Malware

Pathfinder

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique

T1204.002Malicious FileEvidence1

Hologram is a two-wave Rust-based infostealer campaign distributed via a fake installer at openclaw-installer.com

Stealth

1 technique

T1027.002Software PackingEvidence1

hologram.yar : Yara rules to identify the Hologram/Pathfinder dropper, Stealth Packer implant, packed in-memory loader, and Telegram-bot dropper components

Command and Control

2 techniques

T1071Application Layer ProtocolEvidence1

with staging via Azure DevOps and C2 relay through Hookdeck

T1105Ingress Tool TransferEvidence1

The campaign uses a large padded Rust dropper, a post-exploitation implant (Stealth Packer), and Telegram-bot update droppers

INDICATORS OF COMPROMISE

IOCs tracked for this family

15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

9 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

4 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other

2 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in apptoday

domain●●●●●●●●●●●●View more in app1 day ago

domain●●●●●●●●●●●●View more in app1 month ago

uri●●●●●●●●●●●●View more in app1 month ago

domain●●●●●●●●●●●●View more in app1 month ago

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

netskope blogNews

May 7, 2026

OpenClaw's Hologram: Fake Installer Ships Rust Infostealer - Netskope

A later wave/variant of the fake OpenClaw installer dropper campaign that rotated infrastructure and added new stage-2 binaries, including Vidar. It is described as a dropper variant under the same campaign umbrella.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching15

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.