The highly popular and risk-riddled OpenClaw personal AI assistant is being used by bad actors to target users with a malicious GitHub repository that delivers fake installers that deploy infostealers and GhostSocks, a proxy malware that allows attackers to route their traffic via a victim’s residential network and bypass protections.

The fraudulent OpenClaw installers, which were difficult to detect, distributed the infostealers through a packer dubbed “Steal Packer” in a campaign that ran from Feb. 2 through 10, according to threat researchers with cybersecurity firm Huntress. The packer also would run GhostSocks on Microsoft Windows systems and Atomic macOS Stealer (AMOS) on Apple macOS systems.

Huntress researchers detected the threat on Feb. 9 after a user alerted them that they had downloaded and ran an installer from GitHub that was posing as OpenClaw Installer for Windows. GitHub has since taken down both the repository and organization behind it, according to Huntress researchers Jai Minton and Ryan Dowd.

The campaign was the latest example of the security threat posted by OpenClaw, which was released in November 2025 and has since been widely embraced by people using the self-hosted AI agent that integrates with apps like WhatsApp, Telegram and Discord for such tasks as summarizing conversations, scheduling meetings, executing code, managing calendars, and booking flights.

New Technology Attracts Bad Actors

“With any new popular technology or global change that impacts a large number of people comes threat actors who are willing to capitalize on it to steal credentials and sell access to others for personal gain,” Minton and Dowd wrote in a report. “So, it’s no surprise that threat actors have begun using the popularity of OpenClaw to trick unsuspecting users into installing malware on their machines.”

“Even with a legitimate OpenClaw installation, users face a significant risk, as OpenClaw configurations contain an array of sensitive information, including passwords, API keys, and more,” they added. “If an information stealer compromises the system, it can harvest not only account credentials but also sensitive OpenClaw configuration files. … Just because software is hosted on a trusted platform doesn’t mean that it’s not malicious.”

Abusing Trust

OpenClawd AI this week updated the platform used for OpenClaw, noting that has garnered more than 250,000 stars on GitHub, more than 48,000 forks, and more than 1.5 million weekly npm downloads.

The threat actors behind the fake OpenClaw installer were helped by hosting the malware on GitHub and that the malicious repository was a top-rated recommendation when users searched for “OpenClaw Windows” on Microsoft Bing’s AI results. This made it “highly likely that other users would have fallen victim to this attack had Huntress not reported the malicious repository and GitHub not been so responsive in taking it down,” Minton and Dowd wrote.

“Just because software is hosted on a trusted platform doesn’t mean that it’s not malicious,” they warned.

Adding to the trust factor was that the installer was tied to a GitHub organization called “openclaw-installer.”

‘Bloated’ Executables

Inside of OpenClaw-Installer is mostly legitimate code from a Cloudflare project, moltworker, and has no connection to the executables that are found in the releases section, according to the researchers. Inside that section is a “bloated binary named OpenClaw_x64.exe, which was inside a 7-Zip archive.

When executed, OpenClaw_x64.exe deployed a range of malware to the endpoint, with many of them being quarantined by Microsoft’s Windows Managed AV and Managed Defender for Endpoint, with most of them being Rust-based loaders aimed at running infostealers in memory.

In addition, the bad actors used stealth packer, a packer that included such functionality as invoking malware into memory, creating firewall rules and hidden ghost scheduled tasks, and possibly making AntiVM check to detect mouse movement to ensure it wasn’t in a virtual machine before running decrypted payloads.

There also was GhostSocks, a tool that had been used by the operators behind the BlackBasta ransomware to establish persistent access to a system. This version of GhostSocks used TLS for connects, which Minton and Dowd wrote “is a change to original variants, which would use unencrypted HTTP. Interestingly, this variant contained a check for a particular argument (–johnpidar) which if provided would launch the malware in debugging mode, providing more insight into its configuration.”

Targeting macOS

The GitHub account that delivered the malware for macOS was similar to the one for Windows, but instead pulled and ran malware from another repository called “dmg” created by an organization called “puppeteerrr,” which the researchers call “a major red flag.”

“Much like the first [Windows] account, the second account, which created the organization and repository, was also first opened in September, and had no public activity up until early February when the malicious organization puppeteerrr and associated repository dmg were created,” they wrote.

Minton and Dowd noted that while writing the report, Huntress researchers found three other organizations and accounts used to distribute similar malicious installers to deploy infostealers.

“Interestingly, one of these mimics the original openclaw-installer and was created a day after the original account, organization, and repository were taken down,” they wrote. “All have been reported to GitHub.”