Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate, signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts the TEA-encrypted Remcos RAT payload and executes it, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.
AI Analysis
Technical Summary
This threat involves a malicious skill named "DeepSeek-Claw" weaponizing the OpenClaw AI agent framework to distribute two malware families: Remcos RAT on Windows and GhostLoader on macOS/Linux. The Windows infection chain uses a signed GoToMeeting MSI that sideloads a malicious DLL; the DLL patches ETW and AMSI to evade detection, decrypts the TEA-encrypted Remcos RAT payload, and enables remote access with capabilities such as keylogging and cookie theft. The macOS/Linux path uses obfuscated Node.js scripts that display a fake sudo prompt to capture the user's password, then harvest sensitive data including SSH keys, cryptocurrency wallets, and cloud API tokens. The campaign exploits trust in AI agent frameworks and open-source skills to trick developers and AI workflows into executing malicious payloads. Indicators include multiple malicious domains, URLs, and file hashes. There is no known exploitation beyond this campaign, and no vendor advisory or patch is currently available.
Potential Impact
The impact includes remote access and control of infected Windows systems via Remcos RAT, enabling data theft such as keylogging and cookie stealing. On macOS and Linux, GhostLoader harvests credentials and sensitive information including SSH keys, cryptocurrency wallets, and cloud API tokens, potentially leading to further compromise and data exfiltration. The campaign exploits AI agent frameworks and developer trust, representing a novel attack vector that could facilitate widespread compromise if the malicious skill is widely adopted.
Mitigation Recommendations
Patch status is not yet confirmed; check for a vendor advisory for current remediation guidance. Until official guidance is available, avoid installing or executing untrusted OpenClaw skills, especially those named or related to "DeepSeek-Claw." Monitor for the indicators of compromise associated with this campaign: connections to the malicious domains and URLs, and the file hashes published in the referenced Zscaler report. Employ endpoint detection solutions capable of detecting DLL sideloading, ETW and AMSI patching, and suspicious PowerShell activity. Exercise caution with AI agent frameworks and open-source skills, validating their provenance before use.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader
- Adversary: null
- Pulse Id: 69fa3aacdd4e111bac9bad11
- Threat Score: null
Threat ID: 69fb0f2dcbff5d8610c9a2dd
Added to database: 5/6/2026, 9:51:41 AM
Last enriched: 5/6/2026, 10:06:36 AM
Last updated: 5/7/2026, 7:34:26 AM