hightower6eu
hightower6eu is a threat actor/publisher identified in reporting on a large-scale malware distribution campaign abusing the OpenClaw ecosystem and its public marketplace, ClawHub. Acronis TRU attributed 334 malicious skills to this account, representing 58% of 575 malicious skills identified across 13 developer accounts; separate reporting described the account as having published over 300 malicious skills. The skills were disguised as legitimate utilities, including finance tracking, crypto analytics, social media trend tools, and examples such as a YouTube transcript summarizer and a Yahoo Finance-themed skill. The activity relied on social engineering rather than exploitation of a software vulnerability, typically instructing users to download password-protected archives, execute encoded commands, run external binaries, or paste terminal commands from untrusted sources. Reported payloads associated with these ClawHub/OpenClaw skills targeted both Windows and macOS. For Windows, researchers observed trojanized payloads including VMProtect-packed malware, a second payload that decrypted strings with a 30-byte XOR key, dynamically resolved NT APIs, injected into explorer.exe, established AES-encrypted HTTPS command-and-control to velvet-parrot[.]com:443, downloaded a cryptominer disguised as svchost.exe, and maintained persistence via scheduled tasks and Windows Defender exclusion paths. For macOS, researchers observed base64-encoded commands connecting to 91.92.242[.]30 and infection chains that silently downloaded and executed AMOS/Atomic Stealer, a macOS-focused infostealer. Reporting states the macOS payload harvested credentials, browser cookies, and cryptocurrency wallet data, exfiltrated data to a remote command-and-control server, and then deleted itself. Acronis TRU also reported indirect prompt injection embedded in ClawHub skill files, allowing OpenClaw agents to execute hidden malicious instructions on behalf of users. The content identifies hightower6eu as one of the two primary threat actors driving the malicious ClawHub/OpenClaw campaign, alongside sakaen736jih. No nation-state attribution is stated in the provided content.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Observables
3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Primary actor in a malicious ClawHub/OpenClaw supply-chain-style campaign publishing trojanized AI skills disguised as legitimate tools to deliver trojans, cryptominers, and infostealers.
Operates a supply-chain style campaign against the OpenClaw (formerly Clawdbot) AI agent ecosystem by publishing large volumes of malicious “skills” to the ClawHub marketplace. The skills use social engineering to instruct users to download/execute external code, leading to malware installation (including Atomic Stealer/AMOS on macOS and a trojanized payload via password-protected ZIP on Windows).
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.