Malware-laced OpenClaw installers get Bing AI search boost

OpenClaw, the AI agent that can manage just about anything, is risky all by itself, but now fake installers for it are wreaking havoc. Users who searched Bing’s AI results for “OpenClaw Windows” were directed to a malicious GitHub repository that delivered information stealers and GhostSocks onto their machines.

The malicious repositories, available on GitHub between February 2 and 10, are yet another example of how quickly scammers co-opt buzzy new technologies and use their popularity to steal credentials and other sensitive data.

In addition to capitalizing on OpenClaw’s popularity, this scam had two other key factors contributing to its success. First, the malware was hosted on GitHub, which users trust. OpenClaw has tens of thousands of forks hosted on GitHub, so users who see the fake installers there are more likely to believe they are legitimate code. Plus, this one was connected to a GitHub organization called openclaw-installer, which made it all the more believable.

Second, the Bing AI search results lent credibility. Simply hosting the malware on GitHub was enough to poison the search results and propel the malicious repo to the top suggestion when someone searched “OpenClaw Windows.”

Huntress’ security researchers spotted the malware on February 9 after a user downloaded and ran the fake installer. “Analysis revealed that this user had searched for the term OpenClaw Windows through Bing and had the AI suggestion link directly to a newly-created malicious GitHub repository openclaw-installer,” Huntress threat analysts Jai Minton and Ryan Dowd said in a Wednesday blog.

The account and repository have since been removed.

There were clues, however, that the repo and the account were phony. The account joined GitHub in September 2025, and didn’t have any public actions until it opened an issue on the official OpenClaw repository promoting another repo, openclaw-trading-assistant, under the organization molt-bot, which was later marked as spam. Both that repository and the organization have since been removed, and the researchers say it likely contained malware.

Plus, the fake installer’s user account linked to an X account that doesn’t exist, and used a picture from a different X account with about 200,000 followers.

Huntress analyzed the code inside OpenClaw-Installer, and it turned out to be largely legitimate, taken from the Cloudflare project moltworker. The malware was hidden in the releases section, under the name OpenClaw_x64.exe, inside a 7-Zip archive.

Upon execution, the file dropped multiple pieces of malware on the endpoint, including multiple loaders written in Rust and designed to run information stealers in memory.

One of the binaries, cloudvideo.exe, is a Vidar stealer that hoovers up Telegram and Steam user details, and retrieves dynamic C2 information.

The security researchers suggest that the miscreant behind the malicious repository used a never-before-seen packer called stealth packer. “A number of debugging messages in this sample also provide clues about the functionality of stealth packer, including invoking malware into memory, adding firewall rules, creating hidden ghost scheduled tasks, and potential AntiVM checks to look for mouse movement prior to running decrypted payloads,” the duo wrote.

Other malicious executables include GhostSocks, named serverdrive.exe. GhostSocks is a proxy malware, used by criminals to turn compromised machines into residential proxies that they use to route their malicious traffic and access compromised accounts using stolen credentials. Using a proxy machine allows the crims to bypass anti-fraud checks when accessing these accounts and also route future attacks through compromised systems.

This variant of GhostSocks uses TLS for connections. Plus, as Huntress’ team details in the write-up, it had two primary helper addresses and four pieces of embedded configuration data – so check out the security firm’s blog for these and several other indicators that could indicate your system has been compromised.

Also, while writing their blog, the team identified three other organizations and accounts used to distribute malware – likely infostealers – and one of these looked just like the original openclaw-installer. This dupe was added a day after the original repository was taken down. Huntress reported all of these to GitHub.

It’s also worth noting that there are plenty of other OpenClaw scams circulating, as well as major security risks with legitimate installations and its marketplace teeming with malware and leaky agent skills that expose sensitive credentials. All of this makes OpenClaw a prime target for info stealers – so be safe out there, run your AI agents in isolated environments, limit what data and systems they can access, and don’t assign them privileged credentials. ®
