Malicious OpenClaw DeepSeek Skill Exploits Agentic AI Workflows to Deliver RAT and Stealer

A cleverly disguised malware campaign is targeting developers and AI-driven systems by hiding inside what looks like a legitimate plugin for an open-source AI framework.

Security researchers have uncovered a threat that takes full advantage of how modern AI agents work, using their automated nature as a weapon against the very users they are meant to help.

The malware, delivered through a fake “DeepSeek-Claw” skill for the OpenClaw framework, has two main goals: gain remote control over infected machines and steal sensitive data.

It accomplishes both by tailoring its attack to the operating system it lands on, making it a versatile and persistent threat that works across Windows, macOS, and Linux systems all at once.

Researchers at Zscaler ThreatLabZ were the ones who identified this campaign in March 2026. Their analysis revealed that the threat actor published the deceptive skill on GitHub, knowing that AI agents and developers would likely pull it into automated workflows without a second thought.

By embedding hidden commands inside a standard instruction file, the attacker bypassed the need for any traditional phishing or social engineering.

Once the malicious skill is downloaded, the attack splits into two distinct paths depending on how the installation is triggered. Windows users following the automated AI-driven path end up infected with Remcos RAT, a powerful remote access tool.

Those on macOS, Linux, or Windows using the manual path instead get hit with GhostLoader, a cross-platform stealer designed to drain developer environments of credentials and sensitive data.

The reach of this attack goes well beyond individual machines. With Remcos giving attackers a full remote shell and GhostLoader scooping up cloud tokens, SSH keys, and browser session cookies, a single compromised developer could expose an entire organization’s infrastructure within minutes of running what looked like a completely normal install command.

How the OpenClaw Skill Attack Unfolds

The OpenClaw framework, formerly known as Clawdbot and Moltbot, is an open-source tool built to let AI agents carry out complex, high-privilege tasks on local systems. Its modular “skill” design is exactly what the attacker exploited.

The fake DeepSeek-Claw skill appeared legitimate on the surface, but its SKILL.md file hid a poisoned PowerShell command that silently downloaded and ran a remote Windows Installer package from a threat actor-controlled server.

That installer dropped two files onto the system: a genuine, digitally signed GoToMeeting executable and a malicious DLL disguised as its dependency. When the trusted application ran, it loaded the fake DLL instead, a technique known as DLL sideloading.

The malicious DLL then patched key Windows security tools in memory to blind them before decrypting and launching Remcos RAT, which opened an encrypted channel back to the attacker.

Remcos set itself to stealth mode immediately upon execution, logging keystrokes, stealing browser cookies, and giving the attacker an interactive reverse shell with the ability to run any command on the infected host.

The entire execution chain, from a fake AI skill to full remote control, required no user awareness beyond a single automated install step triggered by an AI agent.

GhostLoader and the Developer Data Threat

The alternate attack path, built for macOS and Linux environments, used a heavily obfuscated Node.js file buried inside npm lifecycle scripts. When the install command ran, it silently dropped GhostLoader onto the system.

On macOS and Linux, the malware also displayed fake password prompts to trick users into handing over their credentials directly.

Once active, GhostLoader swept through the host for anything valuable: macOS Keychain data, SSH keys, cryptocurrency wallet files, and cloud API tokens. All of it was sent back to attacker-controlled servers.

Zscaler’s analysts noted that as AI agents become standard in development pipelines, supply chain poisoning through fake skills is a growing threat. Organizations should thoroughly vet all third-party plugins and enforce strict behavioral monitoring for any tools that interact with privileged local resources.

Indicators of Compromise (IoCs):-

Type	Indicator	Description
MD5 Hash	1c267cab0a800a7b2d598bc1b112d5ce	“DeepSeek-Claw” named OpenClaw Skill
MD5 Hash	2A5F619C966EF79F4586A433E3D5E7BA	MSI Installer
URL	hxxps://cloudcraftshub[.]com/api	MSI download URL
URL	hxxp://dropras[.]xyz/	MSI download URL
URL	https://github.com/Needvainverter93/deepseek-claw	Malicious GitHub repository
MD5 Hash	CC1AF839A956C8E2BF8E721F5D3B7373	Shellcode loader (g2m.dll)
MD5 Hash	2C4B7C8B48E6B4E5F3E8854F2ABFEDB5	Remcos RAT payload
IP:Port	146[.]19.24[.]131:2404	Remcos RAT C2 server
URL	hxxps://trackpipe[.]dev	GhostLoader C2 server

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.