← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer
WHITE AlienVault 2026-02-23 Modified: 2026-03-25
50
IOCs
MEDIUM VOLUME
A new campaign exploits OpenClaw skills to distribute the Atomic MacOS Stealer (AMOS). This evolution in supply chain attacks manipulates AI agentic workflows to install malware. The campaign spans multiple repositories with hundreds of malicious skills uploaded to ClawHub and SkillsMP. The infection chain begins with a seemingly harmless SKILL.md file that installs a prerequisite, leading to the download of a Mach-O universal binary. This AMOS variant steals extensive data, including credentials, browser data, cryptocurrency wallets, and various user documents. It lacks system persistence but expands its reach by exfiltrating Apple and KeePass keychains. The malware uses sophisticated encryption schemes and targets multiple browsers and cryptocurrency wallets.
amosskillsmpclawhubsupply chain attackstealerai manipulationatomic macos stealer (amos)openclawmacos
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Atomic MacOS Stealer (AMOS)
Indicators of Compromise (16 / 50 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA256 0e52566ccff4830e30ef45d2ad804eefba4ffe42062919398bf1334aab74dd65 2026-02-23
FileHash-SHA256 1e6d4b0538558429422b71d1f4d724c8ce31be92d299df33a8339e32316e2298 2026-02-23
FileHash-SHA256 233a98cb2c5536dabda0944eb2de8d47ad5ce9371a164fe2a8c29d8c55bc240c 2026-02-23
FileHash-SHA256 30f97ae88f8861eeadeb54854d47078724e52e2ef36dd847180663b7f5763168 2026-02-23
FileHash-SHA256 45d8e56bd86960727bcaa4b5c9f7c3422a22723c23ea5b46b6aa9bc42ed1f9f1 2026-02-23
FileHash-SHA256 5968bd7d3a27a6a17ea73be6ee4b00807e83a786fdfa73cc5d8dbf262426c12c 2026-02-23
FileHash-SHA256 5adb10e107d5075abf485f52a387fb419d06ad84d0df38e75769783f16862273 2026-02-23
FileHash-SHA256 5e4696a2cfdc3336b1ecbc17c1642f6bf7d9a34497161659414dae33fe6225d7 2026-02-23
FileHash-SHA256 95fb8f28d08e19090443bda8bd71bbb79f7c451288a2de6f1ca0ad6fee8b4569 2026-02-23
FileHash-SHA256 998c38b430097479b015a68d9435dc5b98684119739572a4dff11e085881187e 2026-02-23
FileHash-SHA256 a0e66f3067e4aaf5b83e45b7845cc43b2fc96032a4398cab7cc9d11f4f962e91 2026-02-23
FileHash-SHA256 ca96fe6259d602a22951d5d3e244e1b752bf0d20086f445bf7015c8798e7b95b 2026-02-23
FileHash-SHA256 d781d5cabaf5f305bbb8afcd9a54d7ba616bfa7aef5c4d16f6bce3d2bf3b4073 2026-02-23
FileHash-SHA256 ec2920e56f2f62c6a2ed1242747980f6f7343c2404b7ae9a6e975b66b1c24b6d 2026-02-23
FileHash-SHA256 f0a54f2b44e557854b0a5001c4e10185884af945814786f78b86539014f78a16 2026-02-23
FileHash-SHA256 f2cb9de40cb8b7e13e7d2b0b3e426f8503781a35d8bba3715395430e9b5eeb38 2026-02-23
References (1)
↗ https://www.trendmicro.com/en_us/research/26/b/openclaw-skills-used-to-distribute-atomic-macos-stealer.html