TTPwire Vol. 1 · MITRE ATT&CK·Tagged


GBHackers

Malicious OpenClaw Skill Targets Agentic AI Workflows to Deploy RATs and Stealers

Mayura Kathir · 3 hours ago

ATT&CK techniques detected

4 predictions
T1056.001 Keylogging (84%)
“##p / tls c2 channel, logs keystrokes, steals browser cookies from local sqlite databases, and provides an interactive reverse shell, with configuration stored in an rc4 ‑ encrypted resource that defines persistence, stealth mode, and c2 endpoints. if a user or ai agent follows t…”
T1055.001 Dynamic-link Library Injection (83%)
“systems, the skill. md file includes a powershell one ‑ liner that silently invokes msiexec to download and install a remote msi package. the msi drops a legitimate gotomeeting executable ( g2m. exe ) alongside a malicious g2m. dll, abusing dll search order hijacking to sideload …”
T1059.001 PowerShell (67%)
“systems, the skill. md file includes a powershell one ‑ liner that silently invokes msiexec to download and install a remote msi package. the msi drops a legitimate gotomeeting executable ( g2m. exe ) alongside a malicious g2m. dll, abusing dll search order hijacking to sideload …”
T1195.001 Compromise Software Dependencies and Development Tools (34%)
“malicious openclaw skill targets agentic ai workflows to deploy rats and stealers openclaw ’ s agent “ skill ” ecosystem to deliver both remcos rat and a cross ‑ platform stealer called ghostloader by hiding malware inside a deceptive deepseek integration called “ deepseek ‑ claw…”

Summary

OpenClaw’s agent “skill” ecosystem to deliver both Remcos RAT and a cross‑platform stealer called GhostLoader by hiding malware inside a deceptive DeepSeek integration called “DeepSeek‑Claw.” The campaign shows how agentic AI workflows with high local privileges can be quietly hijacked through manipulated installation instructions rather than classic exploit chains. OpenClaw, formerly known as Clawdbot and […]
