Malware, AI/ML

Bing-boosted fake OpenClaw installers deliver infostealers, GhostSocks malware

Bogus GitHub-hosted installers for the popular open-source AI assistant OpenClaw, promoted by Bing's AI search results, have distributed multiple information-stealing payloads and the GhostSocks proxy malware, reports The Register.

Execution of the malicious GitHub repository 'openclaw-installer', which has been pushed to the top of Bing AI searches for "OpenClaw Windows," facilitated the deployment of various Rust-based loaders that injected infostealers, including Vidar, and a version of the GhostSocks proxy malware that circumvented anti-fraud checks, according to a Huntress analysis. Attackers behind the illicit repository may have also used a novel "stealth packer."

"A number of debugging messages in this sample also provide clues about the functionality of stealth packer, including invoking malware into memory, adding firewall rules, creating hidden ghost scheduled tasks, and potential AntiVM checks to look for mouse movement prior to running decrypted payloads," said Huntress researchers Jai Minton and Ryan Dowd. Such a development comes amid the growing prevalence of OpenClaw scams.
