Fake OpenClaw Installers Deliver Information Stealers

Huntress security researchers say fake OpenClaw installers hosted on GitHub from Feb. 2–10 delivered information-stealing malware and proxy tools after Bing AI search suggestions directed users to malicious repositories. The malicious OpenClaw_x64.exe dropped Rust loaders, a Vidar stealer (cloudvideo.exe) and a GhostSocks proxy, while researchers warn of a new "stealth packer" and publish IoCs for detection and mitigation.
Key Points
- Deliver malware: fake OpenClaw GitHub installers delivered the Vidar stealer and GhostSocks proxy between Feb. 2–10.
- Exploit trust: attackers used GitHub hosting and Bing AI suggestions to legitimize malicious repositories.
- Require mitigation: practitioners should isolate agents, restrict credentials, and use Huntress IoCs to hunt for compromises.
Scoring Rationale
Strong, timely vendor analysis with actionable IoCs, but impact is concentrated within OpenClaw agent ecosystem.
Sources
Public references used for this report.
