Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer
WHITE AlienVault 2026-02-23 Modified: 2026-03-25
50 IOCs (medium volume)
A new campaign exploits OpenClaw skills to distribute the Atomic MacOS Stealer (AMOS). This evolution in supply chain attacks manipulates AI agentic workflows to install malware. The campaign spans multiple repositories with hundreds of malicious skills uploaded to ClawHub and SkillsMP. The infection chain begins with a seemingly harmless SKILL.md file that installs a prerequisite, leading to the download of a Mach-O universal binary. This AMOS variant steals extensive data, including credentials, browser data, cryptocurrency wallets, and various user documents. It lacks system persistence but expands its reach by exfiltrating Apple and KeePass keychains. The malware uses sophisticated encryption schemes and targets multiple browsers and cryptocurrency wallets.
Indicators of Compromise (50)