
Fake OpenClaw Installer Targets Crypto Wallets and Password Managers
Why It Matters
The operation demonstrates how threat actors can blend native Rust binaries with .NET code and legitimate cloud services to steal high‑value credentials, challenging traditional perimeter defenses and forcing enterprises to adopt deeper, behavior‑based detection.
Key Takeaways
- Hologram deploys a 130 MB Rust dropper disguised as OpenClaw
- Dropper performs anti‑VM, sandbox, and mouse‑gate checks
- PowerShell stage disables Defender, opens ports 57001‑57002
- Stealth_packer loads .NET CLR via clroxide for in‑memory execution
- C2 traffic routed through hijacked law‑firm domain, Azure DevOps, Telegram
Pulse Analysis
The latest fake OpenClaw campaign illustrates a sophisticated shift in credential‑theft tactics. By packaging a 130 MB Rust executable as a legitimate installer, attackers lure users into running Hologram, which immediately probes the environment for virtual machines, sandbox artifacts, and even requires real mouse movement before proceeding. This “mouse gate” defeats many automated analysis tools, allowing the malware to reach the PowerShell stage that silently disables Microsoft Defender and opens inbound ports 57001, 57002, and 56001 for later communications. The initial dropper then hands off to a six‑module Rust framework, dubbed stealth_packer, that leverages the clroxide crate to embed a .NET CLR inside the native process, enabling reflective, in‑memory execution of additional payloads without touching disk.
Technical depth sets this campaign apart. Modules such as virtnetwork.exe and svc_service.exe manage HTTPS beaconing to a hijacked Brazilian law‑firm subdomain, while on‑demand assets are fetched from an Azure DevOps repository that lists over 200 crypto‑wallet extensions and dozens of password managers. By storing the target list in a Git repo rather than hard‑coding it, operators can update their scope instantly. The use of Hookdeck as an application‑layer relay for Telegram‑based C2 represents the first public documentation of that service being abused, further obscuring traffic within legitimate cloud and messaging platforms. Persistence is reinforced through Run keys, WinLogon hijacking, scheduled tasks, and COM hijacking, making remediation arduous.
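The host-side artifacts described in the two paragraphs above are the ones a SOC can hunt for directly. The following is an added example, not code from the report or from any of the tools it names: it triages a list of Windows event records for the PowerShell commands that disable Defender and open inbound 57001/57002/56001, the Defender "real-time protection disabled" event, scheduled-task creation, and Run-key, Winlogon and COM-hijack registry writes. Event IDs and field names follow PowerShell ScriptBlock logging (4104, ScriptBlockText), the Defender operational log (5001), the Security log (4698, TaskName) and Sysmon RegistryEvent (13, TargetObject/Details/Image); the sample events, paths, SID and CLSID are constructed placeholders, and only the module names virtnetwork and svc_service come from the report.

```python
"""Triage Windows event records for the Hologram host indicators.
Added example; event shapes are constructed to mimic PowerShell
ScriptBlock logging (4104), Defender operational log (5001), Security
log (4698) and Sysmon RegistryEvent (13)."""
import re

# Inbound ports the report says the PowerShell stage opens.
SUSPECT_PORTS = {57001, 57002, 56001}

# Persistence locations the report lists, as patterns over Sysmon TargetObject paths.
REGISTRY_RULES = [
    ("run_key", re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)),
    ("winlogon_hijack", re.compile(
        r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit|Notify)$", re.I)),
    # A CLSID server written into a *user* hive shadows the HKLM entry: classic COM hijack.
    ("com_hijack", re.compile(
        r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\(InprocServer32|LocalServer32)", re.I)),
]

FIREWALL_CMD = re.compile(r"New-NetFirewallRule|netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I)
DEFENDER_OFF = re.compile(r"Set-MpPreference\b.*-Disable\w*Monitoring", re.I)


def _ports_in(text):
    """Port-sized integers in a command line that fall in the suspect set."""
    return {int(p) for p in re.findall(r"\d{4,5}", text)} & SUSPECT_PORTS


def triage(event):
    """Return (label, detail) when an event matches a report indicator, else None."""
    eid = event.get("EventID")
    if eid == 4104:  # PowerShell script block text
        text = event.get("ScriptBlockText", "")
        if DEFENDER_OFF.search(text):
            return ("defender_disabled_cmd", text.strip())
        if FIREWALL_CMD.search(text):
            hit = _ports_in(text)
            if hit:
                return ("inbound_port_opened", f"ports {sorted(hit)}")
    elif eid == 5001:  # Defender: real-time protection disabled
        return ("defender_disabled", "Microsoft-Windows-Windows Defender 5001")
    elif eid == 4698:  # Security: scheduled task created
        return ("scheduled_task", event.get("TaskName", "?"))
    elif eid == 13:  # Sysmon RegistryEvent (value set)
        target = event.get("TargetObject", "")
        for label, pat in REGISTRY_RULES:
            if pat.search(target):
                return (label, f"{event.get('Image', '?')} -> {target} = {event.get('Details', '')}")
    return None


def hunt(events):
    """Triage every event; findings come back in input order."""
    return [f for f in (triage(e) for e in events) if f]


# Constructed sample events (not real telemetry). Paths, SID and CLSID are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 4104, "ScriptBlockText":
        'New-NetFirewallRule -DisplayName "svc" -Direction Inbound -Protocol TCP -LocalPort 57001,57002 -Action Allow'},
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},  # benign admin activity
    {"EventID": 5001},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Updater\\svc_service"},
    {"EventID": 13, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc_service.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\virtnetwork",
     "Details": "C:\\Users\\u\\AppData\\Local\\Temp\\virtnetwork.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "explorer.exe,C:\\Users\\u\\AppData\\Local\\Temp\\svc_service.exe"},
    {"EventID": 13, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc_service.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\{01234567-89AB-CDEF-0123-456789ABCDEF}\\InprocServer32",
     "Details": "C:\\Users\\u\\AppData\\Local\\Temp\\virtnetwork.dll"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",  # benign user setting
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for label, detail in hunt(SAMPLE_EVENTS):
        print(f"{label:22} {detail}")
```

Run against the sample, the two benign records produce nothing and the remaining seven each map to one of the report's indicators. The COM rule deliberately matches only user hives (HKU), because that is where a hijack shadows a legitimate HKLM registration; a generic "any CLSID write" rule would drown in installer noise.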
For defenders, the campaign underscores the limits of traditional signature‑based and IP‑reputation defenses. The blend of Rust, .NET, and legitimate cloud services creates a low‑profile attack surface that can slip past perimeter filters. Organizations should implement granular browser‑extension governance, enforce strict application‑allow lists, and deploy behavioral analytics capable of detecting anomalous beaconing intervals and unexpected privilege‑escalation patterns. Continuous monitoring of domain reputation, especially for newly registered or hijacked sites, combined with deep packet inspection of TLS traffic to cloud providers, will be essential to disrupt the rotating infrastructure that powers Hologram’s credential‑harvesting operations.
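The "anomalous beaconing intervals" analytic recommended above is easy to prototype. The block below is an added example, not code from the report: it groups proxy log lines by (source, destination), computes the inter-request gaps, and flags pairs whose gaps are both frequent and regular (low coefficient of variation), which survives the small random jitter that HTTPS beaconers such as the virtnetwork/svc_service modules typically add. The log format, hosts and the `.invalid` destination names are constructed; a real proxy log would need its own `LOG_RE`.

```python
"""Flag (src, dst) pairs that contact a destination at a near-constant interval.
Added example; log lines below are constructed in a simplified 'ts src -> dst bytes' format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) -> (\S+) (\d+)$")


def beacon_scores(lines, min_hits=6, max_cv=0.25):
    """Return {(src, dst): (hits, median_gap_s, cv)} for pairs that look like beacons.

    cv is the population standard deviation of the gaps divided by their mean:
    a machine timer gives cv near 0, human browsing gives cv well above 1.
    """
    by_pair = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        by_pair[(m.group(2), m.group(3))].append(ts)

    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue  # all requests in the same second: a burst, not a beacon
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            findings[pair] = (len(stamps), median(gaps), round(cv, 3))
    return findings


def _lines(src, dst, start, gaps):
    """Build constructed log lines: one request at start, then one after each gap."""
    t, out = start, []
    for g in [0] + gaps:
        t += timedelta(seconds=g)
        out.append(f"{t:%Y-%m-%d %H:%M:%S} {src} -> {dst} 512")
    return out


_T0 = datetime(2024, 1, 1, 8, 0, 0)  # constructed start time
SAMPLE_LOG = (
    # beacon: 5-minute timer with a few seconds of jitter (placeholder law-firm lookalike domain)
    _lines("10.0.0.5", "files.example-lawfirm.invalid", _T0, [300, 291, 309, 297, 303, 300, 296, 304])
    # benign: bursty human browsing to a CDN
    + _lines("10.0.0.7", "cdn.example.invalid", _T0, [4, 5, 121, 1, 369, 1500, 5, 2])
    # too few hits to judge
    + _lines("10.0.0.9", "updates.example.invalid", _T0, [600, 600])
)

if __name__ == "__main__":
    for (src, dst), (hits, med, cv) in beacon_scores(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {hits} hits, median gap {med:.0f}s, cv {cv}")
```

Tune `min_hits` and `max_cv` to the log window; legitimate software updaters also beacon regularly, so the score is a triage signal to pair with destination reputation (the report's hijacked but otherwise legitimate-looking subdomain is exactly the case where interval regularity, not the domain name, gives the host away).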