Stealth Packer
Stealth Packer is a previously undocumented malware packer/implant framework observed in fake OpenClaw installer campaigns in 2026. It is associated with the Rust-based Hologram/Pathfinder activity and earlier Huntress-observed malicious GitHub installer campaigns. The malware shares the internal project name "stealth_packer," and Huntress also identified a PDB reference to stealth_packer and a mutex named Global\StealthPackerMutex_9A8B7C in related samples.
High-confidence reporting describes Stealth Packer as a post-exploitation implant used alongside a large padded Rust dropper and Telegram-bot update droppers. It was delivered through trojanized OpenClaw installers distributed via a fake site at openclaw-installer.com and typosquatted or malicious GitHub repositories impersonating OpenClaw installers. The broader campaign targeted credentials and data from cryptocurrency wallets including Ledger and MetaMask, more than 250 browser extensions, password managers, and 2FA authenticators; Huntress also noted broad targeting of users searching for OpenClaw installers rather than a specific industry.
Capabilities directly attributed to it in the source reporting include in-memory malware execution/injection, firewall rule modification, creation of hidden or "ghost" scheduled tasks, and possible anti-VM or anti-sandbox mouse-movement checks. Netskope's reporting on the associated framework describes additional behavior across the stage-2 binaries sharing the stealth_packer project name: anti-analysis checks, retrieval of payload passwords from Telegram dead-drop services, staging via Azure DevOps, C2 relay through Hookdeck, HTTPS beaconing, in-memory .NET execution via clroxide, reflective PE loading via memexec, persistence via startup LNKs, Run registry autoruns, WinLogon Userinit hijacking, scheduled tasks, and COM hijacking, plus thread injection using direct NT syscalls. The campaign used Telegram channel descriptions as dead-drop infrastructure for C2 resolution.
Associated infrastructure and artifacts named in the reporting include openclaw-installer.com, Azure DevOps staging, Hookdeck relay infrastructure, Telegram dead-drop channels, the primary C2 frr.rubensbruno.adv.br in the Hologram wave, and YARA coverage for the Stealth Packer implant in a hologram.yar file. The malware is linked in reporting to the Hologram and Pathfinder campaign waves and to fake OpenClaw installer operations documented by Netskope Threat Labs and Huntress.
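As an added host-hunting example, not code from Huntress, Netskope or Mallory: a PowerShell check for the artifacts the capabilities paragraph attributes to Stealth Packer. The mutex name is the one Huntress reported; the Userinit default, the Run-key path heuristic and the SD-less "ghost task" check are general assumptions about how such persistence usually looks, not details this page provides.

```powershell
# Added hunt script (not from the page's sources). Run in an elevated session on
# the Windows host being checked. Each check appends a line to $findings.
$findings = @()

# 1. Named mutex reported by Huntress. OpenExisting only succeeds while a process holds it.
$mutexName = 'Global\StealthPackerMutex_9A8B7C'
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutexName)
    $m.Dispose()
    $findings += "Mutex $mutexName is present on this host"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: expected on a clean host.
} catch [System.UnauthorizedAccessException] {
    $findings += "Mutex $mutexName exists but is not accessible (treat as present)"
}

# 2. WinLogon Userinit hijack: anything beyond the stock userinit.exe is suspicious.
#    The default value below is an assumption about a standard install, not page data.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
if ($userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
    $findings += "Non-default Userinit value: $userinit"
}

# 3. Run-key autoruns that launch from user-writable locations (heuristic, assumed).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSObject.Properties } |
        Where-Object { $_.Name -notmatch '^PS' -and $_.Value -match '\\(AppData|Temp|ProgramData)\\' } |
        ForEach-Object { $findings += "Run autorun '$($_.Name)' -> $($_.Value)" }
}

# 4. Ghost scheduled tasks: the page does not say how the tasks are hidden; this checks
#    the commonly documented variant where a TaskCache\Tree entry has its SD (security
#    descriptor) value deleted, so the task still runs but no longer lists in schtasks.
$tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
Get-ChildItem -Path $tree -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $names = (Get-ItemProperty -Path $_.PSPath).PSObject.Properties.Name
    if (($names -contains 'Id') -and -not ($names -contains 'SD')) {
        $findings += "Scheduled task without SD value (hidden from listing): $($_.Name)"
    }
}

if ($findings.Count -eq 0) { 'No Stealth Packer persistence artifacts found' } else { $findings }
```

A hit on the mutex is the only check here that is specific to this family; the other three flag generic persistence that still warrants a look at the referenced binary.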
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic:
- Execution: 1 technique
- Persistence: 1 technique
- Privilege Escalation: 1 technique
- Stealth: 4 techniques
  - "Defender is killed in full... with every cmdlet name string-fragmented at runtime to defeat static PS1 detection rules."
  - hologram.yar: YARA rules to identify the Hologram/Pathfinder dropper, Stealth Packer implant, packed in-memory loader, and Telegram-bot dropper components
- Discovery: 1 technique
- Command and Control: 3 techniques
IOCs tracked for this family
33 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory. Indicator types:
- IPs, domains, and DNS infrastructure linked to this family
- File hashes (MD5, SHA-1, SHA-256) from samples and reports
- Other indicator types observed in public reporting
Recent activity
4 sources tracked across advisories, community write-ups, and news. Summaries of what each source reports:
A modular multi-binary loader/framework delivered by Hologram. It includes components for fingerprinting, C2 communications, in-memory CLR execution, reflective PE loading, persistence, COM hijacking, and thread injection, and supports credential theft targeting browser extensions and Ledger Live-related data.
A previously unreported packer used to load/decrypt and invoke payloads in memory; observed functionality hints include adding firewall rules, creating hidden scheduled tasks, and possible anti-VM checks (e.g., mouse-movement gating) before running decrypted payloads.
Stealth Packer is described as a new packer that injects malware into memory, adds firewall rules, creates hidden "ghost" scheduled tasks, and may perform anti-VM checks for mouse movement before running decrypted payloads.