Weaponizing the Cloud: How the OpenClaw-Targeting “Hologram” Campaign Uses Telegram, Azure DevOps, and Hookdeck for C2

Security researchers have identified a sophisticated new malware campaign specifically targeting OpenClaw users through highly deceptive social engineering.

This threat actor utilizes a fraudulent installer to deploy a specialized infostealer designed to exfiltrate sensitive credentials from high-value targets, including cryptocurrency wallets like MetaMask and Phantom, as well as industry-standard password managers such as Bitwarden.

The primary delivery mechanism is a 130MB Rust-based executable. To bypass automated security measures, the attackers have implemented a “padding” technique, filling the archive with junk documentation. This is a calculated move to exceed the file-size limits of many antivirus scanners and push the file beyond the upload thresholds of common automated malware sandboxes.

Interestingly, the PE (Portable Executable) manifest lacks the typical obfuscation used to hide intent. The binary is openly labeled “Hologram”, with a description that reads: “Decoy entity generator for tactical misdirection.”

According to Netskope Threat Labs, the campaign leverages a malicious domain, openclaw-installer[.]com, which masquerades as the legitimate OpenClaw project, prompting users to download a Windows installer named OpenClaw_x64.7z.

Upon execution, the installer provides a polished Graphical User Interface (GUI) and a standard User Account Control (UAC) prompt to build user trust. While the user interacts with the “installation,” the malware silently initiates a multi-layered anti-virtualization (anti-VM) routine. By checking BIOS strings, hardware profiles, and specific VM artifacts—and even requiring physical mouse movement before proceeding—the malware effectively evades detection by automated analysis environments.

Technical Breakdown: The Hologram Framework

Once the environment is deemed “safe” (non-virtualized), Hologram executes an obfuscated PowerShell payload. This script performs several critical defensive evasion tasks: it disables Microsoft Defender, establishes multiple folder exclusion paths, and opens inbound firewall ports to prepare for the stage-2 framework communication.

PE OpenClaw_x64 execution (Source : Netskope).
PE OpenClaw_x64 execution (Source : Netskope).

The malware then reaches out to its attacker-controlled infrastructure to pull a password-protected archive and various functional modules. It drops six distinct binaries into the user’s local folders and performs a “check-in” via a Hookdeck relay to a Telegram channel, reporting the victim’s username, public IP, and the precise timestamp of infection.

The second stage is a modular “Stealth Packer” written in Rust, composed of six components that manage persistence, Command and Control (C2) communications, and in-memory execution. The sophistication of this framework is evident in its specialized modules:

  • System Fingerprinting: A module evaluates the victim’s system to determine if they are a “high-value” target worthy of the full implant.
  • C2 Communication: One module utilizes a hijacked Brazilian law firm’s subdomain to beacon via HTTPS, blending in with legitimate web traffic.
  • In-Memory Execution: Utilizing the clroxide Rust crate, the malware can host the .NET Common Language Runtime (CLR) inside a native Rust process. This allows .NET assemblies to run entirely in memory, a high-level technique typically reserved for red-team tools rather than standard criminal malware.
  • EDR Evasion: A custom “entropy reducer” loader is used to decrypt and reflectively execute PE files via direct NT syscalls. This bypasses user-mode EDR hooks that typically monitor the ntdll.dll library.
Raw PS1 file – obfuscated firewall opened inbound (Source : Netskope).
Raw PS1 file – obfuscated firewall opened inbound (Source : Netskope).

Persistence is aggressively multi-layered. The framework manipulates the Windows Registry via Run keys, hijacks the WinLogon Userinit value to ensure execution during the login process, and creates privileged scheduled tasks. Furthermore, independent Telegram-based droppers act as a fallback, capable of re-infecting the system even if the primary components are purged.

Targeted Extention Logic and C2 Infrastructure

The primary objective of the campaign is revealed through its dynamic extension targeting logic. During stage 2, the malware retrieves a plaintext “manifest” from an attacker-controlled Azure DevOps organization. While disguised as a .7z archive, this manifest actually contains a list of 250 browser extensions targeted for credential theft.

OneDriveSync startup link (Source : Netskope).
OneDriveSync startup link (Source : Netskope).

This manifest includes 201 cryptocurrency wallet extensions (such as Coinbase, OKX, Rabby, and Ronin) and 49 password/2FA management tools (including LastPass, 1Password, and Google Authenticator). By hosting this list on a remote server rather than hardcoding it, the attackers can pivot their targets in real-time without needing to recompile or redistribute the malware.

To maintain a low profile, the operators leverage legitimate cloud services for C2 operations. Telegram is used as a “dead-drop” to host C2 domain information within public channel descriptions, while the Hookdeck relay prevents the Telegram bot token from being exposed in direct network traffic. They also rotate secondary endpoints through services like snippet.host and Pastebin.

Key Takeaway for Defenders: This campaign represents a highly mature threat actor. Because they utilize legitimate services (Telegram, Azure DevOps, Hookdeck) for command and control, traditional IP-based blocking is largely ineffective. Organizations must shift focus toward deep inspection of application-layer traffic to these services to identify anomalous patterns and mitigate the risk of advanced infostealers.

Related Articles

Back to top button