Skip to content
.ca
sign in
6 minhigh

OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz

Threat actors are exploiting the OpenClaw AI agent framework by publishing a deceptive 'DeepSeek-Claw' skill that distributes malware. The campaign utilizes malicious installation instructions to deploy Remcos RAT on Windows via DLL sideloading and GhostLoader on macOS/Linux via obfuscated Node.js scripts, enabling persistent access and data exfiltration.

Sens:ImmediateConf:highAnalyzed:2026-05-05Google

Authors: MITESH WANI

ActorsRemcos RATGhostLoaderGhostClaw
DLL SideloadingAI AgentsOpenClawGhostLoaderRemcos RAT

Source:Zscaler ThreatLabz

IOCs · 6
  • domain
    cloudcraftshub[.]comPayload hosting domain
  • filename
    SKILL.mdDeceptive OpenClaw skill instruction file containing malicious execution commands.
  • filename
    g2m.dllMalicious DLL sideloaded by the legitimate GoToMeeting executable to load Remcos RAT.
  • ip
    146[.]19[.]24[.]131Command and Control (C2) server IP address for Remcos RAT.
  • mutex
    Rmc-11YWBZMutex created by the Remcos RAT payload.
  • url
    hxxps://cloudcraftshub[.]com/apiRemote URL hosting the malicious MSI package containing Remcos RAT.

Detection / HunterGoogle

What Happened

Cybercriminals have created a fake 'skill' for an artificial intelligence automation tool called OpenClaw, disguising it as a legitimate integration for DeepSeek. Developers and organizations using OpenClaw AI agents on Windows, Mac, and Linux systems are primarily affected by this campaign. If installed, the fake skill secretly downloads malicious software that gives attackers remote control over Windows computers or steals passwords, cryptocurrency wallets, and sensitive developer keys on Mac and Linux. Organizations should carefully review and monitor any third-party plugins or skills before allowing them to run, and block the known malicious web addresses associated with this attack.

Key Takeaways

  • Threat actors are weaponizing AI agentic workflows by publishing a deceptive 'DeepSeek-Claw' skill for the OpenClaw framework.
  • The Windows attack chain uses a malicious MSI to sideload a DLL via a legitimate GoToMeeting executable, deploying Remcos RAT.
  • The shellcode loader employs extensive evasion techniques, including ETW/AMSI patching, anti-debugging, and sandbox detection.
  • Cross-platform environments (macOS/Linux) are targeted with GhostLoader via malicious npm scripts and bash installers to steal credentials and tokens.

Affected Systems

  • Windows
  • macOS
  • Linux
  • OpenClaw AI Agents
  • Node.js environments

Attack Chain

The attack begins when a user or AI agent downloads a deceptive 'DeepSeek-Claw' skill for the OpenClaw framework. The skill's SKILL.md file contains malicious instructions that, on Windows, use msiexec to download an MSI package containing a legitimate GoToMeeting executable and a malicious DLL. The executable sideloads the DLL, which patches ETW and AMSI, performs anti-analysis checks, and decrypts the Remcos RAT payload in memory. On macOS/Linux, the instructions execute a bash script that triggers an obfuscated Node.js payload to install GhostLoader, which uses spoofed sudo prompts to steal credentials and exfiltrate data.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules but details behavioral indicators and configuration artifacts for Remcos RAT and GhostLoader.

Detection Engineering Assessment

EDR Visibility: Medium — The malware actively patches ETW and AMSI in memory, which may blind some EDR telemetry. However, process creation (msiexec downloading remote payloads) and DLL sideloading by a signed binary should still be visible. Network Visibility: Medium — Initial MSI download is over HTTPS, and C2 communication uses TLS over TCP, encrypting the payload. However, the connection to an unusual port (2404) and known malicious IPs can be detected. Detection Difficulty: Moderate — The use of legitimate binaries for sideloading and in-memory patching of telemetry tools increases difficulty, but the initial msiexec command and subsequent network connections are highly anomalous.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Network Connections (Sysmon 3)
  • Image Load (Sysmon 7)

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for msiexec.exe executing with the /q and /i flags pointing to an external HTTP/HTTPS URL, indicating potential remote payload execution.Process Creation (Event ID 4688 / Sysmon 1)ExecutionLow
Identify instances of G2M.exe (GoToMeeting) loading an unsigned or unexpected g2m.dll from a non-standard directory, indicating DLL sideloading.Image Load (Sysmon 7)Defense EvasionLow
Monitor for unexpected outbound network connections over non-standard ports (e.g., 2404) originating from legitimate processes like G2M.exe.Network Connections (Sysmon 3)Command and ControlMedium

Control Gaps

  • AI Agent execution context lacking strict behavioral controls
  • EDR reliance on ETW/AMSI without memory integrity checks

Key Behavioral Indicators

  • msiexec downloading from external URLs
  • G2M.exe sideloading g2m.dll
  • Spoofed sudo prompts in macOS/Linux terminals
  • Creation of mutex Rmc-11YWBZ

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block the identified C2 IP (146.19.24.131) and payload domain (cloudcraftshub.com).
  • Search for and isolate any endpoints that have executed the DeepSeek-Claw OpenClaw skill.

Infrastructure Hardening

  • Implement strict application control to prevent msiexec from downloading and executing remote packages.
  • Restrict outbound network traffic to standard ports and block known malicious IPs.

User Protection

  • Deploy EDR solutions capable of detecting in-memory patching and DLL sideloading.
  • Enforce MFA and monitor for anomalous session cookie usage.

Security Awareness

  • Educate developers on the risks of executing third-party AI agent skills and npm scripts.
  • Train macOS/Linux users to be cautious of unexpected terminal sudo prompts.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1204.002 - User Execution: Malicious File
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1218.007 - System Binary Proxy Execution: Msiexec
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1497.001 - Virtualization/Sandbox Evasion: System Checks
  • T1027 - Obfuscated Files or Information
  • T1056.002 - Input Capture: GUI Input Capture
  • T1555.001 - Credentials from Password Stores: Keychain
  • T1552.004 - Unsecured Credentials: Private Keys
  • T1005 - Data from Local System
  • T1539 - Steal Web Session Cookie
  • T1071.001 - Application Layer Protocol: Web Protocols

Additional IOCs

  • Ips:
    • 146[.]19[.]24[.]131 - Remcos C2 server
  • Domains:
    • cloudcraftshub[.]com - Payload hosting domain
  • Urls:
    • hxxps://cloudcraftshub[[.]]com/api - MSI download URL
    • tcp+tls://146[[.]]19[.]24[.]131:2404/ - Remcos C2 connection string
  • File Paths:
    • SKILL.md - Malicious OpenClaw skill instruction file
    • setup.js - Obfuscated Node.js payload for GhostLoader
    • install.sh - Bash installer for GhostLoader
  • Command Lines:
    • Purpose: Download and execute remote MSI package | Tools: cmd.exe, msiexec.exe | Stage: Execution | cmd /c start msiexec /q /i
  • Other:
    • Rmc-11YWBZ - Remcos Mutex

Related