control.
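A defender-side triage script for the package layout described under “Two Files, One Weapon” and the triage advice above: it flags a directory where a batch launcher references both a PE that embeds an interpreter and an opaque data file with a text extension. This is an added example, not Netskope’s or the article’s tooling; the LuaJIT marker strings, the entropy threshold, and the constructed sample packages (inert stand-ins written to a temp directory) are assumptions.

```python
import math
import os
import random
import tempfile
from collections import Counter
# Assumed markers of an embedded LuaJIT runtime; extend for other interpreters.
INTERPRETER_MARKERS = (b"LuaJIT", b"lua51.dll")

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; obfuscated or packed blobs sit near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def scan_package(path: str) -> list[str]:
    """Triage one extracted package; a finding names launcher, interpreter and data file."""
    interpreters, opaque, launchers = [], [], {}
    for name in (e.name for e in os.scandir(path) if e.is_file()):
        with open(os.path.join(path, name), "rb") as fh:
            data = fh.read()
        low = name.lower()
        if data[:2] == b"MZ" and any(m in data for m in INTERPRETER_MARKERS):
            interpreters.append(name)  # PE that carries an interpreter
        elif low.endswith((".txt", ".dat", ".log")) and entropy(data) >= 6.0:
            opaque.append(name)  # "text" file whose bytes are not text
        elif low.endswith((".bat", ".cmd")):
            launchers[name] = data.decode("latin-1").lower()
    findings = []
    for bat, text in launchers.items():
        used_i = [i for i in interpreters if i.lower() in text]
        used_o = [o for o in opaque if o.lower() in text]
        if used_i and used_o:  # the chain exists only when the launcher names both
            findings.append(f"{bat} launches {used_i[0]} with opaque {used_o[0]}")
    return findings

def build_sample(malicious: bool) -> str:
    """Write a constructed package (inert stand-ins, not real malware) to a temp dir."""
    rng = random.Random(7)
    files = {
        "unc.exe": b"MZ" + b"\x00" * 60 + b"LuaJIT 2.1.0\x00",
        "license.txt": bytes(rng.getrandbits(8) for _ in range(2048)),
        "Launch.bat": b"@echo off\r\nunc.exe license.txt\r\n",
    } if malicious else {
        "setup.bat": b"@echo off\r\necho installing\r\n",
        "README.txt": b"Plain installation notes.\r\n" * 20,
    }
    d = tempfile.mkdtemp()
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d
```

Run `scan_package` over each extracted GitHub download; an empty list means the launcher/interpreter/opaque-file chain was not found, not that the package is clean.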
