Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

SOC Prime Team

Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

Threat actors published a malicious OpenClaw skill named DeepSeek-Claw that deceives AI agents or developers into downloading a weaponized MSI installer. Once executed, the installer drops a signed GoToMeeting binary that sideloads a malicious DLL, which then loads the Remcos RAT. A separate infection path delivers a heavily obfuscated Node.js payload that installs the cross-platform GhostLoader stealer. The campaign highlights how compromised AI workflow plugins can be used as a supply-chain vector for persistent remote access and data theft.

Investigation

Zscaler ThreatLabz followed the full infection chain from the malicious skill markdown file to the MSI download, the DLL sideloading of G2M.exe, and the in-memory loader responsible for patching ETW and AMSI. Researchers recovered the Remcos configuration, including its command-and-control address and mutex, and also identified GhostLoader’s use of npm scripts and Bash-based installers for macOS and Linux environments. The report further documents multiple evasion techniques, including API obfuscation, TEA-based decryption, and sandbox-awareness checks.

Mitigation

Defenders should block access to the malicious MSI and related URLs, monitor for unsigned DLLs loaded by legitimate GoToMeeting processes, and enforce strict validation of OpenClaw skill content before use. Endpoint protections should also detect ETW and AMSI patching attempts and restrict execution of PowerShell or msiexec from non-administrative contexts. Organizations should verify code signatures for all binaries and apply least-privilege controls to AI agent and plugin integrations.

Response

If this activity is detected, isolate the affected endpoint immediately, terminate any Remcos or GhostLoader processes, and remove the malicious DLL and MSI artifacts from the system. Collect memory dumps and preserve the Remcos configuration for forensic analysis, then reset compromised credentials and rotate any affected certificates or secrets. Security teams should also update threat intelligence feeds with the identified indicators and strengthen supply-chain controls around AI plugin usage.

"graph TB %% Class definitions classDef technique fill:#cfe2f3 classDef tool fill:#e2efda classDef malware fill:#f9cb9c classDef process fill:#ffd966 %% Technique nodes tech_user_exec_copypaste["Technique – T1204.004 User Execution: Malicious Copy and Paste Description: Tricking users or AI agents into executing a copied PowerShell oneu2011liner."] class tech_user_exec_copypaste technique tech_user_exec_link["Technique – T1204.001 User Execution: Malicious Link Description: Victim clicks a malicious download link that starts the same chain."] class tech_user_exec_link technique tech_msiexec["Technique – T1218.007 System Binary Proxy Execution: Msiexec Description: Use of msiexec to silently download and install a remote MSI package."] class tech_msiexec technique tech_dll_hijack["Technique – T1574.001 Hijack Execution Flow: DLL Sideu2011Loading Description: Loading a malicious DLL by placing it alongside a legitimate executable."] class tech_dll_hijack technique tech_active_scanning["Technique – T1595 Active Scanning Description: Patching EtwEventWrite and AmsiScanBuffer to evade telemetry and antiu2011malware scanning."] class tech_active_scanning technique tech_virt_user_check["Technique – T1497.002 Virtualization Evasion: User Activity Checks Description: Detects useru2011driven activity to determine whether running in a sandbox."] class tech_virt_user_check technique tech_virt_time_check["Technique – T1497.003 Virtualization Evasion: Time Checks Description: Introduces latency and timeu2011based delays to thwart analysis."] class tech_virt_time_check technique tech_obfusc_embedded["Technique – T1027.009 Obfuscated Files or Information: Embedded Payloads Description: Final RAT payload encrypted with TEAu2011CBC and decrypted only in memory."] class tech_obfusc_embedded technique tech_keylogging["Technique – T1056.001 Input Capture: Keylogging Description: Captures keystrokes from the compromised system."] class tech_keylogging technique tech_clipboard["Technique – T1115 Clipboard Data Description: Reads clipboard contents for exfiltration."] class tech_clipboard technique tech_steal_cookie["Technique – T1539 Steal Web Session Cookie Description: Extracts active browser cookies to bypass MFA."] class tech_steal_cookie technique tech_alt_auth["Technique – T1550.004 Use Alternate Authentication Material: Web Session Cookie Description: Reuses harvested cookies as valid authentication tokens."] class tech_alt_auth technique tech_forge_cookie["Technique – T1606.001 Forge Web Credentials: Web Cookies Description: Crafts forged web credentials based on stolen cookies."] class tech_forge_cookie technique tech_private_keys["Technique – T1552.004 Credentials from Password Stores: Private Keys Description: Harvests SSH private keys from the filesystem."] class tech_private_keys technique tech_cred_files["Technique – T1552.001 Credentials in Files Description: Searches for files containing plainu2011text credentials."] class tech_cred_files technique tech_browser_creds["Technique – T1555.003 Credentials from Web Browsers Description: Dumps saved passwords from installed browsers."] class tech_browser_creds technique tech_code_repo["Technique – T1213.003 Data from Information Repositories: Code Repositories Description: Collects cryptocurrency wallets and API tokens from source code files."] class tech_code_repo technique tech_trusted_dev_util["Technique – T1127 Trusted Developer Utilities Proxy Execution Description: Executes malicious payload via npm lifecycle scripts and Node.js on macOS/Linux."] class tech_trusted_dev_util technique tech_input_injection["Technique – T1674 Input Injection Description: Markdown in the skill injects commands that AI agents parse and run."] class tech_input_injection technique %% Tool / Malware / Process nodes process_powershell["Process – PowerShell oneu2011liner execution initiated by user copyu2011paste."] class process_powershell process tool_msiexec["Tool – Msiexec Purpose: Silent installation of the malicious MSI."] class tool_msiexec tool tool_g2m_exe["Tool – GoToMeeting executable (legitimate signed binary)."] class tool_g2m_exe tool tool_g2m_dll["Tool – Malicious g2m.dll loaded via sideu2011loading."] class tool_g2m_dll tool malware_remcos["Malware – Remcos RAT Capabilities: Remote access, keylogging, data exfiltration."] class malware_remcos malware tool_npm["Tool – npm lifecycle scripts"] class tool_npm tool tool_nodejs["Tool – Node.js runtime"] class tool_nodejs tool malware_ghostloader["Malware – GhostLoader Target: macOS/Linux"] class malware_ghostloader malware %% Connections u2013 Main execution path tech_user_exec_copypaste –>|triggers| process_powershell process_powershell –>|uses| tech_msiexec tech_msiexec –>|executes| tool_msiexec tool_msiexec –>|installs MSI that drops| tool_g2m_exe tool_msiexec –>|installs MSI that drops| tool_g2m_dll tool_g2m_exe –>|facilitates| tech_dll_hijack tool_g2m_dll –>|loaded by| tech_dll_hijack tech_dll_hijack –>|leads to| tech_active_scanning tech_active_scanning –>|combined with| tech_virt_user_check tech_active_scanning –>|combined with| tech_virt_time_check tech_virt_user_check –>|enables| tech_virt_time_check tech_dll_hijack –>|delivers| tech_obfusc_embedded tech_obfusc_embedded –>|decrypts to| malware_remcos malware_remcos –>|performs| tech_keylogging malware_remcos –>|performs| tech_clipboard malware_remcos –>|exfiltrates| tech_steal_cookie tech_steal_cookie –>|enables| tech_alt_auth tech_alt_auth –>|enables| tech_forge_cookie malware_remcos –>|harvests| tech_private_keys malware_remcos –>|harvests| tech_cred_files malware_remcos –>|harvests| tech_browser_creds malware_remcos –>|collects from| tech_code_repo %% Alternative delivery path tool_npm –>|runs| tool_nodejs tool_nodejs –>|drops| malware_ghostloader malware_ghostloader –>|uses| tech_trusted_dev_util %% Input injection path tech_input_injection –>|initiates| tech_user_exec_copypaste %% Malicious link path tech_user_exec_link –>|triggers| process_powershell "

Attack Flow

Attack Narrative & Commands:
1. Preparation: The attacker obtains a malicious DLL payload (e.g., a RAT) and renames it g2m.dll to mimic a legitimate library.
2. Placement: The DLL is copied into the same directory as the legitimate GoToMeeting binary (C:Program FilesGoToMeeting). Because Windows follows the DLL search order (application directory first), G2M.exe will load g2m.dll instead of the expected library.
3. Execution: The attacker launches G2M.exe. During process creation, Sysmon records Image = *G2M.exe. Shortly after, Sysmon logs ImageLoaded = *g2m.dll.
This exact pattern satisfies the Sigma rule’s condition (selection1 and selection2), causing an alert.

Regression Test Script: (PowerShell – self‑contained)

# -------------------------------------------------
# Regression script for DLL sideloading via GoToMeeting
# -------------------------------------------------
$g2mPath = "C:Program FilesGoToMeeting"
$exe    = Join-Path $g2mPath "G2M.exe"
$malDll = Join-Path $g2mPath "g2m.dll"

# 1. Verify the legitimate executable exists
if (-not (Test-Path $exe)) {
    Write-Error "G2M.exe not found at $exe. Install GoToMeeting first."
    exit 1
}

# 2. Deploy a benign placeholder DLL (simulating the malicious payload)
#    Here we copy any existing system DLL just to have a file with the correct name.
$sourceDll = "$env:SystemRootSystem32kernel32.dll"
Copy-Item -Path $sourceDll -Destination $malDll -Force

Write-Host "[+] Placed malicious DLL as $malDll"

# 3. Launch the signed binary – this triggers the sideload
Write-Host "[+] Launching G2M.exe to trigger DLL load..."
$proc = Start-Process -FilePath $exe -PassThru

# 4. Wait a short period for the ImageLoaded event to be logged
Start-Sleep -Seconds 5

# 5. Clean up – terminate the process and remove the DLL
if ($proc.HasExited -eq $false) {
    Stop-Process -Id $proc.Id -Force
    Write-Host "[+] Terminated G2M.exe (PID $($proc.Id))"
}

Remove-Item -Path $malDll -Force
Write-Host "[+] Cleaned up malicious DLL"
# -------------------------------------------------

Cleanup Commands: (If the attacker only wants to remove artifacts)

# Remove the malicious DLL if it still exists
$dllPath = "C:Program FilesGoToMeetingg2m.dll"
if (Test-Path $dllPath) {
    Remove-Item -Path $dllPath -Force
    Write-Host "Removed $dllPath"
}

# Optionally kill any lingering G2M.exe processes
Get-Process -Name "G2M" -ErrorAction SilentlyContinue |
    Stop-Process -Force
Write-Host "Killed any remaining G2M.exe processes"

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free