Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

ClawHavoc

ClawHavoc is a malware distribution campaign associated with abuse of the OpenClaw AI agent ecosystem, specifically leveraging community “skills” content and documentation to socially engineer users into executing malicious actions. Reporting links ClawHavoc to infrastructure (notably 91.92.242.30) used to deliver payloads and notes that the actor previously used instructions embedded in skill documents to convince users to run a downloaded “agent” or paste Terminal commands, resulting in installation of Windows or macOS malware. The OpenClaw skills architecture—where community-developed skills run with full access to the agent’s tools and data—was cited as an architectural property exploited by ClawHavoc. In related observed activity targeting ClawHub (the OpenClaw skills repository), attackers posted malicious “troubleshooting” comments containing Base64-encoded commands that, when decoded, download a shellcode loader from 91.92.242.30, remove macOS quarantine attributes, and deliver/execute the Atomic macOS (AMOS) infostealer; this activity evaded ClawHub’s VirusTotal-based scanning because scanning covered skill packages rather than user comments. Malicious comments were observed under popular skills (e.g., Trello, Slack, Gog).

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1059Command and Scripting InterpreterEvidence1

"...push users to... paste Terminal commands (and thus download and run Windows or macOS malware)."

T1204User ExecutionEvidence1

"the threat actor is leaving this particular comment on popular legitimate skills..." ... "leveraged instructions in the skill documents to push users to run a downloaded 'agent' or paste Terminal commands"

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
help net securityNews
Feb 23, 2026
Fake troubleshooting tip on ClawHub leads to infostealer infection - Help Net Security

A malware distribution campaign previously associated with the same download IP, using social engineering (instructions in skill documents) to get users to run commands or an “agent” that results in Windows/macOS malware execution.

Read more
cso onlineNews
Feb 9, 2026
OpenClaw integrates VirusTotal malware scanning as security firms flag enterprise risks | CSO Online

Named threat/technique used to exploit OpenClaw’s community “skills” architecture, leveraging the agent’s privileged access to tools/data; described in the context of prompt-injection/natural-language instructions that evade signature-based malware scanning.

Read more
security affairsNews
Feb 8, 2026
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 83

ClawHavoc: 341 Malicious Clawed Skills Found by the Bot They Were Targeting

Read more
security affairsNews
Feb 8, 2026
Security Affairs newsletter Round 562 by Pierluigi Paganini - INTERNATIONAL EDITION

“Malware ClawHavoc: 341 Malicious Clawed Skills Found by the Bot They Were Targeting”

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.