Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
Publish Date: 2026-05-10 05:15:00
Source Domain: www.cybersecurity-insiders.com
OpenClaw, previously known as Clawdbot, Moltbot, and Molty, is an open-source framework designed for autonomous AI agents that execute complex tasks requiring high-privilege local system access. While intended for automation, its modular “skill” architecture has been weaponized as a significant attack vector.
In March 2026, Zscaler ThreatLabz identified a campaign leveraging the framework to exploit the growing adoption of agentic AI workflows. The threat actor published a deceptive “DeepSeek-Claw” skill for the OpenClaw framework, embedding installation instructions designed to trick AI agents or unsuspecting developers into executing hidden malicious payloads under the guise of seemingly legitimate installation and configuration steps.
In this blog post, ThreatLabz examines how threat actors exploited the OpenClaw framework’s “skill” architecture, abused trusted binaries for execution, and deployed both the Remcos remote access trojan (RAT) and GhostLoader, a cross-platform information stealer, to enable persistent system access and data theft.
Key Takeaways
- In March 2026, ThreatLabz identified an attack chain that exploits AI agentic workflows by leveraging a deceptive OpenClaw framework skill to deliver payloads through manipulated installation instructions.
- The attack downloads and runs a remote Windows Installer (MSI) package that installs Remcos RAT. The attack manipulates autonomous AI agents into parsing the OpenClaw skill to silently execute the installer, bypassing traditional user interaction requirements.
- A legitimate, digitally signed GoToMeeting executable is abused to sideload a shellcode loader, helping the execution blend in with trusted processes and evade signature-based defenses.
- The in-memory loader dynamically patches Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI), and utilizes the Tiny Encryption Algorithm (TEA) in CBC mode to decrypt and execute the final Remcos RAT…
