SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers
India
Malicious OpenClaw skill spreads Remcos RAT & GhostLoader
Crypto Cloud Security DevSecOps

Malicious OpenClaw skill spreads Remcos RAT & GhostLoader

Thu, 7th May 2026 (Today)
Sofiah Nichole Salivio
SOFIAH NICHOLE SALIVIO News Editor

Zscaler ThreatLabz has identified a malware campaign that uses a malicious OpenClaw skill to distribute Remcos RAT and GhostLoader, targeting AI agent workflows and developer environments.

The campaign centred on a deceptive "DeepSeek-Claw" skill published for the open-source OpenClaw framework, which supports autonomous AI agents that carry out tasks requiring elevated local system access. The malicious skill included installation instructions that could be executed automatically by AI agents parsing the file or manually by developers following the steps.

On Windows, the main infection path used a PowerShell command embedded in the skill instructions to launch a remote Microsoft Installer package through msiexec. The installer dropped two files: a legitimate GoToMeeting executable, G2M.exe, and a malicious g2m.dll designed to be sideloaded when the signed application started.

The attackers used DLL search order hijacking so that GoToMeeting loaded the malicious DLL instead of the expected dependency. The DLL then acted as an in-memory shellcode loader for Remcos RAT.

Windows path

The shellcode loader used several techniques to avoid analysis, including dynamic API resolution, XOR-based string decryption, and the Tiny Encryption Algorithm in CBC mode to decrypt the final payload in memory.

The malware also altered Windows security functions in memory. It patched EtwEventWrite to suppress event logging and modified AmsiScanBuffer so the payload would be treated as clean by the Antimalware Scan Interface.

Additional checks aimed to detect debugging, sandboxing, and virtualised environments. The loader inspected the Process Environment Block for signs of debugging, measured execution timing to detect sleep acceleration or breakpoints, scanned its own memory for software breakpoint instructions, and looked for processes and mutexes associated with analysis tools and virtual machines.

Once active, Remcos RAT established a TLS-encrypted command-and-control channel over TCP. It could log keystrokes, capture clipboard data, steal browser session cookies from local SQLite databases, and give the attacker an interactive reverse shell for arbitrary command execution.

Configuration details showed the malware was set to operate in "invisible" stealth mode. The analysed sample pointed to a command-and-control address at 146[.]19.24[.]131:2404 and used an RC4-encrypted configuration stored in a resource named SETTINGS.

Cross-platform route

A separate installation path in the same skill triggered GhostLoader, which Zscaler described as a cross-platform information stealer aimed at developer environments. This route applied to macOS, Linux, and manual Windows workflows.

In that branch, bash-based installers launched npm scripts containing an obfuscated Node.js payload named setup.js. On macOS and Linux, the script acted as a dropper and used terminal-based social engineering, including spoofed sudo prompts, to capture user credentials.

GhostLoader then collected data including macOS keychain information, SSH keys, cryptocurrency wallets, and cloud API tokens before sending it to attacker-controlled infrastructure. The command-and-control server identified for that activity was hxxps://trackpipe[.]dev.

Broader pattern

The case highlights how attackers are adapting established malware delivery methods to tools built for AI-driven automation. In this instance, a framework designed to let agents execute complex local tasks became the initial access point because its skill architecture allowed instructions to be embedded in a markdown file that could be trusted or processed automatically.

Zscaler linked the activity to a wider cluster of suspicious repositories using the "claw" naming convention. The list included projects masquerading as integrations or tools tied to trading, coding, and cryptocurrency themes, suggesting a broader effort to seed malicious skills into developer and AI agent workflows.

Indicators of compromise identified in the investigation included the "Deepseek-Claw" skill, the MSI installer, the cloudcraftshub[.]com and dropras[.]xyz infrastructure used for downloads, the shellcode loader, and the final Remcos sample. Zscaler products detect elements of the campaign as Win32.Backdoor.RemcosRat and Win32.Dropper.RemcosRat.

The attack mapped to a range of tactics in the MITRE ATT&CK framework, including software supply chain compromise, malicious file execution, system binary proxy execution, DLL side-loading, defence impairment, sandbox evasion, credential theft, and command-and-control over web protocols. The campaign underscores the risk of allowing third-party skills and plugins to run in AI agent environments without close scrutiny.

"As AI agents become standard enterprise tools, organizations must thoroughly check third-party plugins and maintain strict behavioral monitoring of third-party skills to stop these evolving attack chains," Zscaler ThreatLabz said.

Related stories
Keeper Security launches Agent Kit for AI coding agents
API attacks surge as AI exposure raises cyber risk
Silverfort & SentinelOne unite on AI identity security
AI agents expose major API security gap, Salt warns
Anthropic launches Glasswing AI cyber coalition with partners
Top stories
ServiceNow unveils Otto & expands AI Control Tower
eYou opens public app as users distrust social media
AI inference becomes core operational workload in firms
Upwind expands runtime protection to Windows Server VMs
JFrog unveils Mumbai speaker line-up on AI software risks