Weaponizing Agentic AI: How Malicious OpenClaw Skills Deliver Remcos RAT and GhostLoader

In a sophisticated evolution of the software supply chain attack, threat actors are now targeting the “skills” ecosystem of autonomous AI agents. A recent campaign has demonstrated how the OpenClaw framework can be weaponized to deliver both the Remcos RAT and the cross-platform GhostLoader stealer. By masquerading as a productivity integration named “DeepSeek-Claw,” attackers are turning agentic AI workflows into highly privileged malware delivery channels.

Unlike traditional exploits that target software vulnerabilities, this campaign leverages manipulated installation instructions. Because autonomous agents are designed to parse documentation and execute commands to fulfill user requests, they essentially act as an inadvertent execution engine for malicious metadata.

Understanding the OpenClaw Vulnerability Surface

OpenClaw (formerly known as Clawdbot or Moltbot) is an open-source framework designed for autonomous AI agents. These agents are granted high-level system permissions, including the ability to run shell commands, manage local file systems, and automate complex administrative tasks.

The framework’s primary strength—its modular “skill” architecture—is also its greatest security weakness. This architecture allows third-party extensions to run with the full permissions of the agent. In practice, this creates an unguarded software supply chain directly on the host machine. As of early 2026, security researchers have warned that these “skills” are being increasingly repurposed as Trojanized add-ons to facilitate infostealing and remote access.

The “DeepSeek-Claw” Attack Chain

In March 2026, Zscaler ThreatLabz identified a deceptive skill titled “DeepSeek-Claw.” While it purports to integrate OpenClaw with the DeepSeek AI model, the underlying SKILL.md file contains embedded execution paths designed to pivot based on the target environment and installation method.

This polymorphic approach allows the attacker to weaponize both agent-driven workflows (where the AI reads the documentation) and human-driven workflows (where a developer manually follows instructions).

Windows Pathway: DLL Sideloading and Remcos RAT

On Windows systems, the SKILL.md file contains a PowerShell one-liner that utilizes msiexec to silently fetch a remote MSI package. This package employs a classic DLL Search Order Hijacking technique:

The MSI installer deploys a legitimate, digitally signed GoToMeeting executable (G2M.exe) alongside a malicious g2m.dll. When the trusted binary runs, it loads the rogue DLL, granting the attacker code execution under a legitimate process context.

Technical Execution Details:

• Payload Unpacking: The rogue DLL functions as an in-memory shellcode loader. It uses the Tiny Encryption Algorithm (TEA) in CBC mode and XOR operations to decrypt the Remcos RAT payload.
• Defense Evasion: To bypass modern security suites, the loader actively patches Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI). It also employs timing-based sandbox detection and virtualization checks to evade automated analysis.
• Capabilities: Once active, Remcos establishes an encrypted TLS-based Command & Control (C2) channel, providing attackers with keystroke logging, browser cookie theft (via SQLite database access), and a persistent interactive reverse shell.

Cross-Platform Pathway: GhostLoader (GhostClaw)

If the installation follows “manual” paths (such as npm setup or Bash scripts), the skill triggers the GhostLoader (or GhostClaw) attack chain.

• Windows (Node.js): On Windows, the malware is hidden within obfuscated Node.js lifecycle scripts. These are triggered during standard developer tooling setup, making the malicious setup.js appear as a benign dependency.
• macOS and Linux: On Unix-based systems, the attack relies on terminal-based social engineering. It utilizes spoofed sudo password prompts to gain elevated privileges, subsequently exfiltrating SSH keys, macOS Keychain data, cryptocurrency wallets, and cloud provider API tokens.

Mitigation and Defensive Posture

This campaign highlights a critical paradigm shift: the AI agent itself can become the “user” that executes malicious code. To defend against this, organizations must move beyond traditional file-based scanning and adopt behavioral-centric security models.

Recommended Actions:

1. Treat Skills as Untrusted Code: Implement strict provenance checks for any third-party OpenClaw skills. Treat them with the same scrutiny as unvetted npm packages or binaries.
2. Enforce Least Privilege: Segment the hosts running autonomous agents. Limit their ability to invoke shell commands or installers without explicit, human-in-the-loop authorization.
3. Monitor for Evasion Techniques: Deploy EDR solutions capable of detecting ETW/AMSI patching, unusual DLL sideloading patterns, and anomalous npm lifecycle activities.
4. Filesystem Isolation: Restrict the filesystem access of AI agents to specific, non-sensitive directories to prevent the mass exfiltration of SSH keys and configuration files.

Indicators Of Compromise (IOCs)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.