Fake OpenClaw AI Tool Used to Deliver Infostealer via ClickFix Attack Chain

    Date: 04/14/2026

    Severity: High

    Summary

    In this malware campaign, attackers distribute an infostealer by impersonating the legitimate OpenClaw AI tool. It leverages the ClickFix social engineering technique, tricking users into manually executing malicious commands and thereby bypassing browser security protections. The attack chain uses fake installers or instructions that deploy the infostealer payload, enabling theft of sensitive data such as credentials and system information. It highlights how threat actors exploit the growing popularity of AI tools and trusted platforms to increase infection success rates.

    Indicators of Compromise (IOC) List

    Domain:

    app-clawbot.org

    Hash (SHA-256):

    d9f0dd48745d5be7ef74ee9f2cb4640ab310a5a7d2f2f01654e15370ac5853eb

    57e74166a3587220e580824d677640c472b63fa728aa3fb8f8ad1b31eb3ac0d6

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "app-clawbot.org" or url like "app-clawbot.org" or siteurl like "app-clawbot.org"

    Detection Query 2:

    sha256hash IN ("d9f0dd48745d5be7ef74ee9f2cb4640ab310a5a7d2f2f01654e15370ac5853eb","57e74166a3587220e580824d677640c472b63fa728aa3fb8f8ad1b31eb3ac0d6")
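    As an added example (not code from Gurucul or the original advisory), the following Python applies the two detection queries above to constructed sample events. It assumes that `like` behaves as a case-insensitive substring match across the three URL fields and that SHA-256 values are compared after lowercasing; the field names mirror the queries and every event value is invented.

```python
"""Apply the two detection queries from the advisory to constructed sample events."""

# Indicators taken from the advisory's IOC list.
IOC_DOMAIN = "app-clawbot.org"
IOC_SHA256 = {
    "d9f0dd48745d5be7ef74ee9f2cb4640ab310a5a7d2f2f01654e15370ac5853eb",
    "57e74166a3587220e580824d677640c472b63fa728aa3fb8f8ad1b31eb3ac0d6",
}

# Fields searched by Detection Query 1 and Detection Query 2 respectively.
DOMAIN_FIELDS = ("domainname", "url", "siteurl")
HASH_FIELD = "sha256hash"

# Constructed sample events, one dict per normalised log line (all values invented).
SAMPLE_EVENTS = [
    {"id": 1, "domainname": "update.app-clawbot.org",
     "url": "https://update.app-clawbot.org/setup"},
    {"id": 2, "siteurl": "https://docs.example.com/openclaw"},
    {"id": 3, HASH_FIELD: "D9F0DD48745D5BE7EF74EE9F2CB4640AB310A5A7D2F2F01654E15370AC5853EB"},
    {"id": 4, HASH_FIELD: "0" * 64},
    # A lookalike host: substring semantics flag it too, which is the intended breadth of a hunt.
    {"id": 5, "url": "https://app-clawbot.org.attacker.example/"},
]


def domain_hit(event):
    """Query 1, assuming 'like' means a case-insensitive substring match on any of the three fields."""
    return any(IOC_DOMAIN in str(event.get(f, "")).lower() for f in DOMAIN_FIELDS)


def hash_hit(event):
    """Query 2: exact membership in the SHA-256 set, with the logged hash lowercased first."""
    return str(event.get(HASH_FIELD, "")).lower() in IOC_SHA256


def match_events(events):
    """Return (event id, rule name) for every event that triggers either query."""
    hits = []
    for ev in events:
        if domain_hit(ev):
            hits.append((ev["id"], "query1_domain"))
        if hash_hit(ev):
            hits.append((ev["id"], "query2_sha256"))
    return hits


if __name__ == "__main__":
    for event_id, rule in match_events(SAMPLE_EVENTS):
        print(f"event {event_id}: matched {rule}")
```

    Event 5 is matched only because of the substring semantics assumed for `like`; if your platform treats `like` without wildcards as equality, hits on subdomains and lookalike hosts will not appear.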

    Reference:

    https://gurucul.com/blog/fake-openclaw-ai-tool-used-to-deliver-infostealer-via-clickfix-attack-chain/


    Tags

    Malware, Phishing, Infostealer, Social Engineering, ClickFix, Threat Actor, AI
