Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Linux and Ubiquiti Flaws, Accenture Breach, Android Exploit
July 12, 2026
Microsoft Teams macOS Bug Exposes Screen Sharing Content
July 12, 2026
Apple Sues OpenAI and Ex-Staff Over Alleged Trade Secret Theft
July 12, 2026
Home/Threats/Critical OpenClaw DeepSeek AI Skill Exploits Agentic Workflows to Deliver RAT and Stealer
Threats

Critical OpenClaw DeepSeek AI Skill Exploits Agentic Workflows to Deliver RAT and Stealer

Key Takeaways A new, sophisticated malware campaign leverages a fake “DeepSeek-Claw” skill for the OpenClaw AI framework to target developers and AI-driven systems. The attack exploits...

Jennifer sherman
Jennifer sherman
May 6, 2026 5 Min Read
50 0

Key Takeaways

  • A new, sophisticated malware campaign leverages a fake “DeepSeek-Claw” skill for the OpenClaw AI framework to target developers and AI-driven systems.
  • The attack exploits automated AI agent workflows to deliver either Remcos RAT (for Windows) or GhostLoader (for macOS/Linux/manual Windows installs), enabling remote control and extensive data theft.
  • Discovered by Zscaler ThreatLabZ in March 2026, the threat bypasses traditional security measures by embedding malicious commands within a seemingly legitimate GitHub-hosted plugin.
  • Compromised developer environments could lead to significant organizational infrastructure exposure, as the malware steals sensitive credentials, SSH keys, and cloud tokens.

A cunning malware operation is actively targeting developers and advanced AI systems by disguising itself as a legitimate plugin for an open-source AI framework. This campaign exploits the very nature of modern AI agents, weaponizing their automated workflows against unsuspecting users and the systems they aim to assist.

Table Of Content

  • Key Takeaways
  • How the OpenClaw Skill Attack Unfolds
  • GhostLoader and the Developer Data Threat
  • What You Should Do

The malicious payload, delivered via a fraudulent “DeepSeek-Claw” skill designed for the OpenClaw framework, pursues two primary objectives: establishing remote control over compromised machines and exfiltrating sensitive data. Its adaptable design allows it to tailor its attack based on the target operating system, ensuring persistence and versatility across Windows, macOS, and Linux environments.

Researchers at Zscaler ThreatLabZ first identified this campaign in March 2026. Their investigation revealed that the threat actor published the deceptive skill on GitHub, strategically anticipating that AI agents and developers would integrate it into automated workflows without rigorous scrutiny. By embedding hidden commands within a standard instruction file, the attackers circumvented the need for conventional phishing or social engineering tactics.

Upon the download of the malicious skill, the attack vector bifurcates based on the installation method. Windows users initiating the installation through an automated AI-driven path become infected with Remcos RAT, a potent remote access tool. Conversely, users on macOS, Linux, or those on Windows who opt for a manual installation path are instead compromised by GhostLoader, a cross-platform stealer designed to pilfer credentials and sensitive data from developer environments.

The ramifications of this attack extend far beyond individual machines. With Remcos providing attackers with full remote shell capabilities and GhostLoader siphoning cloud tokens, SSH keys, and browser session cookies, a single compromised developer workstation could potentially expose an entire organization’s infrastructure within minutes of executing what appears to be a routine installation command.

How the OpenClaw Skill Attack Unfolds

The OpenClaw framework, previously known as Clawdbot and Moltbot, is an open-source tool designed to enable AI agents to execute complex, high-privilege tasks on local systems. Its modular “skill” architecture proved to be the critical vulnerability exploited by the attackers. The counterfeit DeepSeek-Claw skill presented a legitimate facade, but its SKILL.md file covertly contained a poisoned PowerShell command. This command silently downloaded and executed a remote Windows Installer package from a server controlled by the threat actor.

OpenClaw skill markup file content showing commands that install Remcos RAT (Source - Zscaler)
OpenClaw skill markup file content showing commands that install Remcos RAT (Source – Zscaler)

This installer then deposited two files onto the system: a genuine, digitally signed GoToMeeting executable and a malicious DLL disguised as its dependency. When the trusted GoToMeeting application was launched, it was tricked into loading the fraudulent DLL instead—a technique known as DLL sideloading. The malicious DLL subsequently patched critical Windows security tools in memory to disable their detection capabilities before decrypting and initiating Remcos RAT, which established an encrypted communication channel back to the attacker’s command and control server.

Remcos immediately entered stealth mode upon execution, initiating keystroke logging, stealing browser cookies, and providing the attacker with an interactive reverse shell, granting them the ability to execute any command on the infected host. This entire execution chain, from a seemingly innocuous AI skill to full remote control, required no user intervention beyond a single automated installation step triggered by an AI agent.

GhostLoader and the Developer Data Threat

The alternative attack path, designed for macOS and Linux environments, utilized a heavily obfuscated Node.js file embedded within npm lifecycle scripts. When the installation command was executed, it silently deployed GhostLoader onto the system.

OpenClaw skill markup file content showing commands that install GhostLoader (Source - Zscaler)
OpenClaw skill markup file content showing commands that install GhostLoader (Source – Zscaler)

On macOS and Linux, the malware also presented deceptive password prompts, attempting to trick users into directly divulging their credentials. Once active, GhostLoader meticulously scoured the host for valuable assets, including macOS Keychain data, SSH keys, cryptocurrency wallet files, and cloud API tokens. All collected data was then exfiltrated to attacker-controlled servers.

Zscaler’s analysts emphasize that as AI agents become increasingly integrated into development pipelines, supply chain poisoning through counterfeit skills represents a growing threat. Organizations must rigorously vet all third-party plugins and enforce stringent behavioral monitoring for any tools interacting with privileged local resources.

Indicators of Compromise (IoCs):

  • MD5 Hash: 1c267cab0a800a7b2d598bc1b112d5ce (“DeepSeek-Claw” named OpenClaw Skill)
  • MD5 Hash: 2A5F619C966EF79F4586A433E3D5E7BA (MSI Installer)
  • URL: hxxps://cloudcraftshub[.]com/api (MSI download URL)
  • URL: hxxp://dropras[.]xyz/ (MSI download URL)
  • URL: https://github.com/Needvainverter93/deepseek-claw (Malicious GitHub repository)
  • MD5 Hash: CC1AF839A956C8E2BF8E721F5D3B7373 (Shellcode loader g2m.dll)
  • MD5 Hash: 2C4B7C8B48E6B4E5F3E8854F2ABFEDB5 (Remcos RAT payload)
  • IP:Port: 146[.]19.24[.]131:2404 (Remcos RAT C2 server)
  • URL: hxxps://trackpipe[.]dev (GhostLoader C2 server)

What You Should Do

  • Vet Third-Party AI Skills and Plugins: Implement a rigorous vetting process for all third-party AI skills, plugins, and libraries, especially those integrated into automated development workflows. Verify the authenticity and integrity of sources beyond basic reputation.
  • Implement Behavioral Monitoring: Deploy advanced endpoint detection and response (EDR) solutions with strong behavioral monitoring capabilities for all developer workstations and AI agent environments. Focus on detecting unusual process activity, network connections, and attempts to modify security tools.
  • Enforce Principle of Least Privilege: Ensure that AI agents and developer tools operate with the minimum necessary privileges. Limit their ability to execute arbitrary commands or interact with sensitive system resources.
  • Segment Developer Environments: Isolate developer environments from production systems and critical infrastructure. Implement network segmentation to limit lateral movement in case of a compromise.
  • Educate Developers on Supply Chain Risks: Conduct regular training for developers on the risks of supply chain attacks, especially concerning open-source components and AI frameworks. Emphasize the importance of verifying package authenticity.
  • Monitor for IoCs: Integrate the provided Indicators of Compromise (IoCs) into your security information and event management (SIEM) and threat intelligence platforms to detect potential infections.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwarePatchphishingSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Iranian Hackers Target Oman Ministries with Webshells and Data Theft

Next Post

Critical Salesforce Marketing Cloud Flaw Exposed Email Data

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
CISA Report Details Lessons Learned From AWS GovCloud Credential Leak
July 11, 2026
281 Android VPN Apps Leak Sensitive Data, Transfer Data Unencrypted
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us