Fake OpenClaw lure exposes wallet risks


Hackers are exploiting demand for OpenClaw by circulating a counterfeit installer that delivers Hologram, a Rust-based information-stealing framework built to harvest credentials from crypto wallets, password managers and browser extensions.

Security analysis of the campaign shows a polished fake installer site distributing an archive named OpenClawx64.7z. Inside it is OpenClawx64.exe, a bloated 130MB executable designed to appear legitimate while frustrating automated sandbox checks. The payload is tied to a wider abuse pattern in which attackers mimic fast-growing AI tools, open-source projects and developer utilities to reach technically literate users who may hold valuable credentials, tokens or digital assets.

Hologram’s operators appear to have taken particular interest in browser-based stores of secrets. The framework targets more than 250 crypto wallet and password manager extensions, placing private keys, seed phrases, saved passwords, session tokens and authentication cookies at risk. Such data can allow attackers to drain wallets, hijack accounts, bypass multi-factor authentication through stolen sessions and gain access to cloud services used by individuals and organisations.

The campaign’s delivery chain begins with a fake OpenClaw installer page designed to look plausible to users searching for the AI assistant. The site directs visitors towards a GitHub-linked distribution path using names that closely resemble the legitimate project. That technique reflects a broader rise in software supply-chain deception, where attackers rely less on crude phishing messages and more on search results, trusted hosting platforms and professional-looking repositories.

Hologram is not a single-purpose stealer. Security researchers describe it as a modular implant framework with multiple binaries, staged execution and evasive checks. The dropper uses techniques such as mouse-movement gating to reduce the chance of execution inside automated analysis environments. Once it is satisfied that it is running on a real user system, it can retrieve further components and begin credential theft.

A notable feature of the campaign is its reliance on widely used services for command-and-control and payload delivery. Azure DevOps, Telegram and Hookdeck have been observed in the infrastructure chain, helping the malware blend into traffic that many enterprise networks already allow. This use of trusted cloud and messaging platforms complicates detection because blocking such services outright can disrupt legitimate business workflows.

The fake OpenClaw activity fits into a sequence of attacks that began earlier this year when malicious repositories posing as OpenClaw installers were promoted through search and AI-assisted discovery routes. Those earlier attacks delivered information stealers such as Vidar and PureLogs, along with GhostSocks, a proxy tool that can turn a compromised machine into a residential relay for criminal traffic. A victim’s own network address can then be used to mask fraudulent logins or other attacks.

OpenClaw’s appeal has made it a valuable theme for social engineering. The tool’s real purpose — acting as a locally run AI assistant capable of interacting with files, messages, calendars and cloud services — means users may be more willing to grant it broad permissions. Attackers exploit that expectation by presenting malicious installers, fake skills and cloned repositories as convenient ways to install or extend the product.

The risk extends beyond crypto theft. OpenClaw configuration files can contain gateway tokens, device keys, workspace paths and operational instructions for AI agents. If stolen, those files may expose not only account credentials but also the behavioural and access context of a user’s AI assistant. For businesses experimenting with agentic tools, such exposure can create a bridge into internal workflows, cloud accounts and collaboration systems.

Developers and security teams are being urged to treat unofficial installers with suspicion, even when they appear on reputable platforms. GitHub hosting, cloud delivery and clean-looking documentation no longer provide reliable assurance that a package is safe. Attackers increasingly copy legitimate code, pad malicious binaries, create convincing organisation names and exploit the speed at which AI search systems surface software recommendations.

Basic precautions remain important but must be applied rigorously. Users should download OpenClaw only from verified project channels, inspect repository ownership and release history, avoid running one-line installation commands from unknown pages, and scan binaries before execution. Enterprises should monitor for unusual access to browser extension folders, credential stores, Telegram-linked traffic, Hookdeck relay patterns and unexpected Azure DevOps downloads from endpoints that do not normally use those services.
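The enterprise monitoring advice above (unexpected reads of browser extension storage and credential stores, plus egress to Telegram, Hookdeck or Azure DevOps from endpoints that do not normally use them) can be expressed as a small correlation rule. The script below is an added illustration, not code from the article, from OpenClaw or from any vendor; the event schema, the credential-store path patterns (Windows Chromium layout), the allowed-process list, the per-service host baseline and the sample telemetry are all constructed assumptions for the example.

```python
"""Flag endpoint telemetry matching the fake-installer campaign's observed patterns.

Added illustration. Events are constructed dicts in a hypothetical schema:
  {"host", "type": "net", "process", "domain"}  for outbound connections
  {"host", "type": "file", "process", "path"}   for file reads
"""
import re
from collections import defaultdict

# Services the article names in the campaign's infrastructure chain.
# Domain mapping is an assumption; subdomains are matched as well.
WATCHED_DOMAINS = {
    "api.telegram.org": "telegram",
    "dev.azure.com": "azure_devops",
    "hookdeck.com": "hookdeck",
}

# Browser extension storage and credential-store locations (assumed Chromium layout).
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"\\Local Extension Settings\\", re.I),
    re.compile(r"\\Login Data$", re.I),
    re.compile(r"\\Network\\Cookies$", re.I),
]

# Processes expected to read those paths (assumption: the browsers themselves).
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Hosts that legitimately use each service (constructed baseline for the example).
BASELINE = {
    "azure_devops": {"build-01", "dev-laptop-07"},
    "telegram": set(),
    "hookdeck": {"webhook-gw"},
}

# Constructed sample telemetry: one normal developer laptop, one gateway host,
# and one workstation showing the pattern described in the article.
SAMPLE_EVENTS = [
    {"host": "dev-laptop-07", "type": "net", "process": "git.exe", "domain": "dev.azure.com"},
    {"host": "sales-pc-12", "type": "net", "process": "OpenClawx64.exe", "domain": "dev.azure.com"},
    {"host": "sales-pc-12", "type": "file", "process": "OpenClawx64.exe",
     "path": r"C:\Users\amy\AppData\Local\Google\Chrome\User Data\Default"
             r"\Local Extension Settings\EXTENSION_ID_PLACEHOLDER\000003.log"},
    {"host": "sales-pc-12", "type": "net", "process": "OpenClawx64.exe", "domain": "api.telegram.org"},
    {"host": "sales-pc-12", "type": "file", "process": "chrome.exe",
     "path": r"C:\Users\amy\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "webhook-gw", "type": "net", "process": "relay.exe", "domain": "events.hookdeck.com"},
]


def service_for(domain):
    """Map a contacted domain (or any subdomain of it) to a watched service name, else None."""
    d = domain.lower().rstrip(".")
    for base, name in WATCHED_DOMAINS.items():
        if d == base or d.endswith("." + base):
            return name
    return None


def is_sensitive_path(path):
    """True when the path is a browser extension store or credential database."""
    return any(p.search(path) for p in SENSITIVE_PATH_PATTERNS)


def analyze(events, baseline=BASELINE, allowed=ALLOWED_PROCESSES):
    """Return one alert per event that breaks the baseline or the allowed-process rule."""
    alerts = []
    for ev in events:
        host, proc = ev["host"], ev["process"].lower()
        if ev["type"] == "net":
            svc = service_for(ev["domain"])
            # Only hosts outside the per-service baseline are suspicious.
            if svc and host not in baseline.get(svc, set()):
                alerts.append({"host": host, "process": proc, "kind": "egress",
                               "detail": f"{svc} via {ev['domain']}"})
        elif ev["type"] == "file":
            if is_sensitive_path(ev["path"]) and proc not in allowed:
                alerts.append({"host": host, "process": proc, "kind": "credential_store",
                               "detail": ev["path"]})
    return alerts


def correlate(alerts):
    """Hosts where an unexpected credential-store read coincides with watched-service egress."""
    kinds = defaultdict(set)
    for a in alerts:
        kinds[a["host"]].add(a["kind"])
    return sorted(h for h, k in kinds.items() if {"egress", "credential_store"} <= k)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['kind']}] {a['host']} {a['process']}: {a['detail']}")
    print("hosts needing triage:", correlate(found))
```

Either signal alone produces noise (developers pull from Azure DevOps, backup agents read browser profiles), so the correlation step only escalates hosts showing both an unexpected credential-store read and egress to one of the watched services; tuning the baseline per service, rather than blocking the services outright, is what keeps legitimate workflows running.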



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.