Hackers exploit OpenClaw to spread malware via GitHub - and a little help from Bing
OpenClaw's popularity is proving a great vessel for malware distribution
- Cybercriminals exploit OpenClaw’s popularity with fake variants
- Malicious GitHub repos deliver Vidar and GhostSocks malware
- Malvertising campaigns spread tainted installers via Bing
Whenever a new trendy app or software emerges, cybercriminals try to capitalize on it by smuggling tainted, or outright fake, variants. We’ve seen it numerous times before, for example when ChatGPT first came out.
Now, we’re seeing the same with OpenClaw, the open source AI agent platform which grew immensely popular due to its ability to run tasks directly on a computer, such as reading files, sending messages, or running commands. It is currently one of the most popular AI projects, with more than 100,000 stars on GitHub.
However, there are also fake variants on GitHub that deploy various malware families to victims - and in a new report, security researchers at Huntress said the primary payload is Vidar, an infostealer that collects sensitive data such as credentials and user information from apps like Telegram. It is dropped through loaders that execute the stealer directly in memory.
Malvertising on Bing
The loaders also sometimes deploy GhostSocks, a proxy malware that turns infected machines into residential proxies. Criminals use these proxies to route malicious traffic, often selling it as a service.
According to Huntress, these fakes were added to GitHub on February 2, and remained there until February 10, when they were spotted and removed.
Being hosted on GitHub was dangerous enough, since the platform is regarded as trustworthy and millions of people use it every day (despite it often being used as a launchpad for malware distribution). Making matters worse was a malvertising campaign on Bing.
The researchers said they spotted the attack when a user downloaded and ran the fake installer. "Analysis revealed that this user had searched for the term OpenClaw Windows through Bing and had the AI suggestion link directly to a newly created malicious GitHub repository openclaw-installer," they explained.
Whenever a new popular app comes along, cybercriminals start advertising fake variants on popular networks. Sometimes they’ll advertise a non-existent premium version, and sometimes a version for an unsupported platform.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.