Malicious ClawHub Skills Use External Websites to Hide in Plain Sight
ID: deb644c2-e80e-5d11-9d7f-6b91cd2cf706
STIX ID: report--deb644c2-e80e-5d11-9d7f-6b91cd2cf706
Feed Name: OpenSourceMalware Blog
Date Published: 2026-02-09
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
## Executive summary OpenSourceMalware identified a campaign where threat actors published ~40 trojanized ClawHub skills that contain benign-looking documentation but instruct users to install a malicious "OpenClawCLI" from external lookalike websites; this evasion technique moves payloads off the registry (bypassing VirusTotal scans) and uses base64-obfuscated install commands pointing to an IP-based C2 (91.92.242.30). The report lists affected skill names, URLs, and C2 indicators, documents takedown activity, and provides user and defender recommendations (hunt for the Vercel endpoint, block the C2 IP, verify official repositories).
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
