Threat Actors Distribute GhostSocks and Info-Stealers via Fake OpenClaw Installers

    Date: 03/11/2026

    Severity: High

    Summary

    Threat actors distributed fake OpenClaw installers through malicious GitHub repositories to infect users with information stealers and the GhostSocks proxy malware. The campaign used a custom Stealth Packer to evade detection and targeted users searching for OpenClaw installers on Windows and macOS. Once infected, GhostSocks allowed attackers to route malicious traffic through victims’ systems, helping bypass MFA and anti-fraud protections. The attack gained visibility because the malicious repository appeared as a top recommendation in Bing’s AI search results, increasing the likelihood of user compromise.

    Indicators of Compromise (IOC) List

    URLs/Domains

    socifiapp.com

    serverconect.cc

    https://socifiapp.com/api/reports/upload

    https://telegram.me/dikkh0k

    https://steamcommunity.com/profiles/76561198742377525

    IP Address

    Hash

    Process name

    C:\Users\REDACTED_USER\Downloads\OpenClaw_x64\OpenClaw_x64.exe

    C:\Users\Public\Pictures\ServiceHost\UpdateAgent\cloudvideo.exe

    C:\Users\Public\Music\AudioController\USBHelper\svc_service.exe

    C:\Users\Public\Pictures\SystemComponent\WindowsDriver\WinHealhCare.exe

    C:\Users\Public\Documents\DriverController\ServiceManager\OneSync.exe

    C:\Users\REDACTED_USER\AppData\Local\Microsoft\OneDriveSyncHost.exe

    C:\Users\REDACTED_USER\AppData\Local\Temp\MicrosoftSync.exe

    C:\Users\REDACTED_USER\AppData\Roaming\Adobe\AdobeCloudHelper.exe

    C:\Users\Public\Documents\GraphicsDriver\IntelAdapter\serverdrive.exe

    %AppData%\Microsoft\Windows\Cache\update.exe

    OpenClawBot

    Registry key

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{BackgroundTask}

    Scheduled task

    EdgeUpdateHelper

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "serverconect.cc" or siteurl like "serverconect.cc" or url like "serverconect.cc" or domainname like "https://telegram.me/dikkh0k" or siteurl like "https://telegram.me/dikkh0k" or url like "https://telegram.me/dikkh0k" or domainname like "https://socifiapp.com/api/reports/upload" or siteurl like "https://socifiapp.com/api/reports/upload" or url like "https://socifiapp.com/api/reports/upload" or domainname like "https://steamcommunity.com/profiles/76561198742377525" or siteurl like "https://steamcommunity.com/profiles/76561198742377525" or url like "https://steamcommunity.com/profiles/76561198742377525" or domainname like "socifiapp.com" or siteurl like "socifiapp.com" or url like "socifiapp.com"

    Detection Query 2:

    dstipaddress IN ("193.143.1.160","193.143.1.155","77.239.120.249","144.31.204.136","206.245.157.177","144.31.204.145","147.45.197.92","94.228.161.88","193.23.211.29","144.31.139.203","84.201.4.120","185.196.9.98","77.239.121.3","121.127.33.212","93.185.159.90","64.188.70.194","87.251.87.137","172.245.112.202","144.31.123.157","144.31.139.201","194.28.225.230") or srcipaddress IN ("193.143.1.160","193.143.1.155","77.239.120.249","144.31.204.136","206.245.157.177","144.31.204.145","147.45.197.92","94.228.161.88","193.23.211.29","144.31.139.203","84.201.4.120","185.196.9.98","77.239.121.3","121.127.33.212","93.185.159.90","64.188.70.194","87.251.87.137","172.245.112.202","144.31.123.157","144.31.139.201","194.28.225.230")

    Detection Query 3:

    sha256hash IN ("d5dffba463beae207aee339f88a18cfcd2ea2cd3e36e98d27297d819a1809846","fd67063ffb0bcde44dca5fea09cc0913150161d7cb13cffc2a001a0894f12690","40fc240febf2441d58a7e2554e4590e172bfefd289a5d9fa6781de38e266b378","518ff5fbfa4296abf38dfc342107f70e1491a7460978da6315a75175fb70e2b3","f03e38e1c39ac52179e43107cf7511b9407edf83c008562250f5f340523b4b51","a22ddb3083b62dae7f2c8e1e86548fc71b63b7652b556e50704b5c8908740ed5")

    Detection Query 4:

    resourcesname = "Windows Security" AND eventtype = "4688" AND processname IN ("C:\Users\REDACTED_USER\Downloads\OpenClaw_x64\OpenClaw_x64.exe","C:\Users\Public\Pictures\ServiceHost\UpdateAgent\cloudvideo.exe","C:\Users\Public\Music\AudioController\USBHelper\svc_service.exe","C:\Users\Public\Pictures\SystemComponent\WindowsDriver\WinHealhCare.exe","C:\Users\Public\Documents\DriverController\ServiceManager\OneSync.exe","C:\Users\REDACTED_USER\AppData\Local\Microsoft\OneDriveSyncHost.exe","C:\Users\REDACTED_USER\AppData\Local\Temp\MicrosoftSync.exe","C:\Users\REDACTED_USER\AppData\Roaming\Adobe\AdobeCloudHelper.exe","C:\Users\Public\Documents\GraphicsDriver\IntelAdapter\serverdrive.exe","%AppData%\Microsoft\Windows\Cache\update.exe","OpenClawBot")

    Detection Query 5:

    technologygroup = "EDR" AND processname IN ("C:\Users\REDACTED_USER\Downloads\OpenClaw_x64\OpenClaw_x64.exe","C:\Users\Public\Pictures\ServiceHost\UpdateAgent\cloudvideo.exe","C:\Users\Public\Music\AudioController\USBHelper\svc_service.exe","C:\Users\Public\Pictures\SystemComponent\WindowsDriver\WinHealhCare.exe","C:\Users\Public\Documents\DriverController\ServiceManager\OneSync.exe","C:\Users\REDACTED_USER\AppData\Local\Microsoft\OneDriveSyncHost.exe","C:\Users\REDACTED_USER\AppData\Local\Temp\MicrosoftSync.exe","C:\Users\REDACTED_USER\AppData\Roaming\Adobe\AdobeCloudHelper.exe","C:\Users\Public\Documents\GraphicsDriver\IntelAdapter\serverdrive.exe","%AppData%\Microsoft\Windows\Cache\update.exe","OpenClawBot")

    Detection Query 6:

    resourcesname = "Windows Security" AND eventtype = "4657" AND objectname IN ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{BackgroundTask}")

    Detection Query 7:

    technologygroup = "EDR" AND objectname IN ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{BackgroundTask}")

    Detection Query 8:

    resourcesname = "Windows Security" AND eventtype = "4698" AND taskname IN ("EdgeUpdateHelper")

    Detection Query 9:

    technologygroup = "EDR" AND taskname IN ("EdgeUpdateHelper")
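    The Windows Security queries above (4, 6 and 8) compare literal strings; the following Python is an added example, not the advisory's or Gurucul's own code, that applies the same IOCs to constructed 4688/4657/4698 event records while treating REDACTED_USER and %AppData% as placeholders and normalizing the native \REGISTRY\USER\<SID> path that event 4657 actually logs. Field names (EventID, NewProcessName, ObjectName, ObjectValueName, TaskName) are the Security log's own; 4657 only appears for keys that carry an audit SACL, and the sample events and user name "alice" are constructed.

```python
import re

# IOCs quoted from the advisory above (a subset of its process paths).
PROCESS_IOCS = [
    r"C:\Users\REDACTED_USER\Downloads\OpenClaw_x64\OpenClaw_x64.exe",
    r"C:\Users\Public\Pictures\ServiceHost\UpdateAgent\cloudvideo.exe",
    r"%AppData%\Microsoft\Windows\Cache\update.exe",
]
RUN_KEY_IOC = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{BackgroundTask}"
TASK_IOC = "EdgeUpdateHelper"

def ioc_to_regex(path):
    """REDACTED_USER and %AppData% are placeholders in the advisory, so a literal
    IN (...) comparison never fires on a real host; accept any user name instead."""
    path = path.replace("%AppData%", r"C:\Users\REDACTED_USER\AppData\Roaming")
    parts = [r"[^\\]+" if p == "REDACTED_USER" else re.escape(p)
             for p in path.split("\\")]
    return re.compile("^" + r"\\".join(parts) + "$", re.IGNORECASE)

PROCESS_PATTERNS = [ioc_to_regex(p) for p in PROCESS_IOCS]

def registry_tail(obj):
    """Event 4657 logs the native path \\REGISTRY\\USER\\<SID>\\..., while the
    advisory quotes the HKEY_CURRENT_USER alias; compare the part after the hive."""
    return re.sub(r"^(\\REGISTRY\\USER\\[^\\]+|HKEY_CURRENT_USER)\\", "", obj,
                  flags=re.IGNORECASE).lower()

def classify(event):
    """Category an event (dict of selected Security fields) hits, mirroring queries
    4, 6 and 8: 4688 process creation, 4657 registry value modified, 4698 task created."""
    eid = event.get("EventID")
    if eid == 4688 and any(p.match(event.get("NewProcessName", ""))
                           for p in PROCESS_PATTERNS):
        return "process"
    if eid == 4657:
        full = event.get("ObjectName", "") + "\\" + event.get("ObjectValueName", "")
        if registry_tail(full) == registry_tail(RUN_KEY_IOC):
            return "registry"
    if eid == 4698 and event.get("TaskName", "").strip("\\").lower() == TASK_IOC.lower():
        return "scheduled_task"
    return None

# Constructed sample events, not real telemetry; user "alice" is invented.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Users\alice\Downloads\OpenClaw_x64\OpenClaw_x64.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Cache\update.exe"},
    {"EventID": 4657, "ObjectName": r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run", "ObjectValueName": "{BackgroundTask}"},
    {"EventID": 4698, "TaskName": r"\EdgeUpdateHelper"},
]
HITS = [(i, classify(e)) for i, e in enumerate(SAMPLE_EVENTS) if classify(e)]
```

    A literal comparison against the advisory's REDACTED_USER paths would miss the first two sample events; the placeholder-aware patterns match them while leaving unrelated processes and tasks alone.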

    Reference:

    https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer