Mallory
Malware | Used by 2 actors | Exploits 2 CVEs

OpenClaw

Also known as: clawdbot, moltbot

OpenClaw is an open-source, self-hosted autonomous AI agent framework, previously referred to as MoltBot and Clawdbot, built with Node.js and designed to run locally on user systems. It is described as capable of browsing the web, writing code, executing arbitrary shell commands, reading and writing host files, accessing internal network services, and integrating with messaging and calendar platforms. Its architecture includes a local gateway/WebSocket server and connected nodes that can expose capabilities such as shell execution and access to local resources.

The content shows OpenClaw appearing in multiple security incidents and malicious-use contexts in 2026. A compromised npm publishing token was used to publish Cline CLI v2.3.0 with a postinstall hook that silently ran "npm install -g openclaw@latest", causing unauthorized installation of OpenClaw on developer machines for roughly eight hours on February 17, 2026; reporting cited about 4,000 downloads during that window. The Cline maintainers stated the installation was unauthorized and unintended. Separate reporting states attackers have installed and operated OpenClaw via Claude to execute commands on victim systems, often alongside living-off-the-land techniques.
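
A defender can check package manifests for the install-hook pattern described above. The following is an added example, not code from the original page or from the Cline or OpenClaw projects; the function names and both sample manifests are constructed for illustration.

```python
import json
import re
import shlex

# npm lifecycle scripts that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def _npm_global_installs(command):
    """Return the packages that `command` installs globally through npm."""
    found = []
    # Inspect each part of a chained command ("a && npm install -g b").
    for part in re.split(r"&&|\|\||;|\|", command):
        try:
            tokens = shlex.split(part)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            tokens = part.split()
        if len(tokens) < 2 or tokens[0] != "npm":
            continue
        if tokens[1] not in ("install", "i", "add"):
            continue
        if not any(t in ("-g", "--global") for t in tokens[2:]):
            continue
        found.extend(t for t in tokens[2:] if not t.startswith("-"))
    return found

def audit_manifest(manifest_text):
    """Return (hook, package) pairs for install-time hooks that pull global packages."""
    scripts = json.loads(manifest_text).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        for pkg in _npm_global_installs(scripts.get(hook, "")):
            findings.append((hook, pkg))
    return findings

# Constructed manifests: the first carries the hook quoted in the reporting.
TAMPERED = json.dumps({"name": "cline", "version": "2.3.0",
                       "scripts": {"postinstall": "npm install -g openclaw@latest"}})
CLEAN = json.dumps({"name": "example-cli", "version": "1.0.0",
                    "scripts": {"test": "node test.js",
                                "postinstall": "node scripts/banner.js"}})

if __name__ == "__main__":
    for label, text in (("tampered", TAMPERED), ("clean", CLEAN)):
        print(label, audit_manifest(text))
```
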

OpenClaw is also described as being exploited by multiple threat groups. One report says a China-linked automated cybercrime operation used a centralized backend called Paperclip and an agent-based workflow system known as OpenClaw to orchestrate large-scale exploitation of internet-facing assets, especially in fintech, Web3, and security sectors, using vulnerabilities including Log4Shell and 2025 RCEs. Another report states widespread exploitation of OpenClaw deployments followed shortly after its viral adoption, including abuse through exposed administrative interfaces, credential harvesting, malicious skills, and CVE-2026-25253.

A high-severity vulnerability chain in OpenClaw’s core architecture allowed a malicious website to connect to the localhost-bound gateway over WebSocket, brute-force gateway authentication because localhost attempts were not rate-limited or logged, and then gain administrative control of the agent. With authenticated access, an attacker could register as a trusted device, enumerate connected nodes, dump configuration and logs, exfiltrate data, and potentially execute shell commands on connected devices. The issue was fixed in OpenClaw version 2026.2.25 and later. Separate reporting on CVE-2026-25253 states it enabled remote code execution or account takeover scenarios involving token theft after a victim clicked a malicious link.

The ecosystem around OpenClaw is also described as risky. ClawHub, a public registry for OpenClaw skills, is reported to have hosted malicious skills disguised as legitimate utilities or productivity tools, including backdoors, credential stealers, and infostealers. Reporting cited more than 1,000 malicious skills in the marketplace in one case, and another source said 8-12% of audited skills were malicious. Threat-hunting guidance in the content recommends looking for process names such as openclaw, clawdbot, or moltbot; modifications under ~/.openclaw/skills/; OpenClaw spawning shells such as sh, bash, or zsh; reads of sensitive files such as ~/.aws/credentials; and outbound curl/wget activity to unfamiliar IPs.
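
The hunting signals listed above can be expressed as one pass over endpoint telemetry. This is an added example, not a rule from the original page or any vendor; the normalized event schema, the signal names, the familiar-network allowlist, and the sample events are all assumptions constructed for illustration.

```python
import ipaddress
from pathlib import PurePosixPath

AGENT_NAMES = {"openclaw", "clawdbot", "moltbot"}
SHELLS = {"sh", "bash", "zsh"}
SENSITIVE_SUFFIXES = ("/.aws/credentials",)
# Assumption: destinations this site already considers familiar.
FAMILIAR_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def _name(path):
    """Lower-cased executable name from a POSIX path."""
    return PurePosixPath(path).name.lower()

def hunt(events):
    """Return (signal, event_index) hits for the hunting signals listed above."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "process":
            image, parent = _name(ev["image"]), _name(ev.get("parent", ""))
            if image in AGENT_NAMES:
                hits.append(("agent_process", i))
            if parent in AGENT_NAMES and image in SHELLS:
                hits.append(("agent_spawned_shell", i))
        elif kind == "file_write" and "/.openclaw/skills/" in ev["path"]:
            hits.append(("skills_modified", i))
        elif kind == "file_read" and ev["path"].endswith(SENSITIVE_SUFFIXES):
            hits.append(("sensitive_file_read", i))
        elif kind == "connect" and _name(ev["image"]) in ("curl", "wget"):
            dst = ipaddress.ip_address(ev["dst"])
            if not any(dst in net for net in FAMILIAR_NETS):
                hits.append(("unfamiliar_egress", i))
    return hits

# Constructed sample telemetry (hypothetical schema, documentation IP range).
SAMPLE_EVENTS = [
    {"type": "process", "image": "/usr/local/bin/openclaw", "parent": "/sbin/launchd"},
    {"type": "process", "image": "/bin/bash", "parent": "/usr/local/bin/openclaw"},
    {"type": "file_write", "path": "/home/dev/.openclaw/skills/pdf-helper/index.js"},
    {"type": "file_read", "path": "/home/dev/.aws/credentials"},
    {"type": "connect", "image": "/usr/bin/curl", "dst": "203.0.113.10"},
    {"type": "connect", "image": "/usr/bin/curl", "dst": "10.1.2.3"},
    {"type": "process", "image": "/bin/zsh", "parent": "/usr/sbin/sshd"},
]

if __name__ == "__main__":
    for signal, idx in hunt(SAMPLE_EVENTS):
        print(signal, SAMPLE_EVENTS[idx])
```
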

Observed malicious outcomes associated with OpenClaw in the content include theft of configuration files, tokens, API keys, SSH keys, AWS credentials, Stripe tokens, PostgreSQL credentials, and other secrets; message interception; persistence via a background gateway daemon; and use as a high-privilege foothold on developer or administrative endpoints. One report mentions a Vidar variant exfiltrating configuration files, tokens, and API keys from an OpenClaw deployment. Another describes exposed or default administrative interfaces on port 18789 and misconfigurations such as binding to 0.0.0.0, missing authentication, and reverse-proxy header bypasses. The content also references failed installation attempts of OpenClaw on infrastructure used by an operator experimenting with Sliver and Metasploit, and describes OpenClaw as a Node.js-based botnet framework with a local API endpoint on port 18789.
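
The 0.0.0.0 binding misconfiguration mentioned above can be checked from a host's listening sockets. This is an added example, not tooling from the original page or the OpenClaw project; it assumes the column layout of Linux `ss -ltn` output, and the sample output is constructed.

```python
import ipaddress

GATEWAY_PORT = 18789  # port the page associates with the OpenClaw admin interface

def exposed_gateway_binds(ss_output, port=GATEWAY_PORT):
    """Return local addresses listening on `port` that are not loopback-only."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header or non-listening socket
        host, _, lport = cols[3].rpartition(":")
        if lport != str(port):
            continue
        # Drop IPv6 brackets and any interface scope such as "%lo".
        host = host.strip("[]").split("%")[0]
        if host == "*" or not ipaddress.ip_address(host).is_loopback:
            exposed.append(cols[3])
    return exposed

# Constructed `ss -ltn` output for illustration.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511        127.0.0.1:18789      0.0.0.0:*
LISTEN 0      511          0.0.0.0:18789      0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      511            [::1]:18789         [::]:*
LISTEN 0      511                *:18789            *:*
"""

if __name__ == "__main__":
    for bind in exposed_gateway_binds(SAMPLE_SS):
        print("gateway port reachable beyond loopback:", bind)
```

A loopback-only result does not cover the browser-originated WebSocket path described earlier, which the page says was fixed in OpenClaw 2026.2.25 and later.
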

Overall, the supporting content consistently characterizes OpenClaw as a legitimate but high-risk autonomous agent platform whose capabilities and local privileges make it attractive for unauthorized installation, post-compromise abuse, credential theft, persistence, and remote control when misconfigured, maliciously extended, or exploited.


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories.

CVE-2026-34040: Docker/Moby AuthZ Plugin Authorization Bypass

A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins under specific circumstances. The vulnerability, tracked as CVE-2026-34040 (CVSS score: 8.8), stems from an incomplete fix for CVE-2024-41110.

via the hacker news (thehackernews.com)

CVE-2026-25253: OpenClaw gatewayUrl token exfiltration and one-click RCE

We have identified widespread exploitation of OpenClaw (formerly MoltBot and ClawdBot) AI agents by multiple threat groups...

via flareio blog (flare.io)

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

Contagious Interview

the same wallet addresses, Aptos fallback identifiers, XOR keys, and config-file injection pattern appear in public victim reports, including development-team compromise and OpenClaw malware write-ups

via socket blog (socket.dev)

TeamPCP

A component called hackerbot-claw uses an AI agent (openclaw) for automated attack targeting.

via snyk blog (snyk.io)

MITRE ATT&CK

Techniques & procedures

29 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

2 techniques
T1592 Gather Victim Host Information (Evidence: 1)

Hackers use internet mapping engines such as FOFA and 360Quake to identify the External Attack Surface (internet-facing assets). They particularly target high-value groups like fintech companies, Web3 platforms, and security vendors.

T1595 Active Scanning (Evidence: 2)

Hackers use internet mapping engines such as FOFA and 360Quake to identify the External Attack Surface (internet-facing assets).

Resource Development

1 technique
T1587.001 Malware (Evidence: 1)

But OpenClaw is unique in that it can spin out sub-agents writing their own code.

Initial Access

6 techniques
T1078 Valid Accounts (Evidence: 1)

The incident occurred on Tuesday, when an "unauthorized party" used a compromised token to publish an update to Cline CLI on its npm registry...

T1189 Drive-by Compromise (Evidence: 1)

However, when javascript code served by a website running in the user’s browser creates a websocket, it uses the user’s own network interface to make the connection. This means malicious code running in a browser can evade the security restrictions and connect to the browser relay websocket...

T1190 Exploit Public-Facing Application (Evidence: 1)

The workflow was configured so that any GitHub user could trigger it by opening an issue, but it failed to properly check whether the information supplied in the title was potentially hostile.

T1195 Supply Chain Compromise (Evidence: 4)

Someone compromised open source AI coding assistant Cline CLI's npm package earlier this week in an odd supply chain attack ... an "unauthorized party" used a compromised token to publish an update to Cline CLI on its npm registry that installs OpenClaw on users' computers when they install cline@2.3.0.

T1195.001 Compromise Software Dependencies and Development Tools (Evidence: 6)

"All prior legitimate releases ... were published via GitHub Actions using OIDC-based Trusted Publishing... Version 2.3.0, however, was published manually by a user account..."

T1566 Phishing (Evidence: 1)

OpenClaw: Email delivery. Sending a malicious email to the agent (no human action needed)

Execution

5 techniques
T1053 Scheduled Task/Job (Evidence: 1)

OpenClaw could create a new attack surface in which AI agents can run for weeks and months, and activate after a long slumber.

T1059 Command and Scripting Interpreter (Evidence: 5)

it is possible to detect the processes openclaw, nanoclaw, nemoclaw, clawdbot, as well as the presence of Node.js on the device and bash, python, and similar services being launched from it

T1059.004 Unix Shell (Evidence: 1)

"modified package.json with an added postinstall script: 'postinstall": "npm install -g openclaw@latest.'"

T1059.007 JavaScript (Evidence: 3)

Once connected, the malicious code can use the Chrome DevTools Protocol to orchestrate the browser – for example, to run javascript in another tab: ws.send(JSON.stringify({ id: 2, method: "Runtime.evaluate", ... params: { expression: "document.cookie" ... } }))

T1072 Software Deployment Tools (Evidence: 1)

Microsoft did note a "small but noticeable uptick in installations of OpenClaw initiated by Cline CLI installation script" during the eight-hour supply chain incident on February 17.

Persistence

3 techniques
T1053 Scheduled Task/Job (Evidence: 1)

OpenClaw could create a new attack surface in which AI agents can run for weeks and months, and activate after a long slumber.

T1078 Valid Accounts (Evidence: 1)

The incident occurred on Tuesday, when an "unauthorized party" used a compromised token to publish an update to Cline CLI on its npm registry...

T1546.016 Installer Packages (Evidence: 1)

"version 2.3.0 of the Cline CLI npm package used a post-install hook to silently download OpenClaw"

Privilege Escalation

3 techniques
T1053 Scheduled Task/Job (Evidence: 1)

OpenClaw could create a new attack surface in which AI agents can run for weeks and months, and activate after a long slumber.

T1078 Valid Accounts (Evidence: 1)

The incident occurred on Tuesday, when an "unauthorized party" used a compromised token to publish an update to Cline CLI on its npm registry...

T1546.016 Installer Packages (Evidence: 1)

"version 2.3.0 of the Cline CLI npm package used a post-install hook to silently download OpenClaw"

Stealth

1 technique
T1078 Valid Accounts (Evidence: 1)

The incident occurred on Tuesday, when an "unauthorized party" used a compromised token to publish an update to Cline CLI on its npm registry...

Defense Impairment

1 technique
T1578 Modify Cloud Compute Infrastructure (Evidence: 1)

"...subtle, persistent configuration changes through normal API calls using legitimate permissions."

Credential Access

4 techniques
T1212 Exploitation for Credential Access (Evidence: 1)

The flaw allowed malicious websites to abuse its browser relay server and steal cookies from other tabs open in the same browser. An attacker who can induce a user to visit a malicious site can hijack active sessions from unrelated websites, including from services like gmail or microsoft 365.

T1528 Steal Application Access Token (Evidence: 1)

"...granting it broad access to software, including online services, email, login tokens..."; "...maintain persistent tokens across sessions, allowing it to operate without constant re-authentication."

T1539 Steal Web Session Cookie (Evidence: 1)

Among other things, this allows a savvy attacker to steal and exfiltrate session tokens from other tabs, or insert malicious code into these tabs.

T1552.001 Credentials In Files (Evidence: 2)

Incidents involving fully permissioned agents, such as OpenClaw, show how exposed admin interfaces, leaked API keys and missing sandboxing create cascading vulnerabilities across connected instances.

Discovery

3 techniques
T1046 Network Service Discovery (Evidence: 1)

The hex packet changed from querying '_clawdbot-gw._tcp.local' (specific service) to '_services._dns-sd._udp.local' (generic DNS-SD enumeration). This returns ALL mDNS services on the target, not just openclaw/clawdbot.

T1083 File and Directory Discovery (Evidence: 2)

Another indicator is the appearance of the service folders ~/openclaw, ~/nanoclaw, ~/.claw*, ~/clawhub... the presence on the computer of large... files with language model weights (usually .gguf and .bin files, less often .safetensors)

T1518 Software Discovery (Evidence: 1)

Checking for the presence of the Claude application (claude.exe) on the host using EDR/EPP... detect full-fledged applications as well: Grammarly Desktop.exe... identifying files (cursor.exe, Windsurf.exe)... detect the files of these AI applications: ollama.exe... gpt4all.exe

Lateral Movement

1 technique
T1072 Software Deployment Tools (Evidence: 1)

Microsoft did note a "small but noticeable uptick in installations of OpenClaw initiated by Cline CLI installation script" during the eight-hour supply chain incident on February 17.

Collection

2 techniques
T1005 Data from Local System (Evidence: 3)

At GTC, Nvidia CEO Jensen Huang highlighted OpenClaw's ability to create agents that can scan file systems, access personal information and communicate with large-language models.

T1119 Automated Collection (Evidence: 2)

Researchers noted that the contents were far from a simple data dump. Instead, the server showed a professionally organized operation with scripts for exploitation, victim-data staging, credential harvesting, and access validation all running in one place.

Command and Control

2 techniques
T1071 Application Layer Protocol (Evidence: 2)

Runner scripts inside the Bissa scanner framework were hardcoded with a Telegram bot token linked to a bot called @bissapwned_bot. Every time the scanner confirmed a successful React2Shell exploit, the bot sent a structured alert directly to the attacker’s private Telegram chat.

T1105 Ingress Tool Transfer (Evidence: 1)

"post-install hook to silently download OpenClaw"

Exfiltration

2 techniques
T1041 Exfiltration Over C2 Channel (Evidence: 1)

Task agent to browse to inbox, take a screenshot and email it (or upload to Agent Commander)... find some source code and then leak it out... you can upload and download images from the compromised host via the agent.

T1567 Exfiltration Over Web Service (Evidence: 1)

"...broad access to ... online services, email..."; "...data leakage... through normal API calls using legitimate permissions."

INDICATORS OF COMPROMISE

IOCs tracked for this family

26 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (3 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (17 tracked): File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other (6 tracked): Other indicator types observed in public reporting.
