Hologram: The Sophisticated Rust-Based Infostealer Hiding Behind a Fake OpenClaw Installer

Threat actors are significantly raising the bar for credential theft by leveraging highly sophisticated, modular frameworks. A recent campaign has surfaced involving a fake OpenClaw installer used to deploy Hologram—a modular, Rust-based infostealer designed to harvest credentials from over 250 crypto wallets and password manager browser extensions. By masking its activity behind trusted cloud services and messaging platforms, the malware presents a formidable challenge to traditional perimeter defenses.

The infection chain begins at a deceptive domain, openclaw-installer[.]com (registered in March 2026 on Chinese infrastructure), which utilizes Cloudflare to hide its origin. The site directs users to a typosquatted GitHub organization, “openclaw-install/openclaw-installer,” mimicking the legitimate “openclaw/openclaw” project. Users downloading the “software” receive an archive named OpenClaw_x64.7z containing a 130MB Rust-compiled executable, OpenClaw_x64.exe. To bypass antivirus file-size thresholds and sandbox upload limits, the attackers have padded the binary with massive amounts of junk documentation.

Interestingly, the malware’s PE manifest is almost ironically transparent; it identifies itself as version v1.7.16 with the name “Hologram” and the description “Decoy entity generator for tactical misdirection.”

Advanced Evasion and Environmental Profiling

Before executing any malicious logic, the Hologram dropper performs an exhaustive series of anti-analysis checks. According to Netskope Threat Labs, the malware profiles the host environment by inspecting BIOS strings, searching for sandbox-specific DLLs, checking MAC address prefixes, and identifying common “safe” usernames used by researchers. It goes a step further by auditing hardware specifications—CPU cores, RAM, GPU, disk size, and screen resolution—to ensure it is running on a high-value physical machine rather than a virtualized analysis environment.

To defeat automated sandboxes that lack human interaction, the malware employs a “mouse gate” tactic. It remains completely dormant until it detects actual mouse movement, ensuring it only activates when a real user is present.

Once the environment is deemed “safe,” Hologram executes an obfuscated PowerShell payload. This script uses fragmented cmdlet names to evade signature-based detection while performing three critical tasks: disabling Microsoft Defender, opening inbound firewall rules on ports 57001, 57002, and 56001, and retrieving a password from a “dead-drop” URL to download the core payload—a password-protected 7z archive containing six distinct stage-2 binaries.

The ‘Stealth_Packer’ Framework: Modular Maliciousness

The second-stage framework, internally referred to as “stealth_packer,” is a masterclass in modular Rust engineering. To maintain the illusion of legitimacy, the dropper launches a GUI-based installer using the Iced/wgpu graphics framework, complete with standard User Account Control (UAC) prompts.

PE OpenClaw_x64 execution (Source : Netskope).
PE OpenClaw_x64 execution (Source : Netskope).

The framework utilizes several specialized modules to maintain control:

  • virtnetwork.exe & svc_service.exe: These handle HTTPS beaconing. They communicate with a hijacked Brazilian law firm subdomain (frr.rubensbruno.adv.br) and a DigitalOcean-hosted IP.
  • onedrive_sync.exe: This module is responsible for reflectively executing payloads directly in memory using the memexec crate and direct NT syscalls, leaving a minimal footprint on the disk.

A highly sophisticated feature of this campaign is the use of the clroxide Rust crate. This allows the malware to host the .NET Common Language Runtime (CLR) inside a native Rust process. This enables svc_service.exe to load mscoree.dll and execute .NET assemblies purely in-memory—a technique typically reserved for advanced red-team operations rather than standard malware.

Dynamic Targeting and Command & Control (C2)

One of the most agile aspects of Hologram is its target list. Instead of hardcoding targets, the malware downloads a browser extension manifest from an attacker-controlled Azure DevOps organization. This manifest lists 201 crypto wallets (including MetaMask, Phantom, and Coinbase) and 49 password managers (such as Bitwarden and 1Password). Because this list is hosted in a remote Git repository, the attackers can update their “shopping list” in real-time without needing to recompile or re-distribute the malware.

Fake OpenClaw Graphical Installer Page (Source : Netskope).
Fake OpenClaw Graphical Installer Page (Source : Netskope).

The C2 infrastructure is equally complex, utilizing a “chain of trust” to blend in with legitimate traffic:

  1. Primary C2: Hijacked legitimate domains.
  2. Secondary C2: DigitalOcean cloud infrastructure.
  3. Payload Hosting: Azure DevOps.
  4. Dead-drop Configuration: Telegram.
  5. Application-Layer Relay: Hookdeck. In a first-of-its-kind observation, attackers are using Hookdeck to relay Telegram bot communication and C2 check-ins, ensuring that sensitive backend IPs and bot tokens are never exposed directly on the wire.

Summary for Defenders

The evolution of this campaign—from the initial Vidar/PureLogs wave to the current Hologram and Pathfinder iterations—demonstrates a rapid development cycle. Attackers are constantly rotating domains and cloud endpoints, meaning simple IP reputation blocking is insufficient.

Key Takeaways for Enterprise Security:

  • Move Beyond IP Reputation: The use of sanctioned services like Azure DevOps, Telegram, and Hookdeck means malicious traffic looks identical to legitimate business traffic.
  • Behavioral Detection is Critical: Focus on detecting unusual memory execution (reflective loading), unexpected NT syscalls, and anomalous outbound HTTPS beaconing.
  • Governance: Implement strict browser extension governance to prevent the installation of unauthorized or unvetted extensions.
  • Deep Inspection: Deep application-layer inspection is required to identify the subtle patterns of modular Rust-based frameworks.

Related Articles

Back to top button