Exposure of TLS Private Key for Myclaw 360 in Qihoo 360 “Security Claw” AI Platform

Keypoints

• Cryptographic validation shows the provided private key matches the public key in the X.509 wildcard certificate for *.myclaw[.]360[.]cn, proving the leak was of an operational key pair.
• The certificate is a wildcard TLS server certificate (CN and SAN include *.myclaw[.]360[.]cn and myclaw[.]360[.]cn) issued by WoTrus RSA DV SSL CA 2 with validity 2026-03-12 to 2027-04-12.
• CT-log analysis indicates the certificate was replaced with a new RSA key pair on 16 March 2026, consistent with emergency key rotation following discovery of the exposure.
• Passive DNS and registration data tie the myclaw.360.cn namespace to Beijing Qihoo Technology Co., Ltd. (360[.]cn), supporting attribution of the infrastructure to Qihoo 360.
• Primary risks include server impersonation, man-in-the-middle decryption, credential/token theft, malicious update delivery, and manipulation of AI inference responses for the Security Claw platform.
• Root cause likely stems from improper build/package controls (CI/CD pipeline included certificate and private key in the installer), reflecting inadequate secrets management during release packaging.
• Impact depends on whether the leaked key was deployed in production and whether any adversary accessed it prior to rotation; further CT logs and passive telemetry are recommended to clarify exposure scope.