Hackers News Hackers News
Threats

AI-Assisted OpenClaw Trap Targets Trap’ Campaign

Jennifer Sherman
March 25, 2026 3 Min Read

A recently identified malware campaign is quietly spreading through fake GitHub repositories, simultaneously targeting software developers, gamers, Roblox players, and crypto users.

Tracked internally as TroyDen’s Lure Factory, the campaign deploys a custom LuaJIT trojan carefully designed to slip past automated security tools — a level of technical precision that points to a well-resourced threat actor.

The attack centers on a convincingly built GitHub repository — AAAbiola/openclaw-docker — that impersonates a Docker deployment tool for the legitimate OpenClaw AI project.

The repository features a polished README with installation instructions for both Windows and Linux, a companion GitHub.io page, and real contributors, including a developer with a 568-star repository of their own.

To further fake credibility, the attacker padded the project with throwaway accounts that added stars and forks, while carefully chosen topic tags — ai-agents, docker, openclaw, and LLM — pushed the repository to the top of developer search results.

Netskope Threat Labs researchers identified the campaign after detecting a trojanized package that used behavioral evasion techniques engineered to defeat automated analysis pipelines.

Their investigation found the same malicious toolchain running across more than 300 confirmed delivery packages — gaming cheats, phone trackers, VPN crackers, and Roblox scripts — all hosted across multiple GitHub repositories and all connecting back to the same attacker infrastructure.

The lure directory names, drawn from obscure biological taxonomy, archaic Latin, and medical terminology, strongly suggest the naming was machine-generated, pointing to AI-assisted malware production at scale.

The campaign’s impact stretches across a wide range of users. Every victim machine is geolocated the moment execution begins, and a full desktop screenshot is captured and sent to a C2 server in Frankfurt, Germany.

With eight confirmed IP addresses behind the same load-balanced backend, the infrastructure is clearly built for volume.

Researchers also connected the operator to a Telegram channel — @NumberLocationTrack — running under the name TroyDen since June 2025, suggesting this campaign was active months before the GitHub repositories appeared.

Two Files, One Weapon

The most technically distinctive part of this campaign is the way its payload is split to avoid detection.

Each malicious ZIP package contains three files: a launcher batch file called Launch.bat, a renamed LuaJIT runtime named unc.exe, and an obfuscated Lua script stored as license.txt. Submitted to an automated scanner on its own, neither payload component looks malicious: unc.exe is a legitimate interpreter under a different name, and license.txt is inert text until an interpreter is pointed at it.

The threat only materialises when the batch file runs the interpreter against the script, a design that exploits the way standard sandboxes analyze files one at a time rather than as the package the victim actually runs.

Two-Component Payload Structure — Launch.bat, unc.exe, license.txt (Source - Netskope)

Once the batch file has handed the script to the runtime, the script runs five anti-analysis checks before doing anything else: it looks for an attached debugger, low RAM, short system uptime, elevated privileges, and specific computer names, all common traits of analysis VMs.

If any check trips, the script stops doing anything observable; the report describes a Sleep() call spanning roughly 29,000 years, long enough to outlast any timed analysis window, so the sandbox times out with nothing to log. On a real machine, where none of the checks trip, the payload runs to completion. The net effect is a clean verdict from the automated pipeline for a file that executes fully on the victim. (The Win32 Sleep() API takes a 32-bit millisecond count, which caps a single call at about 49.7 days, so a delay of the reported length implies a looping sleep or a different timing primitive; for a timed sandbox the outcome is the same.)

The script itself has been run through the Prometheus obfuscator, which rewrites its control flow and makes static analysis unreliable. At runtime, four registry writes disable Windows proxy auto-detection, so the payload's outbound traffic sidesteps a corporate proxy that clients would otherwise pick up through auto-configuration. This only helps the malware against proxies that clients discover through Windows' own auto-detection; the traffic still crosses the network edge, where a transparent inspection point or an egress block on the C2 addresses catches it regardless.
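As an added example (not Netskope's tooling and not code from the page), the following script shows one way to catch that registry tampering from Sysmon telemetry. The article does not list the four values written, so the value names it watches are an assumption, namely the well-known WinINet settings under Internet Settings that control WPAD auto-detect and manual proxy configuration; the process path, the trusted-root heuristic and the Sysmon Event ID 13 records are all constructed.

```python
"""Flag a process that disables Windows proxy auto-detection in one burst.

Added example for this article; not Netskope's code and not the page's.  The
article does not name the four registry values the payload writes, so the
value names below are an assumption: they are the well-known WinINet settings
under ...\\Internet Settings that govern WPAD auto-detect and manual proxies.
The Sysmon Event ID 13 (RegistryEvent, value set) records are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Assumed target values (the page does not list them).
PROXY_VALUES = {"autodetect", "proxyenable", "autoconfigurl", "defaultconnectionsettings"}
# Assumed: images outside these roots count as "untrusted" when scoring the alert.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")


def _ts(s: str) -> datetime:
    # Sysmon UtcTime looks like "2026-03-20 10:00:01.123"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_proxy_value(target: str) -> bool:
    """True when TargetObject is one of the proxy settings under Internet Settings."""
    t = target.lower()
    return "\\internet settings\\" in t and t.rsplit("\\", 1)[-1] in PROXY_VALUES


def detect_proxy_tamper(events, window_s=10, min_values=2):
    """Group value-set events by process; alert when one process rewrites
    >= min_values distinct proxy settings within window_s seconds."""
    by_proc = defaultdict(list)
    for e in events:
        if e.get("EventID") == 13 and is_proxy_value(e["TargetObject"]):
            by_proc[e["ProcessGuid"]].append(e)

    alerts = []
    for guid, evs in by_proc.items():
        evs.sort(key=lambda e: _ts(e["UtcTime"]))
        for i, first in enumerate(evs):
            burst = [x for x in evs[i:]
                     if (_ts(x["UtcTime"]) - _ts(first["UtcTime"])).total_seconds() <= window_s]
            names = sorted({x["TargetObject"].rsplit("\\", 1)[-1] for x in burst})
            if len(names) >= min_values:
                image = first["Image"]
                alerts.append({
                    "process_guid": guid,
                    "image": image,
                    "values": names,
                    "untrusted_path": not image.lower().startswith(TRUSTED_ROOTS),
                    "first_seen": first["UtcTime"],
                })
                break  # one alert per process is enough
    return alerts


_HKU = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\"
_UNC = "C:\\Users\\dev\\Downloads\\openclaw-docker\\unc.exe"   # constructed path; file name mirrors the article

# Constructed sample: one burst from the renamed interpreter, plus benign single writes.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2026-03-20 10:00:01.010", "ProcessGuid": "{A}", "Image": _UNC,
     "TargetObject": _HKU + "AutoDetect", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2026-03-20 10:00:01.020", "ProcessGuid": "{A}", "Image": _UNC,
     "TargetObject": _HKU + "ProxyEnable", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2026-03-20 10:00:01.030", "ProcessGuid": "{A}", "Image": _UNC,
     "TargetObject": _HKU + "AutoConfigURL", "Details": "(Empty)"},
    {"EventID": 13, "UtcTime": "2026-03-20 10:00:02.500", "ProcessGuid": "{A}", "Image": _UNC,
     "TargetObject": _HKU + "Connections\\DefaultConnectionSettings", "Details": "Binary Data"},
    # Benign: a system binary toggling a single value, as the Internet Options dialog would.
    {"EventID": 13, "UtcTime": "2026-03-20 10:05:00.000", "ProcessGuid": "{B}",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetObject": _HKU + "ProxyEnable", "Details": "DWORD (0x00000001)"},
    # Benign: an unrelated registry write by a browser.
    {"EventID": 13, "UtcTime": "2026-03-20 10:06:00.000", "ProcessGuid": "{C}",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Google\\Chrome\\Foo",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for a in detect_proxy_tamper(SAMPLE_EVENTS):
        print(a)
```

The burst window matters more than any single value: a user flipping one checkbox in Internet Options produces one write from a system binary, while a script zeroing the whole proxy configuration produces several within a second from whatever launched it. The untrusted-path flag is what should raise the alert's priority when the writer lives in Downloads or Temp.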

The payload then captures the full desktop and uploads it via a hardcoded multipart POST to the Frankfurt C2 server, which responds with encrypted task and loader blobs saved to the victim’s Documents folder. 

Communication and Screenshot Exfiltration (Source - Netskope)

The C2 multipart boundary is a fixed 38-character value repeated across every observed request, which Netskope takes as a sign that the operator likely used AI-assisted code generation to build the server-side panel. Whatever its origin, a boundary that never varies is also a usable network signature: browsers and mainstream HTTP libraries generate a fresh random boundary for each request, so the same value recurring across many hosts stands out.
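The following added example (not Netskope's code, nor the page's) parses captured HTTP POSTs and flags a multipart boundary reused across requests from multiple hosts. The real boundary value is not reproduced here; the constructed one is built to the same 38-character length as a Chrome-style boundary to make the point that length and format alone are not a signature, reuse is. The C2 host name, the form field names and the captured requests are all constructed.

```python
"""Spot a multipart upload whose boundary never changes across hosts.

Added example for this article; not Netskope's code and not the page's.  The
real boundary is not published here, so the one below is constructed; it is
built to the same 38-character length as a Chrome-style
"----WebKitFormBoundary" + 16 characters boundary to show that length and
format alone prove nothing, only reuse does.  The C2 host name, field names
and the captured requests are likewise constructed.
"""
import re
from collections import defaultdict

BOUNDARY_RE = re.compile(r'boundary=("?)([^";]+)\1', re.IGNORECASE)
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"BM")  # PNG, JPEG, BMP


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return {"request_line": lines[0], "headers": headers, "body": body}


def extract_boundary(content_type: str):
    m = BOUNDARY_RE.search(content_type or "")
    return m.group(2) if m else None


def split_multipart(body: bytes, boundary: str) -> list:
    """Return the parts of a multipart/form-data body as (headers, payload) pairs."""
    delim = b"--" + boundary.encode("latin-1")
    parts = []
    for piece in body.split(delim):
        if piece.startswith(b"--"):        # closing delimiter
            break
        if not piece.startswith(b"\r\n"):  # preamble or garbage before the first part
            continue
        chunk = piece[2:]
        if chunk.endswith(b"\r\n"):        # the CRLF before the next delimiter belongs to it
            chunk = chunk[:-2]
        hdr, _, payload = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in hdr.decode("latin-1").split("\r\n"):
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        parts.append((headers, payload))
    return parts


def detect_fixed_boundary(captures, min_requests=3, min_hosts=2):
    """captures: iterable of (source_host, raw_request_bytes).
    Alert on any boundary seen in >= min_requests requests from >= min_hosts hosts."""
    seen = defaultdict(lambda: {"hosts": set(), "requests": 0, "image_upload": False})
    for host, raw in captures:
        req = parse_request(raw)
        ct = req["headers"].get("content-type", "")
        if not ct.lower().startswith("multipart/form-data"):
            continue
        b = extract_boundary(ct)
        if not b:
            continue
        rec = seen[b]
        rec["hosts"].add(host)
        rec["requests"] += 1
        for _, payload in split_multipart(req["body"], b):
            if payload.startswith(IMAGE_MAGIC):   # a screenshot travelling in the form
                rec["image_upload"] = True
    return [
        {"boundary": b, "hosts": len(r["hosts"]), "requests": r["requests"],
         "image_upload": r["image_upload"]}
        for b, r in seen.items()
        if r["requests"] >= min_requests and len(r["hosts"]) >= min_hosts
    ]


def build_post(boundary: str, client_id: bytes, image: bytes) -> bytes:
    """Construct a screenshot-upload POST in the shape a hard-coded client might send."""
    b = boundary.encode("latin-1")
    body = (b"--" + b + b"\r\n"
            b'Content-Disposition: form-data; name="id"\r\n\r\n' + client_id + b"\r\n"
            b"--" + b + b"\r\n"
            b'Content-Disposition: form-data; name="screenshot"; filename="s.png"\r\n'
            b"Content-Type: image/png\r\n\r\n" + image + b"\r\n"
            b"--" + b + b"--\r\n")
    head = (b"POST /upload HTTP/1.1\r\nHost: c2.example.invalid\r\n"
            b"Content-Type: multipart/form-data; boundary=" + b + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


FIXED_BOUNDARY = "----WebKitFormBoundary" + "EXAMPLE000000000"   # constructed, 38 chars
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32                          # constructed stub, not a real image

# Constructed captures: four uploads from three hosts reuse one boundary;
# one upload from a fourth host uses a fresh boundary, as a normal client would.
SAMPLE_CAPTURES = [
    ("10.0.0.11", build_post(FIXED_BOUNDARY, b"host-a", PNG)),
    ("10.0.0.12", build_post(FIXED_BOUNDARY, b"host-b", PNG)),
    ("10.0.0.13", build_post(FIXED_BOUNDARY, b"host-c", PNG)),
    ("10.0.0.11", build_post(FIXED_BOUNDARY, b"host-a", PNG)),
    ("10.0.0.20", build_post("----WebKitFormBoundaryq3Z8kLm2Xp9RtVw1", b"host-d", PNG)),
]

if __name__ == "__main__":
    for alert in detect_fixed_boundary(SAMPLE_CAPTURES):
        print(alert)
```

Run against a proxy or NDR capture, the useful output is the boundary string itself, which can then be turned into a content rule; the image_upload flag distinguishes a screenshot exfiltration channel from, say, a telemetry client that happens to hard-code its boundary.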

Anyone who downloaded packages from the three affected repositories should treat their machine as compromised and look for signs of unauthorized access.

Security teams should treat any GitHub download pairing a renamed interpreter with an opaque data file as a high-priority triage case.
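As an added example that is neither Netskope's tooling nor code from the page, the script below implements that triage rule for the three-file layout described under Two Files, One Weapon: it reads a ZIP in memory, finds batch lines that run an .exe with a file argument, and flags the pair when the executable is a LuaJIT binary under a non-standard name and the argument is Lua (bytecode or source) hiding behind another extension. The LuaJIT version banner and bytecode magic are the real ones; the sample archive, including the fake unc.exe (an MZ header with padding, not a real PE), the Lua source hints used as a heuristic, and the list of standard interpreter names are constructed or assumed.

```python
"""Triage a downloaded archive for a renamed interpreter driven by a disguised script.

Added example for this article; not Netskope's tooling and not the page's code.
It looks for the three-file pattern the article describes (launcher .bat,
renamed LuaJIT runtime, Lua script under a non-script extension).  Assumptions:
a LuaJIT binary still carries the literal "LuaJIT" version banner (real builds
do), LuaJIT bytecode starts with the magic bytes ESC 'L' 'J' (the real header),
and the sample archive below is constructed in memory; the fake "unc.exe" is an
MZ header plus padding, not a real executable.
"""
import io
import re
import zipfile

LUAJIT_MARKER = b"LuaJIT"
LUAJIT_BC_MAGIC = b"\x1bLJ"
LUA_SOURCE_HINTS = (b"local ", b"function", b"string.char", b"loadstring", b"string.byte", b"bit.bxor")
KNOWN_INTERPRETER_NAMES = {"luajit.exe", "lua.exe", "lua51.exe", "lua5.1.exe"}
# "<something>.exe  <argument-file>" on a batch line; %~dp0 prefixes are stripped first.
BAT_CMD_RE = re.compile(r'(?:^|[\s"])([\w.-]+\.exe)"?\s+"?([\w.-]+\.\w+)', re.IGNORECASE | re.MULTILINE)


def is_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"


def looks_like_lua(data: bytes) -> bool:
    """Bytecode header, or at least two Lua-source tokens in the first 4 KiB."""
    if data.startswith(LUAJIT_BC_MAGIC):
        return True
    head = data[:4096]
    return sum(h in head for h in LUA_SOURCE_HINTS) >= 2


def triage_files(files: dict) -> list:
    """files: {lower-cased name: bytes}.  Returns one finding per launcher line that
    runs a renamed LuaJIT binary with a non-.lua file as its argument."""
    findings = []
    for name, data in files.items():
        if not name.endswith((".bat", ".cmd")):
            continue
        text = data.decode("utf-8", errors="replace").replace("%~dp0", "")
        for exe, arg in BAT_CMD_RE.findall(text):
            exe_data = files.get(exe.lower())
            arg_data = files.get(arg.lower())
            if exe_data is None or arg_data is None:
                continue
            renamed = (is_pe(exe_data) and LUAJIT_MARKER in exe_data
                       and exe.lower() not in KNOWN_INTERPRETER_NAMES)
            disguised = not arg.lower().endswith(".lua") and looks_like_lua(arg_data)
            if renamed and disguised:
                findings.append({"launcher": name, "interpreter": exe.lower(), "script": arg.lower(),
                                 "bytecode": arg_data.startswith(LUAJIT_BC_MAGIC)})
    return findings


def triage_zip(blob: bytes) -> list:
    """Read a ZIP entirely in memory (nothing is extracted to disk) and triage it."""
    files = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
            files[base] = zf.read(info)   # directory structure is flattened to base names
    return triage_files(files)


def build_sample_archive() -> bytes:
    """Constructed look-alike of the package layout the article describes."""
    fake_luajit = b"MZ" + b"\x00" * 126 + b"LuaJIT 2.1.0-beta3 -- Copyright (C) 2005-2017 Mike Pall\x00"
    obfuscated = (b"local _=string.char;local a=(function(...)return _(0x6f,0x73)end)();\r\n"
                  b"return loadstring(a)()\r\n")
    launcher = b'@echo off\r\nstart "" "%~dp0unc.exe" "%~dp0license.txt"\r\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("openclaw-docker/Launch.bat", launcher)
        zf.writestr("openclaw-docker/unc.exe", fake_luajit)
        zf.writestr("openclaw-docker/license.txt", obfuscated)
        zf.writestr("openclaw-docker/README.md", b"# openclaw-docker\r\nlocal function docs\r\n")
    return buf.getvalue()


def run_demo() -> list:
    return triage_zip(build_sample_archive())


if __name__ == "__main__":
    for f in run_demo():
        print("SUSPICIOUS:", f)
```

The rule deliberately ignores how each file scores alone and keys on the relationship the launcher creates between them, which is exactly what a per-file sandbox verdict misses; reading the archive in memory also avoids extracting attacker-controlled paths onto the analyst's disk.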

The published IOCs should be deployed immediately into EDR and network monitoring tools, and all outbound connections to the confirmed C2 IP addresses should be blocked at the firewall level.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Jennifer Sherman
Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

All Rights Reserved by HackersRadar ©2026
