Follow
Summary
Bitdefender Labs reports that hostile OpenClaw Skills are being abused to fetch and run malware, with a clear focus on stealing crypto-wallet data and user credentials. Roughly 17% of reviewed Skills exhibited malicious intent, often by cloning common utilities and hiding execution behind obfuscated shell commands. Stagers are frequently parked on paste sites and served from a repeatedly used IP address. Observed end payloads include the macOS AMOS Stealer infostealer.
Investigation
Researchers reviewed a broad corpus of OpenClaw Skills and found recurring tradecraft: Base64-wrapped commands, remote script pulls from glot.io and GitHub across multiple repos, and reliance on a single IP for hosting malicious binaries. They mapped specific Skill paths and reconstructed the execution chain that ultimately downloads AMOS Stealer. Other samples delivered AuthTool.exe for Windows and credential-exfiltration backdoors masquerading as backup or recovery tools.
Mitigation
Treat OpenClaw Skills as untrusted software: validate any external download, avoid running Skills that ask for elevated rights or direct access to secrets, and require code review for community additions. Use endpoint protection that flags suspicious command execution and remote script retrieval. Keep private keys and API tokens in hardened, isolated stores rather than on user endpoints.
Response
When a malicious Skill is identified, isolate the system, stop spawned processes, and block the associated IP and domains. Perform forensics to locate and remove retrieved payloads, including AMOS Stealer. Reset exposed credentials—especially wallet keys and API secrets—and monitor for suspicious logins or unauthorized transactions.
"graph TB %% Class definitions classDef action fill:#99ccff classDef malware fill:#ff9999 classDef process fill:#ffcc66 classDef tool fill:#cccccc classDef external fill:#e0e0e0 %% Node definitions action_initial_access["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Victim manually installs a malicious OpenClaw skill believing it is legitimate.<br/><b>Goal</b>: Gain initial foothold."] class action_initial_access action malware_malicious_skill["<b>Malware</b> – <b>Name</b>: Malicious OpenClaw skill<br/><b>Type</b>: Credentialu2011stealing utility<br/><b>Persistence</b>: Installed as host binary."] class malware_malicious_skill malware action_execution["<b>Action</b> – <b>T1059.004 Command and Scripting Interpreter: Unix Shell</b> & <b>T1059.003 Windows Command Shell</b><br/>Skill decodes Base64 commands and runs them via Bash or cmd.exe.<br/><b>Goal</b>: Execute attacker commands."] class action_execution action process_decode_base64["<b>Process</b> – Decodes Base64u2011encoded commands.<br/><b>Technique</b>: T1027.008 Obfuscated Files or Information: Stripped Payloads"] class process_decode_base64 process tool_bash["<b>Tool</b> – Bash shell (Unix)<br/><b>Purpose</b>: Execute decoded commands."] class tool_bash tool tool_cmd["<b>Tool</b> – cmd.exe (Windows)<br/><b>Purpose</b>: Execute decoded commands."] class tool_cmd tool action_defense_evasion["<b>Action</b> – <b>T1564.010 Hide Artifacts: Process Argument Spoofing</b> & <b>T1027.008 Obfuscated Files or Information: Stripped Payloads</b><br/>Commands are hidden using Base64 and processu2011argument spoofing."] class action_defense_evasion action action_remote_access["<b>Action</b> – <b>T1219 Remote Access Tools</b><br/>Skill contacts attackeru2011controlled IPs and fetches additional scripts/binaries using curl/WGET."] class action_remote_access action tool_curl["<b>Tool</b> – curl<br/><b>Purpose</b>: Download resources from remote servers."] class tool_curl tool tool_wget["<b>Tool</b> – WGET<br/><b>Purpose</b>: Download resources from remote servers."] class tool_wget tool action_credential_access["<b>Action</b> – <b>T1552.004 Unsecured Credentials: Private Keys</b><br/>Scans OpenClaw workspace for files containing private keys (e.g., *.mykey, SOLANA_KEYPAIR_PATH JSON) and reads them."] class action_credential_access action action_exfiltration["<b>Action</b> – <b>T1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Nonu2011C2 Protocol</b><br/>Collected keys are Base64u2011encoded and sent to attackeru2011controlled HTTP endpoints."] class action_exfiltration action attacker_endpoint["<b>Attacker Endpoint</b> – HTTP server receiving exfiltrated data."] class attacker_endpoint external action_persistence["<b>Action</b> – <b>T1554 Compromise Host Software Binary</b><br/>Malicious skill installed as a host software binary that continuously runs, providing ongoing access."] class action_persistence action %% Connections action_initial_access –>|installs| malware_malicious_skill malware_malicious_skill –>|enables| action_execution action_execution –>|uses| process_decode_base64 process_decode_base64 –>|invokes| tool_bash process_decode_base64 –>|invokes| tool_cmd action_execution –>|leads to| action_defense_evasion action_defense_evasion –>|prepares| action_remote_access action_remote_access –>|uses| tool_curl action_remote_access –>|uses| tool_wget action_remote_access –>|leads to| action_credential_access action_credential_access –>|leads to| action_exfiltration action_exfiltration –>|sends data to| attacker_endpoint malware_malicious_skill –>|provides| action_persistence "
Attack Flow
Detections
Possible OpenClaw Private Keys Enumeration Attempt (via process_creation)
View
IOCs (DestinationIP) to detect: Helpful Skills or Hidden Payloads? Bitdefender Labs Dives Deep into the OpenClaw Malicious Skill Trap
View
IOCs (SourceIP) to detect: Helpful Skills or Hidden Payloads? Bitdefender Labs Dives Deep into the OpenClaw Malicious Skill Trap
View
Detect Malicious OpenClaw Skill Command Execution [Linux Process Creation]
View
Suspicious Execution of AuthTool.exe on Windows [Windows Process Creation]
View
Detect Base64 Decoding in OpenClaw Processes [Windows Powershell]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands:
The attacker has compromised a victim’s machine and installed the OpenClaw service (malicious backdoor). To avoid detection, the adversary stores its payload in a Base64‑encoded file (payload.b64). Using the legitimatebase64utility, OpenClaw decodes the file and pipes it directly to the interpreter (/bin/bash). Because the command line includes the literal stringbase64 -d, the Sigma rule should fire.-
Place the encoded payload on the target:
echo "ZWNobyAiTWFsaWNpb3VzIFBheWxvYWQi" > /opt/openclaw/payload.b64 -
Start the OpenClaw process that performs the decode (simulated here by directly invoking
openclawbinary)./usr/local/bin/openclaw -c "base64 -d /opt/openclaw/payload.b64 | /bin/bash" -
The decoded command (
echo "Malicious Payload") runs, demonstrating the intended malicious action.
-
-
Regression Test Script:
#!/usr/bin/env bash set -euo pipefail # 1. Setup: create a dummy OpenClaw binary (placeholder for real malware) OPENCLAW_PATH="/usr/local/bin/openclaw" if [[ ! -f "$OPENCLAW_PATH" ]]; then cat <<'EOF' > "$OPENCLAW_PATH" #!/usr/bin/env bash # Simple wrapper that executes the command passed via -c while [[ $# -gt 0 ]]; do case "$1" in -c) shift; eval "$1";; *) shift;; esac done EOF chmod +x "$OPENCLAW_PATH" fi # 2. Create a base64‑encoded payload PAYLOAD_FILE="/opt/openclaw/payload.b64" mkdir -p "$(dirname "$PAYLOAD_FILE")" echo "ZWNobyAiTWFsaWNpb3VzIFBheWxvYWQi" > "$PAYLOAD_FILE" # 3. Execute OpenClaw with the decode command (this should trigger the rule) "$OPENCLAW_PATH" -c "base64 -d $PAYLOAD_FILE | /bin/bash" # 4. Output marker for manual verification echo "[+] OpenClaw decode execution completed." -
Cleanup Commands:
#!/usr/bin/env bash set -euo pipefail # Remove dummy OpenClaw binary sudo rm -f /usr/local/bin/openclaw # Remove payload file and directories sudo rm -rf /opt/openclaw # Remove any audit rules added for the test (optional – restore to original state) sudo auditctl -D echo "[+] Cleanup finished."