Hackers Use Fake OpenClaw Installer to Steal Crypto Wallet and Password Manager Credentials

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A dangerous new infostealer campaign is targeting some of the most sensitive data people store on their computers. Disguised as a legitimate installer for OpenClaw, a popular open-source personal AI assistant, the malware silently takes over systems and goes after over 250 browser extensions tied to crypto wallets and password managers. The campaign has been active since at least February 2026.

The attack begins at a convincing fake website, openclaw-installer.com, registered on March 9, 2026, which leads visitors to a file called OpenClaw_x64[.]7z. That archive contains a 130MB Rust-based executable padded with fake documentation to pass security scans. The size was deliberate. It clears antivirus file-size thresholds and breaks automated sandbox upload limits in a single move.

Researchers at Netskope Threat Labs uncovered the campaign and documented what they call the “Hologram” wave, a second and significantly more advanced iteration of the operation.

The dropper’s own manifest makes no attempt to hide its purpose, openly naming itself “Hologram” with the description “Decoy entity generator for tactical misdirection.”

Once the fake installer runs, it checks for signs that it is inside a virtual machine or sandbox. It scans for BIOS strings tied to virtual machines, suspicious software libraries, and hardware profiles that do not match real systems.


If those checks pass, it waits for actual mouse movement before doing anything else. Automated sandboxes do not move the mouse, so the malware sits still and never gets flagged.

Fake OpenClaw Graphical Installer Page (Source – Netskope)

After confirming it is on a real machine, the dropper disables Windows Defender, opens firewall ports, and downloads six modular components that work together. The attacker receives a confirmation in their private Telegram channel once all six modules load successfully.

The credential theft component of this campaign is broad and organized. The malware fetches a targeting list from an attacker-controlled Azure DevOps organization, covering 250 browser extensions.

That list includes 201 crypto wallets such as MetaMask, Phantom, Coinbase, OKX, Rabby, and Ronin, plus 49 password managers and authenticator apps including Bitwarden, LastPass, 1Password, NordPass, KeePass, and Google Authenticator.

Because the list lives in a remote Git repository rather than hardcoded in any binary, the attacker can update targets without rewriting the malware. The list of apps being targeted can quietly grow without triggering new detections. Separately, the malware also accesses Ledger Live data on the filesystem, giving the attacker two independent theft paths.

The six stage-2 modules each carry a specific role. One collects hardware fingerprints to decide whether the victim is worth a full attack. Another opens a persistent connection to the attacker’s server.

A third loads a hidden .NET assembly entirely in memory using a Rust component called clroxide, a technique never before documented in a crimeware campaign. Persistence is layered across registry autoruns, a Windows logon hijack, a scheduled task, and Telegram-based droppers that survive even if the main implant is removed.

A Rapidly Evolving Threat With Rotating Infrastructure

What makes this campaign so hard to shut down is how the attacker handles their infrastructure. The command server address is never hardcoded in the malware. Instead, the implant reads it from a Telegram channel description, so if a domain gets blocked, it pulls a new one on the next check-in. During active analysis, the attacker rotated every layer before findings were published.

Screenshot showing the OneDriveSync startup link (Source – Netskope)

All victim data, including usernames, IP addresses, and timestamps, is routed through Hookdeck, a legitimate webhook relay service. This keeps the attacker’s Telegram bot token out of network traffic entirely, making it very difficult to trace the real command backend.

Security teams should watch for behavioral signals that survive domain rotation. These include unusually large installer files, PowerShell launched from dropped binaries with fragmented command names, outbound traffic to webhook relay domains, Azure DevOps connections from non-development processes, and firewall rules being opened programmatically on ports 56001 through 57002. Blocking individual domains alone is not enough. Application-level inspection and behavioral detection are necessary to catch what this campaign is doing inside trusted services.
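The behavioral signals above can be expressed as hunting rules over endpoint and network telemetry. The following is an added example written for this article, not Netskope's or the article's own code. The events are constructed Sysmon-style records; the 100 MB installer threshold and the allowlist of legitimate Azure DevOps client processes are assumptions, while the port range, the Hookdeck relay domain, the stage-2 drop directory and the registry keys are taken from the article's IoC list.

```python
"""Behavioral hunting rules for the signals listed in the article, run over
constructed sample telemetry. Added example; not Netskope's or the article's code."""
import re

# Thresholds and allowlists below are assumptions made for this example.
LARGE_INSTALLER_BYTES = 100 * 1024 * 1024          # assumed: anything above 100 MB is worth a look
DEV_TOOL_IMAGES = {"git.exe", "devenv.exe", "code.exe", "msbuild.exe"}  # assumed legitimate Azure DevOps clients

# Values below come from the article's IoC list.
C2_PORT_RANGE = range(56001, 57003)                 # 56001-57002 inclusive
WEBHOOK_RELAY_DOMAINS = {"hkdk.events"}             # Hookdeck relay that hides the Telegram backend
DROP_DIR_PREFIX = "c:\\users\\public\\"             # stage-2 binary drop location
PERSISTENCE_KEYS = {
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\userinit",
    r"hkcu\software\microsoft\windows\currentversion\run\{networkmanager}",
    r"hklm\software\microsoft\windows\currentversion\run\windowsdefenderhelper",
}
# "Fragmented command names": adjacent string literals glued with '+' inside a PowerShell command line.
FRAGMENT_RE = re.compile(r"""['"][A-Za-z0-9-]+['"]\s*\+\s*['"][A-Za-z0-9-]+['"]""")
LOCALPORT_RE = re.compile(r"localport=(\d+)", re.IGNORECASE)


def _image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev):
    """Return the list of rule names an event triggers (empty if nothing fires)."""
    hits = []
    kind = ev["type"]
    if kind == "file_create":
        if ev["path"].lower().endswith((".exe", ".7z")) and ev["size"] >= LARGE_INSTALLER_BYTES:
            hits.append("large_installer")
    elif kind == "process_create":
        image, cmdline = _image_name(ev["image"]), ev.get("cmdline", "")
        if image in {"powershell.exe", "pwsh.exe"}:
            if ev["parent_image"].lower().startswith(DROP_DIR_PREFIX):
                hits.append("powershell_from_dropped_binary")
            if FRAGMENT_RE.search(cmdline):
                hits.append("fragmented_powershell_command")
        elif image == "netsh.exe":
            m = LOCALPORT_RE.search(cmdline)
            if m and int(m.group(1)) in C2_PORT_RANGE:
                hits.append("firewall_rule_in_c2_port_range")
    elif kind == "firewall_rule_add":  # rule-added audit event, covers rules created through the firewall API
        if ev["local_port"] in C2_PORT_RANGE:
            hits.append("firewall_rule_in_c2_port_range")
    elif kind == "network_connect":
        host = ev["dest_host"].lower()
        if any(host == d or host.endswith("." + d) for d in WEBHOOK_RELAY_DOMAINS):
            hits.append("webhook_relay_egress")
        if host == "dev.azure.com" and _image_name(ev["image"]) not in DEV_TOOL_IMAGES:
            hits.append("azure_devops_from_non_dev_process")
    elif kind == "registry_set":
        if ev["key"].lower() in PERSISTENCE_KEYS:
            hits.append("known_persistence_key_modified")
    return hits


def hunt(events):
    """Run every event through detect() and return {event_index: [rules]} for the ones that fire."""
    results = {}
    for i, ev in enumerate(events):
        rules = detect(ev)
        if rules:
            results[i] = rules
    return results


# Constructed sample telemetry (Sysmon-style fields); file names mirror the article's IoC list.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\alice\Downloads\OpenClaw_x64.exe", "size": 130 * 1024 * 1024},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\Public\svc_service.exe",
     "cmdline": "powershell -nop & ('Start-'+'Process') notepad"},
    {"type": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Users\Public\svc_service.exe",
     "cmdline": "netsh advfirewall firewall add rule name=CoreTask dir=in action=allow protocol=TCP localport=57001"},
    {"type": "network_connect", "image": r"C:\Users\Public\virtnetwork.exe", "dest_host": "hkdk.events", "dest_port": 443},
    {"type": "network_connect", "image": r"C:\Users\Public\audioeq.exe", "dest_host": "dev.azure.com", "dest_port": 443},
    {"type": "network_connect", "image": r"C:\Program Files\Git\cmd\git.exe", "dest_host": "dev.azure.com", "dest_port": 443},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell Get-Process"},
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The rules key on behavior that survives domain rotation: the relay and Azure DevOps checks look at which process is talking, not which C2 domain is current, and the firewall check fires whether the rule is added through netsh or an audit event from the firewall API. The git.exe connection to dev.azure.com and the interactive PowerShell session are included to show the allowlist and parent-process conditions suppressing expected activity.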

Indicators of Compromise (IoCs)

File Hashes

Type Indicator Description
SHA256 4014048f8e60d39f724d5b1ae34210ffeac151e1f2d4813dbb51c719d4ad7c3a OpenClaw_x64[.]exe — Hologram dropper v1.7.16 (Rust, 130MB padded)
SHA256 f03736fadffcb7bef122d25d6ace8044378d4fa455f7f48081a3b32c80eb4ed2 OpenClaw_x64[.]7z — Hologram dropper container archive
SHA256 f554b6f34fd2710929d74af550ddb50633d36eaf0533f2d0cbbde75670676486 OpenClaw_x64[.]exe — Pathfinder dropper v3.7.16 (Rust, 118MB padded)
SHA256 40fc240febf2441d58a7e2554e4590e172bfefd289a5d9fa6781de38e266b378 svc_service[.]exe — Stealth Packer C2 beacon / CLR loader (Hologram)
SHA256 4fcfcb83145223cca6db85e7c840876ec8a56d78efba856ab70287b0e5c8a696 svc_service[.]exe — Stealth Packer C2 beacon wave 2, beacons to 193.202.84.14:56001 (Pathfinder)
SHA256 605096b9729bd8eedab460dbd4baf702029fb59842020a27fc0f99fd2ef63040 virtnetwork[.]exe — Stealth Packer HTTPS C2 tunnel (Hologram)
SHA256 6ae9f9cfa8e638e933ad8b06de7434c395ec68ee9cc4e735069bfb64646bb180 onedrive_sync[.]exe — Reflective PE loader via memexec (Hologram)
SHA256 0c4a9d3579485eaf8801e5ac479cd322ee1e7161b54cc24689b891fa82ba0f1e audioeq[.]exe — System fingerprinter / recon (Hologram)
SHA256 fd67063ffb0bcde44dca5fea09cc0913150161d7cb13cffc2a001a0894f12690 WinHealhCare[.]exe — Telegram-bot dropper v2.0 (Hologram)
SHA256 d5dffba463beae207aee339f88a18cfcd2ea2cd3e36e98d27297d819a1809846 OneSync[.]exe — Telegram-bot dropper v1.6 (Hologram)
SHA256 787a28aff72f2ecd2f5e75baf284e61bda9ab8dd3905822c6f620cce809952e8 vicloud[.]exe — Vidar infostealer (Pathfinder)
SHA256 1478ccc61b69cee462ea98621ba53adf2de0ce28355c5c4eafaed6d779c8acda dbau[.]exe — Unknown role (Pathfinder)

Domains

Type Indicator Description
Domain openclaw-installer.com All waves — Delivery / typosquat site
Domain hkdk.events All waves — C2 Hookdeck relay
Domain dev.azure.com All waves — Payload staging (org: sagonbretzpr)
Domain api.telegram.org All waves — C2 / victim telemetry
Domain frr.rubensbruno.adv.br Hologram — Primary C2 (hijacked Brazilian law firm domain)
Domain mikolirentryifosttry.info Hologram — Secondary C2
Domain transcloud.cc Hologram — C2 for svc_service[.]exe
Domain steamhostserver.cc Hologram — C2 rotation
Domain serverconect.cc Hologram — C2 rotation and loader staging
Domain jollymccalister.lol Hologram — Dead C2
Domain t.me/b8bz11 Hologram — Telegram dead-drop
Domain snippet.host Hologram — Dead-drop
Domain loclx.io Hologram — C2 tunnel
Domain hwd.hidayahnetwork.com Pathfinder — Primary C2
Domain zkevopenanu.cfd Pathfinder — Secondary C2
Domain Rr3Ueff.pw Pathfinder — Candidate C2 / dead-drop (unconfirmed)
Domain t.me/hgo9tx Pathfinder — Telegram dead-drop
Domain pastebin.com Pathfinder — Dead-drop

IP Addresses

Type Indicator Description
IP 188.114.97.3 Hologram — Proxy for frr.rubensbruno.adv.br primary C2
IP 45.55.35.48 Hologram — svc_service[.]exe C2 beacon (port 57001); steamhostserver[.]cc / serverconect[.]cc
IP 193.202.84.14 Pathfinder — svc_service[.]exe wave-2 C2 beacon (port 56001)
IP 185.196.9.98 Hologram — transcloud[.]cc resolution (svc_service[.]exe)
IP 91.92.242.30 Hologram — Infrastructure
IP 147.45.197.92 Hologram — Encrypted beacon from nested payload
IP 94.228.161.88 Hologram — Encrypted beacon from nested payload
IP 86.54.42.72 Hologram — jollymccalister.lol historical resolution; dead C2

Dead-drop and Staging URLs

Type Indicator Description
URL https://snippet.host/efguhk/raw Hologram
URL https://snippet.host/iqqmib/raw Hologram
URL https://snippet.host/wtbtew/raw Hologram
URL https://snippet.host/uikosx/raw Hologram and Pathfinder
URL https://pastebin.com/raw/M6KthA5Z Hologram
URL https://pastebin.com/raw/csi5UqpEw Hologram
URL https://pastebin.com/raw/fTxiyhbL Hologram
URL https://pastebin.com/raw/mcwWi1Ue Hologram
URL https://pastebin.com/raw/w6BVFFWQ Pathfinder
URL https://dev.azure.com/sagonbretzpr/ All waves

Mutexes

Type Indicator Description
Mutex Global\StealthPackerMutex_9A8B7C svc_service[.]exe, virtnetwork[.]exe
Mutex Global\{CoreTask1461}_ onedrive_sync[.]exe
String –johnpidar Developer string in svc_service[.]exe

Registry Keys

Type Indicator Description
Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit WinLogon Userinit hijack via svc_service[.]exe
Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{NetworkManager} Autorun persistence via onedrive_sync[.]exe
Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderHelper Autorun persistence via svc_service[.]exe

Files and Paths

Type Indicator Description
Path C:\Users\Public Stage-2 binary drop location
Path C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveSync[.]lnk Startup persistence LNK
Path %APPDATA%RoamingDataConfigmanager[.]exe Dropped secondary executable via onedrive_sync[.]exe
Path %APPDATA%\Ledger Live Ledger hardware wallet theft target

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
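Loading a defanged list like the one above into a platform means refanging each indicator into a comparable form while keeping report output defanged. The following is an added example, not the article's or Netskope's tooling: it parses a constructed subset of the "Type Indicator Description" rows above, normalizes the indicators, and looks observables up against them. The handling of the hxxp prefix is an assumption beyond the [.] convention the note mentions.

```python
"""Parse a defanged IoC list into normalized records, look observables up against it,
and defang values for reporting. Added example; not the article's or Netskope's code."""
import re

# Constructed subset of the article's IoC rows (same header-less "Type Indicator Description" layout).
IOC_ROWS = """\
SHA256 4014048f8e60d39f724d5b1ae34210ffeac151e1f2d4813dbb51c719d4ad7c3a OpenClaw_x64[.]exe - Hologram dropper v1.7.16
Domain hkdk.events All waves - C2 Hookdeck relay
IP 193.202.84.14 Pathfinder - svc_service[.]exe wave-2 C2 beacon (port 56001)
URL https://pastebin.com/raw/w6BVFFWQ Pathfinder
"""

ROW_RE = re.compile(r"^(\w+)\s+(\S+)\s*(.*)$")
HASH_OR_DOMAIN = {"sha256", "sha1", "md5", "domain"}   # types compared case-insensitively


def refang(s):
    """Undo [.] and hxxp defanging (hxxp handling is an assumption) so a value matches live telemetry."""
    return re.sub(r"hxxp", "http", s.replace("[.]", "."), flags=re.IGNORECASE)


def defang(s):
    """Make a domain, IP or URL non-resolvable for reports: '.' -> '[.]', 'http' -> 'hxxp'."""
    return re.sub(r"http", "hxxp", s.replace(".", "[.]"), flags=re.IGNORECASE)


def normalize(ioc_type, indicator):
    """Canonical comparison form: refanged, and lower-cased for hashes and domains."""
    value = refang(indicator.strip())
    return value.lower() if ioc_type.lower() in HASH_OR_DOMAIN else value


def parse_iocs(text):
    """Turn 'Type Indicator Description' rows into a dict keyed by normalized indicator."""
    iocs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group(1).lower() == "type":   # skip blank lines and a repeated header row
            continue
        ioc_type, indicator, description = m.groups()
        iocs[normalize(ioc_type, indicator)] = {"type": ioc_type, "description": description}
    return iocs


def lookup(observable, iocs):
    """Return the IoC record for an observable (defanged or not, any case), or None."""
    for candidate in (observable, observable.lower()):
        hit = iocs.get(refang(candidate.strip()))
        if hit:
            return hit
    return None


if __name__ == "__main__":
    table = parse_iocs(IOC_ROWS)
    for seen in ("193[.]202[.]84[.]14", "HKDK.EVENTS", "example.com"):
        record = lookup(seen, table)
        print(defang(refang(seen)), "->", record["type"] if record else "no match")
```

Keys are stored refanged so a SIEM value such as an IP from a connection log matches directly; defang() is applied only when the value is written back into a report, which keeps the live indicators out of anything that might auto-link or resolve them.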
