Fake OpenClaw Installer Delivers Advanced Credential Theft Capabilities
TL;DR: Netskope Threat Labs has identified a multi-wave cyber campaign utilizing a fake OpenClaw installer that deploys malware designed to infiltrate over 250 cryptocurrency wallet and password manager extensions. The malware, named Hologram, exhibits advanced capabilities to bypass automated security measures and facilitate credential theft.
Main Analysis
Netskope Threat Labs has uncovered a sophisticated threat campaign involving a counterfeit OpenClaw installer that stealthily delivers the Hologram malware. This malicious installer is marked by its attempt to deceive users, as indicated in its manifest stating it functions as a “Decoy entity generator for tactical misdirection.” The malware operates through a dropper mechanism deployed via Azure DevOps, Telegram, and other legitimate platforms that are often whitelisted in corporate environments, complicating detection and response efforts.
The campaign has evolved through at least three documented waves. The second wave introduces Hologram, a previously undocumented Rust-based dropper that features a six-binary modular framework capable of executing multiple post-exploitation techniques. Among its advanced functionalities are COM hijacking, NT syscall thread injection to evade user-mode endpoint detection response (EDR) systems, and the innovative use of the clroxide crate for Reflective PE loading. This combination enables the malware to escape conventional detection and maintain operational resilience through a layered command and control (C2) structure.
As represented in the accompanying diagrams, the Hologram delivery chain initiates from a convincingly crafted domain, openclaw-installer.com, which links to the dropper archive. The significant 130MB size of the payload is notably designed to circumvent security scrutiny through file size limitations. Furthermore, the execution routine incorporates anti-sandboxing mechanisms, such as requiring actual mouse movement to proceed, which effectively thwarts automated analysis.
Defensive Context
This campaign is particularly relevant for organizations dealing with cryptocurrency transactions and user authentication management, as it targets browsers’ extensions directly associated with such tasks. Firms within the financial sector and organizations that employ popular password management solutions should remain vigilant, as they could be prime targets for credential theft stemming from this campaign.
Blocking infrastructure alone is insufficient, as the campaign leverages a dynamic approach to tools and techniques, capable of revamping its C2 layer without recompiling malware. Thus, defenders must be mindful that traditional perimeter defenses which focus on IP blocking may miss the broader behavioral signals indicative of this threat.
Why This Matters
The evolving nature of this campaign showcases an alarming trend in the cyber threat landscape, where attackers methodically adopt cutting-edge techniques and legitimate services to deliver their payloads. With over 250 specific extensions targeted—spanning major crypto wallets and password managers—there is a significant real-world risk of credential compromise for users engaged in digital finance.
Indicators of Compromise (IOCs)
Key indicators of compromise associated with the Hologram wave include:
- Domains: openclaw-installer.com, frr.rubensbruno.adv.br (primary C2), mikolirentryifosttry.info (secondary C2)
- IP Addresses: 45.55.35.48 (C2 beacon), 193.202.84.14 (Pathfinder wave)
- File Hashes:
- OpenClaw_x64.exe: 4014048f8e60d39f724d5b1ae34210ffeac151e1f2d4813dbb51c719d4ad7c3a
- svc_service.exe: 40fc240febf2441d58a7e2554e4590e172bfefd289a5d9fa6781de38e266b378
The resilience and evolving methodologies employed by this threat actor necessitate a proactive approach to monitoring potential indicators of compromise and behavioral anomalies.
