
OpenClaw Trap: AI-Assisted Lure Factory Targets Developers & Gamers

ID: 10f8ef29-55f5-5a28-bb85-80fed27143f4

STIX ID: report--10f8ef29-55f5-5a28-bb85-80fed27143f4

Feed Name: Netskope Threat Labs

Threat Score: 78/100

Date Published: 2026-03-24

Date Updated: 2026-04-28

Author: Vini Egerland


Netskope Threat Labs discovered and analyzed a large-scale malware campaign (“TroyDen’s Lure Factory”) that trojanizes GitHub repositories (developer tools, game cheats, phone trackers, etc.) to deliver a Prometheus-obfuscated LuaJIT loader. The payload has two components, a renamed Lua runtime and an encrypted Lua script, and it evades automated sandboxes through multiple anti-analysis checks and an extreme Sleep. It then disables proxy detection, geolocates the host, captures full-desktop screenshots, and posts them to C2 servers in Frankfurt, which return encrypted task/loader blobs. More than 300 delivery packages and multiple C2 nodes were observed, and Netskope provided IOCs for detection and response.
