"$TMPDIR (a random location under /var/folders), while all extended attributes are stripped from the file. This is likely in an attempt to circumvent Gatekeeper controls; however, curl will not add the com.apple.quarantine flag, which renders this largely unnecessary. Exe…"
T1204.002 Malicious File (92%)
"log, md, text, json, env, xlsx, xls, ods, docx, png, and doc. Figure 20: AppleScript prompt for administrative credentials. Figure 21: Infostealer script executed once administrative credentials and TCC privileges have been provided. Once the filegrabber method has captured the t…"
T1027.002 Software Packing (85%)
"and their associated indicators are included in the Indicators of Compromise section at the bottom of this blog. However, some notable binaries were named cloudvideo.exe, svc_service.exe, and serverdrive.exe. cloudvideo.exe is a Vidar stealer payload that reaches out to bot…"
T1195.001 Compromise Software Dependencies and Development Tools (80%)
", promoting a different GitHub repository openclaw-trading-assistant, under the organisation molt-bot. This issue was closed shortly after to remove traces of self-promotion, and an identical issue was raised before a member of OpenClaw closed it off as spam. Figures 6: …"
T1204.002 Malicious File (69%)
"openclaw-installer source within the Releases section, the malicious executable can be found named openclaw_x64.exe inside of a 7-Zip archive. This is a bloated binary that had the original name tradeai.exe. A search for similar files on VirusTotal revealed three other sa…"
T1204.002 Malicious File (60%)
"…aw to trick unsuspecting users into installing malware on their machines. On Monday, February 9, Huntress was alerted to a system showing signs of infection after a user downloaded and ran an installer from GitHub posing as an OpenClaw installer for Windows. This came as the to…"
T1055.001 Dynamic-link Library Injection (57%)
"openclaw-installer source within the Releases section, the malicious executable can be found named openclaw_x64.exe inside of a 7-Zip archive. This is a bloated binary that had the original name tradeai.exe. A search for similar files on VirusTotal revealed three other sa…"
T1588.002 Tool (35%)
"the code in the repository. Background: Much like the aliens from Toy Story who worshipped a claw, OpenClaw is taking the world by storm and developing a lot of followers. After originally being released as Clawdbot in November of 2025, promising to be a personal open-source AI …"
T1027.002 Software Packing (30%)
"packer is a new packer that injects malware into memory, adds firewall rules, creates hidden ghost scheduled tasks, and performs potential anti-VM checks for mouse movement before running decrypted payloads. - GhostSocks, a tool previously utilized by the BlackBasta ransomware gro…"
Summary
Huntress warns of fake OpenClaw installers on GitHub deploying malware. Learn how these attacks happen, identify signs of infection, and stay protected.