Malicious OpenClaw Installers Exploit Bing AI Search Results

Fake installers for the AI agent OpenClaw have emerged, delivering malware to unsuspecting users searching on Bing.

Fake installers for OpenClaw, an AI agent designed for various tasks, have been found to distribute malware, targeting users who searched for it on Bing. The malicious repositories were hosted on GitHub, raising concerns about the trust users place in such platforms.

Incident Overview

Between February 2 and 10, 2026, users searching for “OpenClaw Windows” on Bing were directed to a malicious GitHub repository named openclaw-installer. This repository contained information stealers and a variant of GhostSocks malware. The incident highlights how quickly cybercriminals exploit trending technologies to deceive users and steal sensitive information.

Exploitation of Trust

The success of this scam can be attributed to two main factors. Firstly, the malware was hosted on GitHub, a platform generally trusted by developers. OpenClaw’s popularity, with tens of thousands of forks on GitHub, made the fake installers appear legitimate. Secondly, the visibility provided by Bing’s AI search results lent further credibility to the malicious repository.

Malware Analysis

Huntress security researchers identified the malware on February 9, after a user downloaded the fake installer. The analysis revealed that the installer, while appearing largely legitimate, contained hidden malware within a 7-Zip archive labeled OpenClaw_x64.exe. Upon execution, it deployed multiple malware components, including loaders written in Rust and an information stealer known as Vidar, which targets user credentials from platforms like Telegram and Steam.

Ongoing Threats

In addition to the Vidar stealer, the malware also included GhostSocks, a proxy malware that converts compromised devices into residential proxies for malicious activities. This variant utilizes TLS for its connections, complicating detection efforts. Huntress researchers noted that the malicious repository and its associated accounts have since been removed, but they identified similar accounts that emerged shortly after the original was taken down, indicating a persistent threat.

Users are advised to exercise caution when downloading software, even from sources that appear trustworthy. The incident underscores the importance of verifying the legitimacy of software installers and of staying alert to scams that target popular technologies like OpenClaw.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ