OpenClaw’s Hologram Delivers a Fake Installer and Rust Infostealer
Summary
A sophisticated Rust-based infostealer is being spread through a fake OpenClaw installer. The initial dropper, tracked as Hologram, applies multiple sandbox-evasion techniques before deploying a six-component modular implant. The operation also abuses legitimate platforms such as Azure DevOps, Telegram, and Hookdeck for command-and-control and dead-drop delivery. Its primary objective is to steal credentials from cryptocurrency wallet and password manager browser extensions.
Investigation
Netskope Threat Labs examined two campaign waves, Hologram and Pathfinder, and mapped the full infection chain from the fraudulent installer to the final credential-theft modules. Their analysis uncovered anti-VM checks, a mouse-movement requirement, a PowerShell runner that disables Microsoft Defender, and several persistence methods, including Run keys, a Winlogon userinit hijack, scheduled tasks, and COM hijacking. Researchers also observed frequent infrastructure changes across domains, Telegram channels, and Hookdeck webhooks.
Mitigation
Defenders should block downloads of the fake OpenClaw installer and watch for the large 130 MB Rust PE associated with the campaign. Security teams should also detect creation of the OneDriveSync.lnk shortcut in the Startup folder and monitor registry modifications involving Winlogon userinit. Outbound access to Azure DevOps, Telegram API, and Hookdeck endpoints should be tightly controlled on non-developer systems. Firewall rules should also prevent inbound connections on ports 56001 through 57002.
Response
If the threat is detected, isolate the affected endpoint immediately, collect the dropped binaries and related files, and perform forensic analysis of registry changes and scheduled task artifacts. Any exposed Azure DevOps tokens should be revoked, and compromised Telegram bot credentials should be rotated. Detection content should then be updated to include the observed mutex, filenames, and network indicators. Relevant stakeholders should be informed, and reporting to CERT or the impacted service providers should be considered.
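The persistence and network artifacts called out in the Mitigation and Response sections can be checked in one pass. The following PowerShell triage script is an added example written for this page, not Netskope's or the campaign's code; it assumes the stock Userinit value of <SystemRoot>\system32\userinit.exe, and an elevated session so HKLM and firewall rules are readable.

```powershell
# Added triage script (not from the original page): audits the host artifacts the
# Mitigation and Response sections call out. Run elevated; read-only, changes nothing.
$findings = @()
# 1. Winlogon Userinit hijack. Assumption: stock value is "<SystemRoot>\system32\userinit.exe,"
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
if ($userinit -and ($userinit.TrimEnd(',') -ne $expected)) {
    $findings += "Winlogon Userinit modified: $userinit"
}

# 2. OneDriveSync.lnk in the per-user or all-users Startup folder, resolving its target
foreach ($folder in 'Startup', 'CommonStartup') {
    $lnk = Join-Path ([Environment]::GetFolderPath($folder)) 'OneDriveSync.lnk'
    if (Test-Path $lnk) {
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk).TargetPath
        $findings += "Startup shortcut present: $lnk -> $target"
    }
}

# 3. Run keys (ASEPs) referencing any of the six payload file names from the campaign
$payloadNames = 'svc_service.exe','virtnetwork.exe','onedrive_sync.exe',
                'audioeq.exe','WinHealhCare.exe','OneSync.exe'
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        foreach ($name in $payloadNames) {
            if ("$($p.Value)" -like "*$name*") { $findings += "Run value $key\$($p.Name) -> $($p.Value)" }
        }
    }
}
# 4. Enabled inbound allow rules whose local port range overlaps 56001-57002
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
  ForEach-Object {
    $rule = $_
    foreach ($port in @(($rule | Get-NetFirewallPortFilter).LocalPort)) {
        if ("$port" -match '^(\d+)(?:-(\d+))?$') {
            $lo = [int]$Matches[1]
            $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
            if ($lo -le 57002 -and $hi -ge 56001) {
                $findings += "Inbound allow rule '$($rule.DisplayName)' opens port(s) $port"
            }
        }
    }
  }
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Hologram persistence or firewall artifacts found.' }
```

Any warning line is a lead to preserve before remediation, since the Response section asks for the registry and scheduled-task artifacts to be collected rather than simply removed.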
Attack Flow

```mermaid
graph TB
    %% Class definitions
    classDef technique fill:#ffcc99
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef file fill:#ffe699
    classDef process fill:#ff9999
    classDef shortcut fill:#c2f0c2
    classDef registry fill:#c2d6f0
    classDef scheduled fill:#f0c2c2
    classDef c2 fill:#d9c2f0

    %% Node definitions
    file_openclaw["<b>File</b>: OpenClaw_x64.exe<br/><b>Type</b>: Fake installer"]
    class file_openclaw file
    initial_access["<b>Technique</b> – <b>T1204.002 User Execution: Malicious File</b><br/><b>Description</b>: Victim runs malicious installer from openclaw-installer.com"]
    class initial_access technique
    defense_evasion_vm["<b>Technique</b> – <b>T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks</b><br/><b>Description</b>: Dropper checks for VM, hardware fingerprint and waits for mouse movement"]
    class defense_evasion_vm technique
    defense_evasion_firewall["<b>Technique</b> – <b>T1562.004 Impair Defenses: Disable or Modify Firewall</b><br/><b>Description</b>: PowerShell disables Windows Defender and opens inbound ports 56001-57002"]
    class defense_evasion_firewall technique
    tool_powershell["<b>Tool</b>: PowerShell<br/><b>Description</b>: Executes scripts for disabling security components"]
    class tool_powershell tool
    execution_reflective["<b>Technique</b> – <b>T1620 Reflective Code Loading</b><br/><b>Description</b>: Decrypted stage-2 binaries executed in memory via memexec"]
    class execution_reflective technique
    execution_injection["<b>Technique</b> – <b>T1055.002 Process Injection: Portable Executable Injection</b><br/><b>Description</b>: svc_service.exe injects payloads using direct NT syscalls"]
    class execution_injection technique
    process_svc["<b>Process</b>: svc_service.exe<br/><b>Description</b>: Hosts CLR and performs injection"]
    class process_svc process
    persistence_shortcut["<b>Technique</b> – <b>T1547.009 Shortcut Modification</b><br/><b>Description</b>: LNK shortcut placed in Startup folder"]
    class persistence_shortcut technique
    file_shortcut["<b>File</b>: OneDriveSync.lnk<br/><b>Location</b>: Startup folder"]
    class file_shortcut shortcut
    persistence_hijack["<b>Technique</b> – <b>T1574 Hijack Execution Flow</b><br/><b>Description</b>: Registry changes to WinLogon Userinit, COM hijacking, scheduled task creation"]
    class persistence_hijack technique
    node_registry["<b>Registry</b>: WinLogon Userinit modification<br/><b>Action</b>: Alters execution order"]
    class node_registry registry
    node_task["<b>Scheduled Task</b>: Logon task<br/><b>Action</b>: Executes payload on user logon"]
    class node_task scheduled
    c2_dead_drop["<b>Technique</b> – <b>T1102.001 Web Service: Dead Drop Resolver</b><br/><b>Description</b>: Retrieves C2 domain from Telegram channel description"]
    class c2_dead_drop technique
    c2_telegram["<b>C2 Channel</b>: Telegram description"]
    class c2_telegram c2
    c2_bidirectional["<b>Technique</b> – <b>T1102.002 Web Service: Bidirectional Communication</b><br/><b>Description</b>: Communicates via Hookdeck webhook relay and Telegram Bot API"]
    class c2_bidirectional technique
    tool_hookdeck["<b>Tool</b>: Hookdeck webhook relay<br/><b>Description</b>: Relays HTTP requests"]
    class tool_hookdeck tool
    tool_telegram_bot["<b>Tool</b>: Telegram Bot API<br/><b>Description</b>: Provides bidirectional messaging"]
    class tool_telegram_bot tool

    %% Connections
    file_openclaw -->|triggers| initial_access
    initial_access -->|leads_to| defense_evasion_vm
    defense_evasion_vm -->|leads_to| defense_evasion_firewall
    defense_evasion_firewall -->|executed_by| tool_powershell
    defense_evasion_firewall -->|leads_to| execution_reflective
    execution_reflective -->|loads_into| process_svc
    process_svc -->|performs| execution_injection
    execution_injection -->|creates| file_shortcut
    file_shortcut -->|enables| persistence_shortcut
    persistence_shortcut -->|supports| persistence_hijack
    persistence_hijack -->|modifies| node_registry
    persistence_hijack -->|creates| node_task
    persistence_hijack -->|obtains| c2_dead_drop
    c2_dead_drop -->|source| c2_telegram
    c2_dead_drop -->|uses| c2_bidirectional
    c2_bidirectional -->|relays_via| tool_hookdeck
    c2_bidirectional -->|communicates_via| tool_telegram_bot
```
Detections
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Suspicious Execution from Public User Profile (via process_creation)
- Disable Windows Defender Realtime Monitoring and Other Preferences Changes (via cmdline)
- Suspicious Binary / Scripts in Autostart Location (via file_event)
- Suspicious Files in Public User Profile (via file_event)
- Possible Telegram Abuse As Command And Control Channel (via dns_query)
- IOCs (HashSha256) to detect: OpenClaw’s Hologram: Fake Installer Ships Rust Infostealer
- IOCs (SourceIP) to detect: OpenClaw’s Hologram: Fake Installer Ships Rust Infostealer
- IOCs (DestinationIP) to detect: OpenClaw’s Hologram: Fake Installer Ships Rust Infostealer
- Detect Obfuscated PowerShell Payload and Firewall Manipulations [Windows Powershell]
- Detection of Malicious OpenClaw Installer Delivering Modular Framework [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An adversary obtains the malicious OpenClaw fake installer (OpenClaw_x64.exe).
The user, believing it to be a legitimate wallet tool, executes the installer (T1204).
The installer immediately launches a single command line that spawns the six malicious payload binaries in one go, allowing it to bypass sandbox heuristics and establish a modular implant framework (T1027.009, T1608.001, T1546.016, T1127). The exact command line expected by the rule is:
OpenClaw_x64.exe svc_service.exe virtnetwork.exe onedrive_sync.exe audioeq.exe WinHealhCare.exe OneSync.exe
Regression Test Script:
```powershell
# -------------------------------------------------
# Simulation script – triggers the OpenClaw detection
# -------------------------------------------------
$installerPath = "C:\Temp\OpenClaw_x64.exe"

# Ensure the dummy installer exists (create a harmless placeholder).
# Caveat: a zero-byte file is not a valid PE, so Start-Process will raise an error
# and no process-creation event is written; substitute a benign executable under
# this name if the rule needs an actual process start rather than the command line.
if (-not (Test-Path $installerPath)) {
    New-Item -ItemType File -Path $installerPath -Force | Out-Null
}

# Build the argument list containing all six payload names
$payloads = @(
    "svc_service.exe",
    "virtnetwork.exe",
    "onedrive_sync.exe",
    "audioeq.exe",
    "WinHealhCare.exe",
    "OneSync.exe"
)
$argString = $payloads -join " "

# Launch the installer with the full malicious command line
Write-Host "Launching malicious installer..."
Start-Process -FilePath $installerPath -ArgumentList $argString -NoNewWindow

# Wait a few seconds to let Sysmon / Security log the event
Start-Sleep -Seconds 5
Write-Host "Simulation complete. Verify SIEM for alert."
```
Cleanup Commands:
```powershell
# -------------------------------------------------
# Cleanup script – removes artifacts created for the test
# -------------------------------------------------
$installerPath = "C:\Temp\OpenClaw_x64.exe"
if (Test-Path $installerPath) {
    Remove-Item -Path $installerPath -Force
}

# Optionally terminate any lingering dummy payload processes (they are just placeholders)
Get-Process -Name "svc_service","virtnetwork","onedrive_sync","audioeq","WinHealhCare","OneSync" -ErrorAction SilentlyContinue |
    Stop-Process -Force
Write-Host "Cleanup finished."
```
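The process-creation logic the narrative above describes, as an added PowerShell example written for this page (not the platform's rule or the campaign's code): it scores constructed Sysmon-style Image/CommandLine records against the six payload names and flags the installer launch. Test-OpenClawLaunch, the MinHits threshold and the sample records are assumptions.

```powershell
# Added example (not from the original page): evaluates process-creation records
# against the payload names from the narrative. Sample records are constructed.
$PayloadNames = 'svc_service.exe','virtnetwork.exe','onedrive_sync.exe',
                'audioeq.exe','WinHealhCare.exe','OneSync.exe'

function Test-OpenClawLaunch {
    # Hypothetical helper: returns Match=$true when the image is OpenClaw_x64.exe and the
    # argument list names at least $MinHits payloads (tolerates reordered or trimmed lists).
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][string]$CommandLine,
        [int]$MinHits = 3
    )
    # Tokenise on whitespace, drop the image token itself, strip surrounding quotes
    $tokens = @(($CommandLine -split '\s+' | Select-Object -Skip 1) -replace '^"|"$', '')
    $hits = @($PayloadNames | Where-Object { $tokens -contains $_ })   # case-insensitive
    $isInstaller = [IO.Path]::GetFileName($Image) -ieq 'OpenClaw_x64.exe'
    [pscustomobject]@{
        Image    = $Image
        Match    = $isInstaller -and ($hits.Count -ge $MinHits)
        HitCount = $hits.Count
        Hits     = ($hits -join ',')
    }
}

# Constructed Sysmon Event ID 1-style records (Image and CommandLine fields only)
$samples = @(
    @{ Image = 'C:\Users\Public\OpenClaw_x64.exe'
       CommandLine = 'OpenClaw_x64.exe svc_service.exe virtnetwork.exe onedrive_sync.exe audioeq.exe WinHealhCare.exe OneSync.exe' },
    @{ Image = 'C:\Users\Public\OpenClaw_x64.exe'
       CommandLine = '"OpenClaw_x64.exe" OneSync.exe audioeq.exe svc_service.exe' },
    @{ Image = 'C:\Program Files\OpenClaw\OpenClaw_x64.exe'; CommandLine = 'OpenClaw_x64.exe --install' },
    @{ Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c OneSync.exe' }
)
# Expected: first two records Match=True (6 and 3 hits), last two Match=False
$samples | ForEach-Object { $rec = $_; Test-OpenClawLaunch @rec } | Format-Table -AutoSize
```

Lowering MinHits to 1 trades the fourth sample's silence for more noise; the threshold is where a detection engineer tunes between the exact six-name command line the rule expects and partial launches.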