Security firm Huntress published research on March 4, 2026 revealing that threat actors created fake OpenClaw installer repositories on GitHub that were promoted directly by Bing's AI-enhanced search, tricking users into downloading information-stealing malware.
How the Attack Worked
The campaign exploited the massive interest in OpenClaw by creating a GitHub organization called "openclaw-installer" with a legitimate-looking repository and README. When users searched "OpenClaw Windows" on Bing, the AI search feature linked directly to the malicious repository — giving it an appearance of legitimacy.
The repository's releases section offered a 7-Zip archive containing a file named OpenClaw_x64.exe. On execution, it dropped multiple Rust-written malware components designed to load information stealers directly in memory.
Malware Payload
The fake installer delivered a dangerous cocktail of malware:
- Vidar stealer — harvests Telegram and Steam credentials, with dynamic C2 configuration.
- GhostSocks — converts compromised machines into network proxies, allowing attackers to route traffic through the victim's system to bypass MFA and anti-fraud detections.
- Stealth Packer — a new packer that adds firewall rules and creates scheduled tasks for persistence.
- AMOS variant — targets macOS users with a bash one-liner that downloads a malicious Mach-O binary.
Timeline and Resolution
The threat actor's GitHub account was created in September 2025. On January 30, 2026, they posted promotional spam on the official OpenClaw repository. The malicious campaign was active from February 2 to 10, 2026. Huntress detected an infected system on February 9, and GitHub removed the repositories within 8 hours of the report.
However, researchers identified three additional malicious organizations that appeared after the takedown — including one that was created just a day later.
How to Stay Safe
Huntress researcher Jai Minton advised users to always verify they are downloading from the official OpenClaw repository at github.com/openclaw/openclaw. Using a managed service like OpenClaw Launch eliminates this risk entirely, as instances are deployed from verified official images.
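The advice above is easy to state and easy to get wrong in practice, because a lookalike organization such as "openclaw-installer" sits under the real github.com host. The following is an added example (not from Huntress, the OpenClaw project, or the original article) of a download-origin check a defender could run before executing a release asset: it parses the URL, rejects non-HTTPS and non-GitHub hosts (including userinfo tricks like github.com@evil.example), requires the owner/repository pair to be exactly openclaw/openclaw, and flags owner or repository names that merely imitate it. The only facts taken from the article are the official repository path and the "openclaw-installer" organization name; every URL in the demo list, including the tag and asset names, is constructed for illustration.

```python
"""Check that an OpenClaw download URL really points at the official repository.

Added example, not part of the Huntress research or the OpenClaw project.
Facts taken from the article: the official repository github.com/openclaw/openclaw
and the campaign's lookalike organization "openclaw-installer". Everything else,
including the sample URLs below, is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

OFFICIAL_OWNER = "openclaw"          # from the article
OFFICIAL_REPO = "openclaw"           # from the article
GITHUB_HOSTS = {"github.com", "www.github.com"}


@dataclass(frozen=True)
class Verdict:
    trusted: bool
    reason: str
    owner: Optional[str] = None
    repo: Optional[str] = None


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _imitates(name: str, official: str) -> bool:
    """True if `name` resembles `official` without being it:
    either it embeds the official name ("openclaw-installer") or it is one
    edit away from it ("0penclaw")."""
    n = name.lower()
    if n == official:
        return False
    return official in n or _edit_distance(n, official) <= 1


def check_download_url(url: str) -> Verdict:
    """Classify a download URL as trusted (official repo) or not, with a reason."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return Verdict(False, f"non-HTTPS scheme: {parts.scheme or '(none)'}")
    # .hostname is lowercased and excludes userinfo/port, so
    # "https://github.com@evil.example/..." resolves to evil.example here.
    host = parts.hostname or ""
    if host not in GITHUB_HOSTS:
        return Verdict(False, f"unexpected host: {host or '(none)'}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        return Verdict(False, "no owner/repository in path")
    owner, repo = segments[0].lower(), segments[1].lower()
    if repo.endswith(".git"):
        repo = repo[:-4]
    if owner == OFFICIAL_OWNER and repo == OFFICIAL_REPO:
        return Verdict(True, "official OpenClaw repository", owner, repo)
    if _imitates(owner, OFFICIAL_OWNER) or _imitates(repo, OFFICIAL_REPO):
        return Verdict(False, f"lookalike name: {owner}/{repo}", owner, repo)
    return Verdict(False, f"not the official repository: {owner}/{repo}", owner, repo)


# Constructed sample URLs (tags and asset names are placeholders, not real releases).
SAMPLE_URLS = [
    "https://github.com/openclaw/openclaw/releases/download/vX.Y.Z/asset.exe",
    "https://github.com/OpenClaw/OpenClaw.git",
    "https://github.com/openclaw-installer/openclaw/releases/download/vX.Y.Z/asset.7z",
    "https://github.com/0penclaw/openclaw",
    "http://github.com/openclaw/openclaw",
    "https://github.com@evil.example/openclaw/openclaw",
    "https://evil.example/github.com/openclaw/openclaw",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        v = check_download_url(u)
        print(f"{'TRUSTED ' if v.trusted else 'REJECTED'}  {u}  ({v.reason})")
```

The check deliberately refuses anything that is not exactly openclaw/openclaw rather than trying to enumerate bad names, so new lookalike organizations like the three that appeared after the takedown fail closed without a rule update; the imitation heuristic only improves the reason string shown to the user.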