Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AnyDesk Critical 0-Day Vulnerability Lets Attackers Trigger DoS
July 16, 2026
Next.js Launches Monthly Security Releases, Patches 9 Vulnerabilities
July 16, 2026
SonicWall SMA 1000 Zero-Day Actively Exploited
July 16, 2026
Home/Threats/Fake OpenClaw Installer Steals Crypto Wallet and Password Manager Credentials
Threats

Fake OpenClaw Installer Steals Crypto Wallet and Password Manager Credentials

Key Takeaways A sophisticated infostealer campaign, dubbed “Hologram” by researchers, is actively distributing malware disguised as an installer for the OpenClaw AI assistant. The malware...

Marcus Rodriguez
Marcus Rodriguez
May 8, 2026 5 Min Read
51 0

Key Takeaways

  • A sophisticated infostealer campaign, dubbed “Hologram” by researchers, is actively distributing malware disguised as an installer for the OpenClaw AI assistant.
  • The malware targets over 250 browser extensions, including popular crypto wallets like MetaMask and Coinbase, as well as password managers such as LastPass and 1Password.
  • Initial infection occurs via a convincing fake website, openclaw-installer.com, distributing a large, Rust-based executable designed to evade traditional security defenses.
  • The threat employs advanced anti-analysis techniques, modular components, and dynamic command-and-control infrastructure to ensure persistence and evade detection.

Sophisticated Infostealer Targets Crypto Wallets and Password Managers

A new infostealer operation is aggressively pursuing highly sensitive user data, specifically credentials associated with cryptocurrency wallets and password managers. Threat actors are cloaking their malicious software as a legitimate installer for OpenClaw, an open-source personal AI assistant. Once established on a system, this advanced infostealer meticulously compromises targets, focusing on more than 250 browser extensions crucial for financial transactions and authentication.

Table Of Content

  • Key Takeaways
  • Sophisticated Infostealer Targets Crypto Wallets and Password Managers
  • A Rapidly Evolving Threat With Rotating Infrastructure
  • What You Should Do
  • Indicators of Compromise (IoCs):-
  • File Hashes
  • Domains
  • IP Addresses
  • Dead-drop and Staging URLs

The attack chain commences with a deceptive website, openclaw-installer.com, registered on March 9, 2026. This site directs visitors to download a file named OpenClaw_x64[.]7z. Inside this archive lies a 130MB Rust-based executable, strategically padded with non-functional documentation. This deliberate file size is a tactic to bypass common antivirus file-size thresholds and overwhelm automated sandbox upload limits, thereby aiding its stealthy deployment. Netskope Threat Labs researchers were instrumental in uncovering this campaign, which they have designated the “Hologram” wave. This represents a more advanced iteration of the operation. Intriguingly, the dropper’s own manifest explicitly identifies itself as “Hologram,” with the description: “Decoy entity generator for tactical misdirection.”

The fake installer initiates a series of checks to detect virtual machine or sandbox environments. It scrutinizes BIOS strings, suspicious software libraries, and hardware profiles for discrepancies indicative of an emulated system. If these preliminary checks are successfully evaded, the malware then patiently awaits genuine mouse movement before proceeding. This tactic is designed to thwart automated sandboxes, which typically lack such human interaction, leaving the malware dormant and undetected.

Fake OpenClaw Graphical Installer Page (Source - Netskope)
Fake OpenClaw Graphical Installer Page (Source – Netskope)

Upon confirming its presence on a live user machine, the dropper disables Windows Defender, opens specific firewall ports, and then downloads six distinct modular components. The attackers receive real-time confirmation in a private Telegram channel once all six modules have successfully loaded.

The scope of credential theft in this campaign is extensive and meticulously organized. The malware retrieves a dynamic targeting list from an attacker-controlled Azure DevOps organization. This list encompasses 250 browser extensions, including 201 crypto wallets such as MetaMask, Phantom, Coinbase, OKX, Rabby, and Ronin, alongside 49 password managers and authenticator applications like Bitwarden, LastPass, 1Password, NordPass, KeePass, and Google Authenticator. Additionally, the malware independently accesses Ledger Live data directly from the filesystem, establishing two distinct avenues for data exfiltration.

A key element of this campaign’s resilience is the remote management of the target list, hosted within a Git repository. This allows the attackers to modify and expand the list of targeted applications without needing to recompile or redeploy the core malware, enabling silent and continuous expansion of their attack surface without triggering new detections.

The six stage-2 modules each perform specialized functions. One module is dedicated to collecting hardware fingerprints, enabling the attackers to assess the value of a compromised system. Another establishes a persistent connection to the attacker’s command-and-control server. A third module employs a novel technique, loading a hidden .NET assembly entirely in memory using a Rust component named clroxide—a method previously undocumented in crimeware campaigns. The malware ensures robust persistence through multiple mechanisms, including registry autoruns, a Windows logon hijack, a scheduled task, and Telegram-based droppers, which can restore the implant even if the primary components are removed.

A Rapidly Evolving Threat With Rotating Infrastructure

A significant challenge in neutralizing this campaign stems from the attackers’ dynamic infrastructure management. The command server address is never hardcoded into the malware. Instead, the implant retrieves it from a Telegram channel description. This ingenious design allows the attackers to instantly switch to a new domain if an existing one is blocked, ensuring continuous operation. During active analysis, the attackers demonstrated this agility by rotating every layer of their infrastructure before research findings could be publicly disseminated.

Screenshot showing the OneDriveSync startup link (Source - Netskope)
Screenshot showing the OneDriveSync startup link (Source – Netskope)

All exfiltrated victim data, including usernames, IP addresses, and timestamps, is routed through Hookdeck, a legitimate webhook relay service. This sophisticated approach prevents the attacker’s Telegram bot token from appearing in network traffic, significantly complicating efforts to trace the actual command backend.

What You Should Do

  • Exercise Extreme Caution with Downloads: Always download software directly from official vendor websites. Be highly suspicious of third-party download sites, even if they appear legitimate.
  • Verify Website Authenticity: Before downloading any software, double-check the URL for typosquatting or subtle misspellings (e.g., “openclaw-installer.com” instead of the official domain).
  • Enable Advanced Endpoint Detection: Implement and maintain Endpoint Detection and Response (EDR) solutions capable of behavioral analysis, as signature-based detection may be insufficient against such sophisticated threats.
  • Monitor for Unusual Network Activity: Look for outbound traffic to known webhook relay domains (e.g., hkdk.events), unexpected connections to Azure DevOps from non-development processes, and programmatic opening of firewall ports in the 56001-57002 range.
  • Implement Application-Level Inspection: Utilize security tools that can inspect traffic at the application layer to detect malicious activity within otherwise trusted services.
  • Educate Users: Conduct regular cybersecurity awareness training for all users on phishing, suspicious downloads, and the importance of verifying software sources.
  • Review Indicators of Compromise (IoCs): Integrate the provided IoCs into your security information and event management (SIEM) systems and threat intelligence platforms for proactive detection.

Indicators of Compromise (IoCs):-

File Hashes

Type Indicator Description
SHA256 4014048f8e60d39f724d5b1ae34210ffeac151e1f2d4813dbb51c719d4ad7c3a OpenClaw_x64[.]exe — Hologram dropper v1.7.16 (Rust, 130MB padded)
SHA256 f03736fadffcb7bef122d25d6ace8044378d4fa455f7f48081a3b32c80eb4ed2 OpenClaw_x64[.]7z — Hologram dropper container archive
SHA256 f554b6f34fd2710929d74af550ddb50633d36eaf0533f2d0cbbde75670676486 OpenClaw_x64[.]exe — Pathfinder dropper v3.7.16 (Rust, 118MB padded)
SHA256 40fc240febf2441d58a7e2554e4590e172bfefd289a5d9fa6781de38e266b378 svc_service[.]exe — Stealth Packer C2 beacon / CLR loader (Hologram)
SHA256 4fcfcb83145223cca6db85e7c840876ec8a56d78efba85ab70287b0e5c8a696 svc_service[.]exe — Stealth Packer C2 beacon wave 2, beacons to 193.202.84.14:56001 (Pathfinder)
SHA256 605096b9729bd8eedab460dbd4baf702029fb59842020a27fc0f99fd2ef63040 virtnetwork[.]exe — Stealth Packer HTTPS C2 tunnel (Hologram)
SHA256 6ae9f9cfa8e638e933ad8b06de7434c395ec68ee9cc4e735069bfb64646bb180 onedrive_sync[.]exe — Reflective PE loader via memexec (Hologram)
SHA256 0c4a9d3579485eaf8801e5ac479cd322ee1e7161b54cc24689b891fa82ba0f1e audioeq[.]exe — System fingerprinter / recon (Hologram)
SHA256 fd67063ffb0bcde44dca5fea09cc0913150161d7cb13cffc2a001a0894f12690 WinHealhCare[.]exe — Telegram-bot dropper v2.0 (Hologram)
SHA256 d5dffba463beae207aee339f88a18cfcd2ea2cd3e36e98d27297d819a1809846 OneSync[.]exe — Telegram-bot dropper v1.6 (Hologram)
SHA256 787a28aff72f2ecd2f5e75baf284e61bda9ab8dd3905822c6f620cce809952e8 vicloud[.]exe — Vidar infostealer (Pathfinder)
SHA256 1478ccc61b69cee462ea98621ba53adf2de0ce28355c5c4eafaed6d779c8acda dbau[.]exe — Unknown role (Pathfinder)

Domains

Type Indicator Description
Domain openclaw-installer.com All waves — Delivery / typosquat site
Domain hkdk.events All waves — C2 Hookdeck relay
Domain dev.azure.com All waves — Payload staging (org: sagonbretzpr)
Domain api.telegram.org All waves — C2 / victim telemetry
Domain frr.rubensbruno.adv.br Hologram — Primary C2 (hijacked Brazilian law firm domain)
Domain mikolirentryifosttry.info Hologram — Secondary C2
Domain transcloud.cc Hologram — C2 for svc_service[.]exe
Domain steamhostserver.cc Hologram — C2 rotation
Domain serverconect.cc Hologram — C2 rotation and loader staging
Domain jollymccalister.lol Hologram — Dead C2
Domain t.me/b8bz11 Hologram — Telegram dead-drop
Domain snippet.host Hologram — Dead-drop
Domain loclx.io Hologram — C2 tunnel
Domain hwd.hidayahnetwork.com Pathfinder — Primary C2
Domain zkevopenanu.cfd Pathfinder — Secondary C2
Domain Rr3Ueff.pw Pathfinder — Candidate C2 / dead-drop (unconfirmed)
Domain t.me/hgo9tx Pathfinder — Telegram dead-drop
Domain pastebin.com Pathfinder — Dead-drop

IP Addresses

Type Indicator Description
IP 188.114.97.3 Hologram — Proxy for frr.rubensbruno.adv.br primary C2
IP 45.55.35.48 Hologram — svc_service[.]exe C2 beacon (port 57001); steamhostserver[.]cc / serverconect[.]cc
IP 193.202.84.14 Pathfinder — svc_service[.]exe wave-2 C2 beacon (port 56001)
IP 185.196.9.98 Hologram — transcloud[.]cc resolution (svc_service[.]exe)
IP 91.92.242.30 Hologram — Infrastructure
IP 147.45.197.92 Hologram — Encrypted beacon from nested payload
IP 94.228.161.88 Hologram — Encrypted beacon from nested payload
IP 86.54.42.72 Hologram — jollymccalister.lol historical resolution; dead C2

Dead-drop and Staging URLs

Type Indicator Description
URL https://snippet.host/efguhk/raw Hologram
URL https://snippet.host/iqqmib/raw Hologram
URL https://snippet.host/wtbtew/raw Hologram
URL https://snippet.host/uikosx/raw Hologram and Pathfinder
URL https://pastebin.com/raw/M6KthA5Z Hologram
URL https://pastebin.com/raw/csi5UqpEw Hologram
URL https://pastebin.com/

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwareSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

ZiChatBot Malware Uses Zulip API for Command and Control

Next Post

Skoda Online Shop Security Incident Exposes Customer Data

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dutch Police Dismantle €100M Investment Fraud Network, 20 Call Centers Shut Down
July 16, 2026
JetBrains Patches 6 Vulnerabilities in TeamCity, YouTrack, IntelliJ IDEA
July 16, 2026
WhatsApp GhostPairing Flaw Lets Attackers Hijack Accounts
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us