{ "type": "Domain", "indicator": "trackpipe.dev", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/trackpipe.dev", "alexa": "http://www.alexa.com/siteinfo/trackpipe.dev", "indicator": "trackpipe.dev", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4257439419, "indicator": "trackpipe.dev", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "69fa3aacdd4e111bac9bad11", "name": "Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader", "description": "In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive \"DeepSeek-Claw\" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.", "modified": "2026-05-06T09:50:34.218000", "created": "2026-05-05T18:45:00.523000", "tags": [ "remcos", "ghostloader", "deepseek-claw", "openclaw" ], "references": [ "https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "GhostLoader", "display_name": "GhostLoader", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 3, "domain": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 386458, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c10792a24c3b8eec93ad9c", "name": "GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer", "description": "The GhostClaw malware campaign has expanded its distribution methods beyond npm packages to include GitHub repositories and AI-assisted development workflows. The attackers impersonate legitimate tools and utilize multi-stage payloads to steal credentials and retrieve additional malicious code. The infection chain involves executing shell commands, presenting fake authentication prompts, and establishing persistence. The campaign leverages both manual installation through README instructions and automated AI-assisted workflows. Multiple GitHub repositories have been identified, all communicating with a common command-and-control infrastructure. This shift in tactics allows the attackers to target a broader range of victims, including developers and users of AI-assisted coding tools.", "modified": "2026-03-23T09:31:05.731000", "created": "2026-03-23T09:27:46.476000", "tags": [ "ghostclaw", "supply-chain-attack", "credential-theft", "ghostloader", "github", "macos" ], "references": [ "https://www.jamf.com/blog/ghostclaw-ghostloader-malware-github-repositories-ai-workflows/" ], "public": 1, "adversary": "GhostClaw", "targeted_countries": [], "malware_families": [ { "id": "GhostClaw", "display_name": "GhostClaw", "target": null }, { "id": "GhostLoader", "display_name": "GhostLoader", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 16, "domain": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386456, "modified_text": "68 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552173, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "19 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd2e30c5d49dc249ab2587", "name": "IBCARD_07_05_2026", "description": "The following is the full list of people who have made an impact on the internet, and what they want to know about it: the people of the world, or, more specifically, their own.", "modified": "2026-05-08T00:28:32.766000", "created": "2026-05-08T00:28:32.766000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cherryid", "id": "383941", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 27, "FileHash-SHA256": 27, "IPv4": 356, "URL": 6, "domain": 8 }, "indicator_count": 452, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc18195fe7d237ecac39b2", "name": "Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader", "description": "", "modified": "2026-05-07T04:42:01.542000", "created": "2026-05-07T04:42:01.542000", "tags": [ "remcos", "ghostloader", "deepseek-claw", "openclaw" ], "references": [ "https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "GhostLoader", "display_name": "GhostLoader", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [], "TLP": "white", "cloned_from": "69fa3aacdd4e111bac9bad11", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 3, "domain": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fbec7a6f89f2d65fe90793", "name": "IOC - Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader", "description": "OpenClaw, previously known as Clawdbot, Moltbot, and Molty, is an open-source framework designed for autonomous AI agents that execute complex tasks requiring high-privilege local system access. While intended for automation, its modular \"skill\" architecture has been weaponized as a significant attack vector.", "modified": "2026-05-07T01:35:54.680000", "created": "2026-05-07T01:35:54.680000", "tags": [ "msi download", "deepseekclaw", "openclaw skill", "msi installer", "url http", "url https", "remcos rat", "remcos c2", "ghostloader c2", "remcos" ], "references": [ "https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader#indicators-of-compromise--iocs-" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "IPv4": 1, "URL": 4, "domain": 3 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fbcf7b1b584446099e594e", "name": "Malicious OpenClaw Skill Deploys Remcos RAT and GhostLoader via AI Workflows", "description": "", "modified": "2026-05-06T23:32:11.844000", "created": "2026-05-06T23:32:11.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cherryid", "id": "383941", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "IPv4": 1, "URL": 3, "domain": 3 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fbad82234fc33123b0ce6d", "name": "EbeeMay2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-06T21:07:14.769000", "created": "2026-05-06T21:07:14.769000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "localappdata", "cve20250994 cve", "temp", "mutex", "local" ], "references": [ "IOCs-May1.csv" ], "public": 1, "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 80, "CIDR": 3, "CVE": 10, "FileHash-MD5": 154, "FileHash-SHA1": 140, "FileHash-SHA256": 219, "URL": 80, "domain": 82, "email": 8, "hostname": 60 }, "indicator_count": 836, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd44f15d660f597a2596b4", "name": "EbeeMar2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:16:49.921000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "CIDR": 1, "CVE": 9, "FileHash-MD5": 178, "FileHash-SHA1": 146, "FileHash-SHA256": 274, "domain": 106, "email": 2, "hostname": 103 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c1bf4a476f34783a7c6937", "name": "GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer", "description": "", "modified": "2026-03-23T22:31:38.802000", "created": "2026-03-23T22:31:38.802000", "tags": [ "ghostclaw", "supply-chain-attack", "credential-theft", "ghostloader", "github", "macos" ], "references": [ "https://www.jamf.com/blog/ghostclaw-ghostloader-malware-github-repositories-ai-workflows/" ], "public": 1, "adversary": "GhostClaw", "targeted_countries": [], "malware_families": [ { "id": "GhostClaw", "display_name": "GhostClaw", "target": null }, { "id": "GhostLoader", "display_name": "GhostLoader", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69c10792a24c3b8eec93ad9c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 16, "domain": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "67 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c195f5fae189d57fa8518c", "name": "GhostClaw Expands Beyond npm: GitHub Repositories and AI Workflows Deliver macOS Infostealer", "description": "Early in March, JFrog Security Research documented a malware campaign titled GhostClaw/GhostLoader. Since the original documentation of this campaign, Jamf Threat Labs examined multiple GitHub repositories associated with this same activity, including at least eight newly identified samples. While analyzing these repositories, we uncovered additional infrastructure and previously undocumented infection vectors, demonstrating that this campaign extends beyond the npm-based delivery mechanisms described in earlier research.", "modified": "2026-03-23T19:41:55.871000", "created": "2026-03-23T19:35:17.935000", "tags": [ "ghostclaw", "supply-chain-attack", "credential-theft", "ghostloader", "github", "macos" ], "references": [ "https://www.jamf.com/blog/ghostclaw-ghostloader-malware-github-repositories-ai-workflows/" ], "public": 1, "adversary": "GhostClaw", "targeted_countries": [], "malware_families": [ { "id": "GhostClaw", "display_name": "GhostClaw", "target": null }, { "id": "GhostLoader", "display_name": "GhostLoader", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "69c10792a24c3b8eec93ad9c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 16, "domain": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c13edab8adbadaa5a171e6", "name": "GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer", "description": "", "modified": "2026-03-23T13:23:49.546000", "created": "2026-03-23T13:23:38.075000", "tags": [ "ghostclaw", "supply-chain-attack", "credential-theft", "ghostloader", "github", "macos" ], "references": [ "https://www.jamf.com/blog/ghostclaw-ghostloader-malware-github-repositories-ai-workflows/" ], "public": 1, "adversary": "GhostClaw", "targeted_countries": [], "malware_families": [ { "id": "GhostClaw", "display_name": "GhostClaw", "target": null }, { "id": "GhostLoader", "display_name": "GhostLoader", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69c10792a24c3b8eec93ad9c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ThreatIntelligence_feed", "id": "376862", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 16, "domain": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 14, "modified_text": "68 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b025bddbc12f855b7f195b", "name": "GhostClaw Malware Impersonates OpenClaw CLI on NPM", "description": "", "modified": "2026-03-10T14:07:57.891000", "created": "2026-03-10T14:07:57.891000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "URL": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "81 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader", "https://www.jamf.com/blog/ghostclaw-ghostloader-malware-github-repositories-ai-workflows/", "https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader#indicators-of-compromise--iocs-", "IOCs.csv", "IOCs.2026.pdf", "IOCs-May1.csv" ], "related": { "alienvault": { "adversary": [ "GhostClaw" ], "malware_families": [ "Ghostclaw", "Remcos", "Ghostloader" ], "industries": [] }, "other": { "adversary": [ "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "GhostClaw", "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT" ], "malware_families": [ "Ghostclaw", "Remcos", "Ghostloader" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "69fa3aacdd4e111bac9bad11", "name": "Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader", "description": "In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive \"DeepSeek-Claw\" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.", "modified": "2026-05-06T09:50:34.218000", "created": "2026-05-05T18:45:00.523000", "tags": [ "remcos", "ghostloader", "deepseek-claw", "openclaw" ], "references": [ "https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "GhostLoader", "display_name": "GhostLoader", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 3, "domain": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 386458, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c10792a24c3b8eec93ad9c", "name": "GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer", "description": "The GhostClaw malware campaign has expanded its distribution methods beyond npm packages to include GitHub repositories and AI-assisted development workflows. The attackers impersonate legitimate tools and utilize multi-stage payloads to steal credentials and retrieve additional malicious code. The infection chain involves executing shell commands, presenting fake authentication prompts, and establishing persistence. The campaign leverages both manual installation through README instructions and automated AI-assisted workflows. Multiple GitHub repositories have been identified, all communicating with a common command-and-control infrastructure. This shift in tactics allows the attackers to target a broader range of victims, including developers and users of AI-assisted coding tools.", "modified": "2026-03-23T09:31:05.731000", "created": "2026-03-23T09:27:46.476000", "tags": [ "ghostclaw", "supply-chain-attack", "credential-theft", "ghostloader", "github", "macos" ], "references": [ "https://www.jamf.com/blog/ghostclaw-ghostloader-malware-github-repositories-ai-workflows/" ], "public": 1, "adversary": "GhostClaw", "targeted_countries": [], "malware_families": [ { "id": "GhostClaw", "display_name": "GhostClaw", "target": null }, { "id": "GhostLoader", "display_name": "GhostLoader", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 16, "domain": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386456, "modified_text": "68 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552173, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "19 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd2e30c5d49dc249ab2587", "name": "IBCARD_07_05_2026", "description": "The following is the full list of people who have made an impact on the internet, and what they want to know about it: the people of the world, or, more specifically, their own.", "modified": "2026-05-08T00:28:32.766000", "created": "2026-05-08T00:28:32.766000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cherryid", "id": "383941", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 27, "FileHash-SHA256": 27, "IPv4": 356, "URL": 6, "domain": 8 }, "indicator_count": 452, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc18195fe7d237ecac39b2", "name": "Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader", "description": "", "modified": "2026-05-07T04:42:01.542000", "created": "2026-05-07T04:42:01.542000", "tags": [ "remcos", "ghostloader", "deepseek-claw", "openclaw" ], "references": [ "https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "GhostLoader", "display_name": "GhostLoader", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555.001", "name": "Keychain", "display_name": "T1555.001 - Keychain" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [], "TLP": "white", "cloned_from": "69fa3aacdd4e111bac9bad11", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 3, "domain": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fbec7a6f89f2d65fe90793", "name": "IOC - Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader", "description": "OpenClaw, previously known as Clawdbot, Moltbot, and Molty, is an open-source framework designed for autonomous AI agents that execute complex tasks requiring high-privilege local system access. While intended for automation, its modular \"skill\" architecture has been weaponized as a significant attack vector.", "modified": "2026-05-07T01:35:54.680000", "created": "2026-05-07T01:35:54.680000", "tags": [ "msi download", "deepseekclaw", "openclaw skill", "msi installer", "url http", "url https", "remcos rat", "remcos c2", "ghostloader c2", "remcos" ], "references": [ "https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader#indicators-of-compromise--iocs-" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "IPv4": 1, "URL": 4, "domain": 3 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fbcf7b1b584446099e594e", "name": "Malicious OpenClaw Skill Deploys Remcos RAT and GhostLoader via AI Workflows", "description": "", "modified": "2026-05-06T23:32:11.844000", "created": "2026-05-06T23:32:11.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cherryid", "id": "383941", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "IPv4": 1, "URL": 3, "domain": 3 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fbad82234fc33123b0ce6d", "name": "EbeeMay2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-06T21:07:14.769000", "created": "2026-05-06T21:07:14.769000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "localappdata", "cve20250994 cve", "temp", "mutex", "local" ], "references": [ "IOCs-May1.csv" ], "public": 1, "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 80, "CIDR": 3, "CVE": 10, "FileHash-MD5": 154, "FileHash-SHA1": 140, "FileHash-SHA256": 219, "URL": 80, "domain": 82, "email": 8, "hostname": 60 }, "indicator_count": 836, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd44f15d660f597a2596b4", "name": "EbeeMar2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:16:49.921000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "CIDR": 1, "CVE": 9, "FileHash-MD5": 178, "FileHash-SHA1": 146, "FileHash-SHA256": 274, "domain": 106, "email": 2, "hostname": 103 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "trackpipe.dev", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "trackpipe.dev", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780180215.1133351 }