
341 Malicious Clawed Skills Found by the Bot They Were Targeting

Medium
Published: Wed Feb 04 2026 (02/04/2026, 12:44:15 UTC)
Source: AlienVault OTX General

Description

A massive malware campaign dubbed ClawHavoc has been uncovered in the ClawHub marketplace, targeting OpenClaw bots and their users. An AI bot named Alex, working with security researcher Oren Yomtov, discovered 341 malicious skills, including 335 from a single campaign. The malware, identified as Atomic Stealer (AMOS), uses sophisticated techniques to evade detection and steal sensitive data. The attack exploits users' trust in AI assistants, potentially compromising personal and financial information. In response, a new tool called Clawdex has been developed to help bots and users scan for malicious skills before installation.

AI-Powered Analysis

Last updated: 02/04/2026, 14:29:56 UTC

Technical Analysis

The ClawHavoc campaign is a large-scale malware operation targeting the OpenClaw bot ecosystem, discovered through collaboration between an AI bot named Alex and security researcher Oren Yomtov. The campaign involves 341 malicious skills, with 335 originating from a single coordinated effort. The malware payload, Atomic Stealer (AMOS), is designed to stealthily exfiltrate sensitive data such as credentials and cryptocurrency wallet information by exploiting the trust users place in AI assistants. Attackers use typosquatting and supply chain attack techniques to infiltrate the ClawHub marketplace, a platform for distributing OpenClaw bot skills. The malware leverages multiple MITRE ATT&CK techniques including input capture (T1056.001), credential dumping (T1005), and command and control communications (T1071.001), indicating a sophisticated multi-stage attack chain. The campaign infrastructure includes several IP addresses and domains used for hosting malicious payloads and command servers. Although no active exploits have been reported in the wild, the campaign's scale and stealth capabilities pose a significant threat. The development of Clawdex, a scanning tool, aims to help users and bots detect these malicious skills pre-installation, addressing the supply chain risk. The campaign highlights the emerging risks in AI assistant ecosystems where malicious skills can bypass traditional security controls by masquerading as legitimate functionality.

Potential Impact

For European organizations, the ClawHavoc campaign threatens the confidentiality and integrity of sensitive data, particularly personal information and cryptocurrency wallets. Organizations relying on OpenClaw bots or similar AI assistant platforms could face data breaches, financial theft, and reputational damage. The supply chain nature of the attack means that even well-secured environments could be compromised if malicious skills are inadvertently installed. The campaign could disrupt business operations by enabling attackers to execute commands remotely, exfiltrate data, or deploy additional malware. Financial institutions, fintech companies, and enterprises integrating AI assistants into customer service or internal workflows are especially at risk. The exploitation of user trust in AI assistants may lead to widespread compromise if users are not adequately trained or if security controls do not include skill vetting. Given the campaign’s use of advanced evasion techniques, detection and response may be challenging, increasing the potential impact duration and severity.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy focusing on the AI assistant skill supply chain. First, deploy the Clawdex scanning tool or equivalent solutions to analyze and verify all OpenClaw bot skills before installation, ensuring no malicious code is present. Establish strict policies for skill approval, including code review and behavioral analysis, to prevent typosquatting and malicious skill injection. Educate users about the risks of installing unverified skills and the importance of verifying skill sources. Monitor network traffic for indicators of compromise such as connections to the listed IP addresses and domains (e.g., 91.92.242.30, clawdex.koi.security). Implement endpoint detection and response (EDR) solutions capable of identifying suspicious behaviors associated with Atomic Stealer, including credential dumping and unauthorized data exfiltration. Regularly update AI assistant platforms and underlying systems to patch vulnerabilities and reduce attack surface. Collaborate with vendors to enhance supply chain security and share threat intelligence related to ClawHavoc. Finally, conduct incident response drills simulating AI assistant compromise to prepare teams for rapid containment and remediation.
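The recommendation above to monitor for connections to the listed indicators can be turned into a simple sweep. The following Python script is an added example, not part of the original pulse or the Koi/Clawdex tooling: it loads the IP, domain, URL and hash indicators exactly as they appear in this page's "Indicators of Compromise" section, runs them over a few constructed proxy, DNS and firewall log lines (the log lines are made up for the example), and also shows how a downloaded file's MD5/SHA-1/SHA-256 digests would be checked against the hash list. Note that the pulse's indicator set includes clawdex.koi.security, which the page itself describes as the scanning tool, so a match on that domain will fire on legitimate use of the scanner; review the list before wiring it into alerting.

```python
import hashlib
import re

# Network indicators copied from the page's "Indicators of Compromise" section.
IOC_IPS = {"95.92.242.30", "91.92.242.30", "96.92.242.30", "202.161.50.59"}
IOC_DOMAINS = {"clawdex.koi.security", "install.app-distribution.net"}
IOC_URLS = {
    "http://91.92.242.30/6x8c0trkp4l9uugo",
    "http://91.92.242.30/7buu24ly8m1tn8m4",
    "http://91.92.242.30/x5ki60w1ih838sp7",
    "http://glot.io/snippets/hfdxv8uyaf",
    "https://clawdex.koi.security",
    "https://install.app-distribution.net/setup/",
}
# File hashes from the page (MD5, SHA-1 and SHA-256, distinguishable by length).
IOC_HASHES = {
    "0c76e33ddde228e9ce098edf3bf5f06a",
    "3a4450bacf20eea2dcc246da7bce9667",
    "8611dfd731c27ac1592de60a31c66634",
    "4a99a95d23fd37082675d4804348e8ebdb01e384",
    "71f101a613cc57745d4a605d0ce6d3c1cd7a4229",
    "8a5a5ff3663c4a530cfe975e66a0257f308368c6",
    "0e52566ccff4830e30ef45d2ad804eefba4ffe42062919398bf1334aab74dd65",
    "17703b3d5e8e1fe69d6a6c78a240d8c84b32465fe62bed5610fb29335fe42283",
    "1e6d4b0538558429422b71d1f4d724c8ce31be92d299df33a8339e32316e2298",
}

# Constructed sample log lines (not from the page): a Squid-style proxy record,
# a BIND query log entry, a netfilter firewall line and one benign proxy record.
SAMPLE_LOGS = [
    "1738672000.123    245 10.0.0.12 TCP_MISS/200 5120 GET http://91.92.242.30/6x8c0trkp4l9uugo - HIER_DIRECT/91.92.242.30 application/octet-stream",
    "Feb  4 12:44:15 resolver named[1234]: client 10.0.0.33#51234: query: install.app-distribution.net IN A + (10.0.0.1)",
    "Feb  4 12:45:01 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.45 DST=202.161.50.59 PROTO=TCP SPT=50122 DPT=443",
    "1738672100.456    120 10.0.0.12 TCP_MISS/200 2048 GET https://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
]

# Anchored so that 191.92.242.30 or 91.92.242.300 cannot match the 91.92.242.30 indicator.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w.-])", re.IGNORECASE)


def _normalize_url(url):
    # Case and a trailing slash are not significant for our comparison.
    return url.lower().rstrip("/")


def match_line(line):
    """Return a set of (kind, indicator) pairs found in one log line."""
    hits = set()
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for url in URL_RE.findall(line):
        norm = _normalize_url(url)
        for ioc in IOC_URLS:
            if norm == _normalize_url(ioc):
                hits.add(("url", ioc))
    for host in HOST_RE.findall(line):
        host = host.lower()
        for dom in IOC_DOMAINS:
            # Exact match or any subdomain of a listed domain.
            if host == dom or host.endswith("." + dom):
                hits.add(("domain", dom))
    return hits


def sweep_logs(lines):
    """Return sorted (line_number, kind, indicator) tuples for every hit across the lines."""
    results = []
    for n, line in enumerate(lines, start=1):
        for kind, ioc in match_line(line):
            results.append((n, kind, ioc))
    return sorted(results)


def check_file_hashes(data, hashes=IOC_HASHES):
    """Hash a file's bytes with MD5, SHA-1 and SHA-256 and return the digests present in the indicator set."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    wanted = {h.lower() for h in hashes}
    return {algo: d for algo, d in digests.items() if d in wanted}


if __name__ == "__main__":
    for hit in sweep_logs(SAMPLE_LOGS):
        print("line %d: %s indicator %s" % hit)
    # Constructed bytes, so no hash from the page is expected to match.
    print("hash hits on constructed sample:", check_file_hashes(b"constructed sample skill"))
```

The IP pattern is anchored on both sides so that an address like 191.92.242.30 does not produce a hit for 91.92.242.30, and domain matching accepts subdomains of a listed domain, which is the usual choice for DNS logs. On the constructed lines the sweep reports the proxy download from 91.92.242.30 (both as a URL and an IP hit), the DNS query for install.app-distribution.net and the firewall connection to 202.161.50.59, and nothing for the benign example.com request.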


Technical Details

Author
AlienVault
Tlp
white
References
https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting
Adversary
ClawHavoc
Pulse Id
69833f1ffa4d16b727a549c2
Threat Score
null

Indicators of Compromise

IP

95.92.242.30
91.92.242.30
96.92.242.30
202.161.50.59

Hash

MD5:
0c76e33ddde228e9ce098edf3bf5f06a
3a4450bacf20eea2dcc246da7bce9667
8611dfd731c27ac1592de60a31c66634

SHA-1:
4a99a95d23fd37082675d4804348e8ebdb01e384
71f101a613cc57745d4a605d0ce6d3c1cd7a4229
8a5a5ff3663c4a530cfe975e66a0257f308368c6

SHA-256:
0e52566ccff4830e30ef45d2ad804eefba4ffe42062919398bf1334aab74dd65
17703b3d5e8e1fe69d6a6c78a240d8c84b32465fe62bed5610fb29335fe42283
1e6d4b0538558429422b71d1f4d724c8ce31be92d299df33a8339e32316e2298

URL

http://91.92.242.30/6x8c0trkp4l9uugo
http://91.92.242.30/7buu24ly8m1tn8m4
http://91.92.242.30/x5ki60w1ih838sp7
http://glot.io/snippets/hfdxv8uyaf
https://clawdex.koi.security
https://install.app-distribution.net/setup/

Domain

clawdex.koi.security
install.app-distribution.net

Threat ID: 6983546df9fa50a62f8fec2c

Added to database: 2/4/2026, 2:15:09 PM

Last enriched: 2/4/2026, 2:29:56 PM

Last updated: 2/7/2026, 2:57:11 AM
