Critical OpenClaw DeepSeek AI Skill Exploits Agentic Workflows to Deliver RAT and Stealer
Key Takeaways A new, sophisticated malware campaign leverages a fake “DeepSeek-Claw” skill for the OpenClaw AI framework to target developers and AI-driven systems. The attack exploits...
Key Takeaways
- A new, sophisticated malware campaign leverages a fake “DeepSeek-Claw” skill for the OpenClaw AI framework to target developers and AI-driven systems.
- The attack exploits automated AI agent workflows to deliver either Remcos RAT (for Windows) or GhostLoader (for macOS/Linux/manual Windows installs), enabling remote control and extensive data theft.
- Discovered by Zscaler ThreatLabZ in March 2026, the threat bypasses traditional security measures by embedding malicious commands within a seemingly legitimate GitHub-hosted plugin.
- Compromised developer environments could lead to significant organizational infrastructure exposure, as the malware steals sensitive credentials, SSH keys, and cloud tokens.
A cunning malware operation is actively targeting developers and advanced AI systems by disguising itself as a legitimate plugin for an open-source AI framework. This campaign exploits the very nature of modern AI agents, weaponizing their automated workflows against unsuspecting users and the systems they aim to assist.
Table Of Content
The malicious payload, delivered via a fraudulent “DeepSeek-Claw” skill designed for the OpenClaw framework, pursues two primary objectives: establishing remote control over compromised machines and exfiltrating sensitive data. Its adaptable design allows it to tailor its attack based on the target operating system, ensuring persistence and versatility across Windows, macOS, and Linux environments.
Researchers at Zscaler ThreatLabZ first identified this campaign in March 2026. Their investigation revealed that the threat actor published the deceptive skill on GitHub, strategically anticipating that AI agents and developers would integrate it into automated workflows without rigorous scrutiny. By embedding hidden commands within a standard instruction file, the attackers circumvented the need for conventional phishing or social engineering tactics.
Upon the download of the malicious skill, the attack vector bifurcates based on the installation method. Windows users initiating the installation through an automated AI-driven path become infected with Remcos RAT, a potent remote access tool. Conversely, users on macOS, Linux, or those on Windows who opt for a manual installation path are instead compromised by GhostLoader, a cross-platform stealer designed to pilfer credentials and sensitive data from developer environments.
The ramifications of this attack extend far beyond individual machines. With Remcos providing attackers with full remote shell capabilities and GhostLoader siphoning cloud tokens, SSH keys, and browser session cookies, a single compromised developer workstation could potentially expose an entire organization’s infrastructure within minutes of executing what appears to be a routine installation command.
How the OpenClaw Skill Attack Unfolds
The OpenClaw framework, previously known as Clawdbot and Moltbot, is an open-source tool designed to enable AI agents to execute complex, high-privilege tasks on local systems. Its modular “skill” architecture proved to be the critical vulnerability exploited by the attackers. The counterfeit DeepSeek-Claw skill presented a legitimate facade, but its SKILL.md file covertly contained a poisoned PowerShell command. This command silently downloaded and executed a remote Windows Installer package from a server controlled by the threat actor.

This installer then deposited two files onto the system: a genuine, digitally signed GoToMeeting executable and a malicious DLL disguised as its dependency. When the trusted GoToMeeting application was launched, it was tricked into loading the fraudulent DLL instead—a technique known as DLL sideloading. The malicious DLL subsequently patched critical Windows security tools in memory to disable their detection capabilities before decrypting and initiating Remcos RAT, which established an encrypted communication channel back to the attacker’s command and control server.
Remcos immediately entered stealth mode upon execution, initiating keystroke logging, stealing browser cookies, and providing the attacker with an interactive reverse shell, granting them the ability to execute any command on the infected host. This entire execution chain, from a seemingly innocuous AI skill to full remote control, required no user intervention beyond a single automated installation step triggered by an AI agent.
GhostLoader and the Developer Data Threat
The alternative attack path, designed for macOS and Linux environments, utilized a heavily obfuscated Node.js file embedded within npm lifecycle scripts. When the installation command was executed, it silently deployed GhostLoader onto the system.

On macOS and Linux, the malware also presented deceptive password prompts, attempting to trick users into directly divulging their credentials. Once active, GhostLoader meticulously scoured the host for valuable assets, including macOS Keychain data, SSH keys, cryptocurrency wallet files, and cloud API tokens. All collected data was then exfiltrated to attacker-controlled servers.
Zscaler’s analysts emphasize that as AI agents become increasingly integrated into development pipelines, supply chain poisoning through counterfeit skills represents a growing threat. Organizations must rigorously vet all third-party plugins and enforce stringent behavioral monitoring for any tools interacting with privileged local resources.
Indicators of Compromise (IoCs):
- MD5 Hash: 1c267cab0a800a7b2d598bc1b112d5ce (“DeepSeek-Claw” named OpenClaw Skill)
- MD5 Hash: 2A5F619C966EF79F4586A433E3D5E7BA (MSI Installer)
- URL: hxxps://cloudcraftshub[.]com/api (MSI download URL)
- URL: hxxp://dropras[.]xyz/ (MSI download URL)
- URL: https://github.com/Needvainverter93/deepseek-claw (Malicious GitHub repository)
- MD5 Hash: CC1AF839A956C8E2BF8E721F5D3B7373 (Shellcode loader g2m.dll)
- MD5 Hash: 2C4B7C8B48E6B4E5F3E8854F2ABFEDB5 (Remcos RAT payload)
- IP:Port: 146[.]19.24[.]131:2404 (Remcos RAT C2 server)
- URL: hxxps://trackpipe[.]dev (GhostLoader C2 server)
What You Should Do
- Vet Third-Party AI Skills and Plugins: Implement a rigorous vetting process for all third-party AI skills, plugins, and libraries, especially those integrated into automated development workflows. Verify the authenticity and integrity of sources beyond basic reputation.
- Implement Behavioral Monitoring: Deploy advanced endpoint detection and response (EDR) solutions with strong behavioral monitoring capabilities for all developer workstations and AI agent environments. Focus on detecting unusual process activity, network connections, and attempts to modify security tools.
- Enforce Principle of Least Privilege: Ensure that AI agents and developer tools operate with the minimum necessary privileges. Limit their ability to execute arbitrary commands or interact with sensitive system resources.
- Segment Developer Environments: Isolate developer environments from production systems and critical infrastructure. Implement network segmentation to limit lateral movement in case of a compromise.
- Educate Developers on Supply Chain Risks: Conduct regular training for developers on the risks of supply chain attacks, especially concerning open-source components and AI frameworks. Emphasize the importance of verifying package authenticity.
- Monitor for IoCs: Integrate the provided Indicators of Compromise (IoCs) into your security information and event management (SIEM) and threat intelligence platforms to detect potential infections.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.