How Fake OpenClaw Installers Spread GhostSocks Malware
ID: f532dcd6-5ad8-53e2-8a9f-38fe64767c9c
STIX ID: report--f532dcd6-5ad8-53e2-8a9f-38fe64767c9c
Feed Name: Huntress Blog
Huntress investigated malicious GitHub repositories posing as OpenClaw installers (2–10 Feb 2026) that distributed information stealers (Vidar, PureLogs, AMOS) and a GhostSocks backconnect proxy, employed a novel in-memory packer “Stealth Packer”, and abused Bing AI search suggestions to drive victims to malicious releases; the report details the infection chain, persistence mechanisms, C2 infrastructure, and extensive IOCs for detection and remediation.
