{
  "type": "URL",
  "indicator": "https://clawdex.koi.security",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://clawdex.koi.security",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4196693473,
      "indicator": "https://clawdex.koi.security",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "69833f1ffa4d16b727a549c2",
          "name": "341 Malicious Clawed Skills Found by the Bot They Were Targeting",
          "description": "A massive malware campaign dubbed ClawHavoc has been uncovered in the ClawHub marketplace, targeting OpenClaw bots and their users. An AI bot named Alex, working with security researcher Oren Yomtov, discovered 341 malicious skills, including 335 from a single campaign. The malware, identified as Atomic Stealer (AMOS), uses sophisticated techniques to evade detection and steal sensitive data. The attack exploits users' trust in AI assistants, potentially compromising personal and financial information. In response, a new tool called Clawdex has been developed to help bots and users scan for malicious skills before installation.",
          "modified": "2026-03-06T12:03:42.273000",
          "created": "2026-02-04T12:44:15.808000",
          "tags": [
            "typosquatting",
            "crypto wallets",
            "amos",
            "malicious skills",
            "atomic stealer (amos)",
            "bot security",
            "supply chain attack",
            "clawhub",
            "openclaw"
          ],
          "references": [
            "https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting"
          ],
          "public": 1,
          "adversary": "ClawHavoc",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Atomic Stealer (AMOS)",
              "display_name": "Atomic Stealer (AMOS)",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1553.001",
              "name": "Gatekeeper Bypass",
              "display_name": "T1553.001 - Gatekeeper Bypass"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "URL": 6,
            "hostname": 2
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386916,
          "modified_text": "88 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "698c507b6fa354503c07514d",
          "name": "EbeeFeb2026 Pt2",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-03-13T09:35:12.591000",
          "created": "2026-02-11T09:48:43.368000",
          "tags": [
            "filehashsha1",
            "filehashsha256",
            "filehashmd5",
            "ipv6240e",
            "cve20261281 cve",
            "yara"
          ],
          "references": [
            "IOCs.3.csv"
          ],
          "public": 1,
          "adversary": "DKnife, Supply chain attack targeting dYdX, RCtea Botnet, ClawHavoc, CrashFix, Prometei",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 122,
            "FileHash-MD5": 181,
            "FileHash-SHA1": 169,
            "FileHash-SHA256": 211,
            "CVE": 9,
            "SSLCertFingerprint": 2,
            "domain": 40,
            "email": 5,
            "hostname": 45
          },
          "indicator_count": 784,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "81 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "698c53f29613e705f0f89e5a",
          "name": "EbeeFeb2026 Pt3",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-03-13T09:35:12.591000",
          "created": "2026-02-11T10:03:30.456000",
          "tags": [
            "filehashmd5",
            "filehashsha1",
            "filehashsha256",
            "ipv4",
            "cve20207699 cve"
          ],
          "references": [],
          "public": 1,
          "adversary": "Campaign involving multi-stage infostealer deployment, Amaranth-Dragon, SystemBC, Notepad++ Compromi",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 158,
            "FileHash-SHA1": 131,
            "FileHash-SHA256": 134,
            "URL": 86,
            "domain": 71,
            "hostname": 30,
            "CIDR": 1,
            "CVE": 7
          },
          "indicator_count": 618,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "81 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "698551261524fd9dc5504d97",
          "name": "Malicious Bot Skills Signal a Shift in Crypto-Focused Attacks",
          "description": "The following is a full list of malware-related incidents, which have been uncovered by researchers at the University of California, Los Angeles and the National Security Agency (NSSA) in the United States.",
          "modified": "2026-03-08T02:01:42.135000",
          "created": "2026-02-06T02:25:42.287000",
          "tags": [
            "iocs file",
            "hashes windows",
            "vmprotect",
            "amos stealer",
            "skills",
            "clawhub",
            "ethereum gas",
            "tracker",
            "insider wallets",
            "finder",
            "grabber",
            "downloader",
            "malware",
            "npm security",
            "package security",
            "open source security",
            "threat intelligence",
            "vulnerability reporting",
            "intelligence",
            "oren",
            "openclaw",
            "amos",
            "alex",
            "vs code",
            "bots",
            "gas tracker",
            "bitcoin",
            "openclaw bot",
            "stealer",
            "telegram",
            "exodus",
            "atomic",
            "desktop",
            "tools",
            "crypto",
            "calendar",
            "macos",
            "compromise",
            "iocs",
            "github users",
            "c2 ip",
            "file hashes",
            "windows",
            "filenames"
          ],
          "references": [
            "https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto",
            "https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting#heading-9"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Alex",
              "display_name": "Alex",
              "target": null
            },
            {
              "id": "OpenClaw",
              "display_name": "OpenClaw",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "AMOS",
              "display_name": "AMOS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            }
          ],
          "industries": [
            "Gas",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 7,
            "URL": 7,
            "domain": 1,
            "hostname": 2
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 60,
          "modified_text": "86 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69844ea4cc64be21a9cedd3d",
          "name": "341 Malicious Clawed Skills Found by the Bot They Were Targeting",
          "description": "",
          "modified": "2026-03-06T12:03:42.273000",
          "created": "2026-02-05T08:02:44.452000",
          "tags": [
            "typosquatting",
            "crypto wallets",
            "amos",
            "malicious skills",
            "atomic stealer (amos)",
            "bot security",
            "supply chain attack",
            "clawhub",
            "openclaw"
          ],
          "references": [
            "https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting"
          ],
          "public": 1,
          "adversary": "ClawHavoc",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Atomic Stealer (AMOS)",
              "display_name": "Atomic Stealer (AMOS)",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1553.001",
              "name": "Gatekeeper Bypass",
              "display_name": "T1553.001 - Gatekeeper Bypass"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69833f1ffa4d16b727a549c2",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "URL": 6,
            "hostname": 2
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "88 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6982b3a072a54715a7b31abc",
          "name": "Hundreds of AI Bot Extensions Abused to Deliver Credential-Stealing Malware",
          "description": "Silent Push, a security firm based in London, has identified a major cybercrime campaign targeting high-value enterprises across the globe, and is offering a free webinar to anyone interested in taking part.",
          "modified": "2026-03-06T02:05:11.613000",
          "created": "2026-02-04T02:49:04.237000",
          "tags": [
            "silent push",
            "a demo",
            "lapsus",
            "slsh",
            "push",
            "sso provider",
            "news source",
            "blog book",
            "supergroup",
            "january",
            "service",
            "hunters",
            "live",
            "applovin",
            "energy",
            "media",
            "hunt",
            "light",
            "simon property",
            "iofa",
            "future attack",
            "tlp amber",
            "threat hunting",
            "difference",
            "use cases",
            "resources blog",
            "enterprise",
            "attack",
            "lazarus",
            "back",
            "defense",
            "clawhub",
            "oren",
            "openclaw",
            "amos",
            "alex",
            "vs code",
            "bots",
            "gas tracker",
            "bitcoin",
            "openclaw bot",
            "stealer",
            "telegram",
            "exodus",
            "atomic",
            "desktop",
            "tools",
            "crypto",
            "calendar",
            "macos",
            "iocs file",
            "hashes windows",
            "vmprotect",
            "amos stealer",
            "skills",
            "ethereum gas",
            "tracker",
            "insider wallets",
            "finder",
            "grabber",
            "downloader"
          ],
          "references": [
            "https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Simon Property",
              "display_name": "Simon Property",
              "target": null
            },
            {
              "id": "SLSH",
              "display_name": "SLSH",
              "target": null
            },
            {
              "id": "Alex",
              "display_name": "Alex",
              "target": null
            },
            {
              "id": "OpenClaw",
              "display_name": "OpenClaw",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "AMOS",
              "display_name": "AMOS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            }
          ],
          "industries": [
            "Energy",
            "Healthcare",
            "Biotech",
            "Biosciences",
            "Medical",
            "Media",
            "Education",
            "Hospitality",
            "Gas",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "URL": 6,
            "domain": 1,
            "hostname": 2
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "88 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IOCs.3.csv",
        "https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto",
        "https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting",
        "https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting#heading-9"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "ClawHavoc"
          ],
          "malware_families": [
            "Atomic stealer (amos)"
          ],
          "industries": [],
          "unique_indicators": 21
        },
        "other": {
          "adversary": [
            "Campaign involving multi-stage infostealer deployment, Amaranth-Dragon, SystemBC, Notepad++ Compromi",
            "DKnife, Supply chain attack targeting dYdX, RCtea Botnet, ClawHavoc, CrashFix, Prometei",
            "ClawHavoc"
          ],
          "malware_families": [
            "Simon property",
            "Alex",
            "Macos",
            "Slsh",
            "Amos",
            "Openclaw",
            "Atomic stealer (amos)"
          ],
          "industries": [
            "Biotech",
            "Education",
            "Gas",
            "Hospitality",
            "Biosciences",
            "Energy",
            "Medical",
            "Healthcare",
            "Media",
            "Crypto"
          ],
          "unique_indicators": 1494
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/koi.security",
    "whois": "http://whois.domaintools.com/koi.security",
    "domain": "koi.security",
    "hostname": "clawdex.koi.security"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "69833f1ffa4d16b727a549c2",
      "name": "341 Malicious Clawed Skills Found by the Bot They Were Targeting",
      "description": "A massive malware campaign dubbed ClawHavoc has been uncovered in the ClawHub marketplace, targeting OpenClaw bots and their users. An AI bot named Alex, working with security researcher Oren Yomtov, discovered 341 malicious skills, including 335 from a single campaign. The malware, identified as Atomic Stealer (AMOS), uses sophisticated techniques to evade detection and steal sensitive data. The attack exploits users' trust in AI assistants, potentially compromising personal and financial information. In response, a new tool called Clawdex has been developed to help bots and users scan for malicious skills before installation.",
      "modified": "2026-03-06T12:03:42.273000",
      "created": "2026-02-04T12:44:15.808000",
      "tags": [
        "typosquatting",
        "crypto wallets",
        "amos",
        "malicious skills",
        "atomic stealer (amos)",
        "bot security",
        "supply chain attack",
        "clawhub",
        "openclaw"
      ],
      "references": [
        "https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting"
      ],
      "public": 1,
      "adversary": "ClawHavoc",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Atomic Stealer (AMOS)",
          "display_name": "Atomic Stealer (AMOS)",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1553.001",
          "name": "Gatekeeper Bypass",
          "display_name": "T1553.001 - Gatekeeper Bypass"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 33,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "URL": 6,
        "hostname": 2
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386916,
      "modified_text": "88 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "698c507b6fa354503c07514d",
      "name": "EbeeFeb2026 Pt2",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-03-13T09:35:12.591000",
      "created": "2026-02-11T09:48:43.368000",
      "tags": [
        "filehashsha1",
        "filehashsha256",
        "filehashmd5",
        "ipv6240e",
        "cve20261281 cve",
        "yara"
      ],
      "references": [
        "IOCs.3.csv"
      ],
      "public": 1,
      "adversary": "DKnife, Supply chain attack targeting dYdX, RCtea Botnet, ClawHavoc, CrashFix, Prometei",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 122,
        "FileHash-MD5": 181,
        "FileHash-SHA1": 169,
        "FileHash-SHA256": 211,
        "CVE": 9,
        "SSLCertFingerprint": 2,
        "domain": 40,
        "email": 5,
        "hostname": 45
      },
      "indicator_count": 784,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "81 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "698c53f29613e705f0f89e5a",
      "name": "EbeeFeb2026 Pt3",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-03-13T09:35:12.591000",
      "created": "2026-02-11T10:03:30.456000",
      "tags": [
        "filehashmd5",
        "filehashsha1",
        "filehashsha256",
        "ipv4",
        "cve20207699 cve"
      ],
      "references": [],
      "public": 1,
      "adversary": "Campaign involving multi-stage infostealer deployment, Amaranth-Dragon, SystemBC, Notepad++ Compromi",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 158,
        "FileHash-SHA1": 131,
        "FileHash-SHA256": 134,
        "URL": 86,
        "domain": 71,
        "hostname": 30,
        "CIDR": 1,
        "CVE": 7
      },
      "indicator_count": 618,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "81 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "698551261524fd9dc5504d97",
      "name": "Malicious Bot Skills Signal a Shift in Crypto-Focused Attacks",
      "description": "The following is a full list of malware-related incidents, which have been uncovered by researchers at the University of California, Los Angeles and the National Security Agency (NSSA) in the United States.",
      "modified": "2026-03-08T02:01:42.135000",
      "created": "2026-02-06T02:25:42.287000",
      "tags": [
        "iocs file",
        "hashes windows",
        "vmprotect",
        "amos stealer",
        "skills",
        "clawhub",
        "ethereum gas",
        "tracker",
        "insider wallets",
        "finder",
        "grabber",
        "downloader",
        "malware",
        "npm security",
        "package security",
        "open source security",
        "threat intelligence",
        "vulnerability reporting",
        "intelligence",
        "oren",
        "openclaw",
        "amos",
        "alex",
        "vs code",
        "bots",
        "gas tracker",
        "bitcoin",
        "openclaw bot",
        "stealer",
        "telegram",
        "exodus",
        "atomic",
        "desktop",
        "tools",
        "crypto",
        "calendar",
        "macos",
        "compromise",
        "iocs",
        "github users",
        "c2 ip",
        "file hashes",
        "windows",
        "filenames"
      ],
      "references": [
        "https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto",
        "https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting#heading-9"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Alex",
          "display_name": "Alex",
          "target": null
        },
        {
          "id": "OpenClaw",
          "display_name": "OpenClaw",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "AMOS",
          "display_name": "AMOS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        }
      ],
      "industries": [
        "Gas",
        "Crypto"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 7,
        "URL": 7,
        "domain": 1,
        "hostname": 2
      },
      "indicator_count": 27,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 60,
      "modified_text": "86 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69844ea4cc64be21a9cedd3d",
      "name": "341 Malicious Clawed Skills Found by the Bot They Were Targeting",
      "description": "",
      "modified": "2026-03-06T12:03:42.273000",
      "created": "2026-02-05T08:02:44.452000",
      "tags": [
        "typosquatting",
        "crypto wallets",
        "amos",
        "malicious skills",
        "atomic stealer (amos)",
        "bot security",
        "supply chain attack",
        "clawhub",
        "openclaw"
      ],
      "references": [
        "https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting"
      ],
      "public": 1,
      "adversary": "ClawHavoc",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Atomic Stealer (AMOS)",
          "display_name": "Atomic Stealer (AMOS)",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1553.001",
          "name": "Gatekeeper Bypass",
          "display_name": "T1553.001 - Gatekeeper Bypass"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69833f1ffa4d16b727a549c2",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "URL": 6,
        "hostname": 2
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "88 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6982b3a072a54715a7b31abc",
      "name": "Hundreds of AI Bot Extensions Abused to Deliver Credential-Stealing Malware",
      "description": "Silent Push, a security firm based in London, has identified a major cybercrime campaign targeting high-value enterprises across the globe, and is offering a free webinar to anyone interested in taking part.",
      "modified": "2026-03-06T02:05:11.613000",
      "created": "2026-02-04T02:49:04.237000",
      "tags": [
        "silent push",
        "a demo",
        "lapsus",
        "slsh",
        "push",
        "sso provider",
        "news source",
        "blog book",
        "supergroup",
        "january",
        "service",
        "hunters",
        "live",
        "applovin",
        "energy",
        "media",
        "hunt",
        "light",
        "simon property",
        "iofa",
        "future attack",
        "tlp amber",
        "threat hunting",
        "difference",
        "use cases",
        "resources blog",
        "enterprise",
        "attack",
        "lazarus",
        "back",
        "defense",
        "clawhub",
        "oren",
        "openclaw",
        "amos",
        "alex",
        "vs code",
        "bots",
        "gas tracker",
        "bitcoin",
        "openclaw bot",
        "stealer",
        "telegram",
        "exodus",
        "atomic",
        "desktop",
        "tools",
        "crypto",
        "calendar",
        "macos",
        "iocs file",
        "hashes windows",
        "vmprotect",
        "amos stealer",
        "skills",
        "ethereum gas",
        "tracker",
        "insider wallets",
        "finder",
        "grabber",
        "downloader"
      ],
      "references": [
        "https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Simon Property",
          "display_name": "Simon Property",
          "target": null
        },
        {
          "id": "SLSH",
          "display_name": "SLSH",
          "target": null
        },
        {
          "id": "Alex",
          "display_name": "Alex",
          "target": null
        },
        {
          "id": "OpenClaw",
          "display_name": "OpenClaw",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "AMOS",
          "display_name": "AMOS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        }
      ],
      "industries": [
        "Energy",
        "Healthcare",
        "Biotech",
        "Biosciences",
        "Medical",
        "Media",
        "Education",
        "Hospitality",
        "Gas",
        "Crypto"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "URL": 6,
        "domain": 1,
        "hostname": 2
      },
      "indicator_count": 18,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "88 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://clawdex.koi.security",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://clawdex.koi.security",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780416134.7382329
}