OpenClaw’s Hologram: Fake Installer Ships Rust Infostealer

Netskope Threat Labs uncovered Hologram, a fake OpenClaw installer campaign that uses layered infrastructure, anti-sandboxing, and a six-binary Stealth Packer framework to steal credentials from hundreds of wallet and password-manager extensions. The campaign spans multiple waves and uses Hookdeck, Telegram, Azure DevOps, and compromised domains to hide its command-and-control and deliver evolving payloads such as clroxide, memexec, and Vidar. #OpenClaw #Hologram #StealthPacker #Hookdeck #clroxide #Vidar

Keypoints

  • Hologram is a fake OpenClaw installer campaign delivered as a deliberately oversized Rust dropper archive, sized to exceed the file-size limits at which sandboxes and AV engines stop scanning.
  • The malware uses multiple anti-analysis checks, including VM detection, environment scoring, and a mouse-movement gate before executing malicious code.
  • Stage 1 disables Defender, opens firewall ports, and retrieves stage-2 components and passwords from dead-drop infrastructure.
  • The stage-2 Stealth Packer framework is modular and includes persistence, fingerprinting, credential theft targeting, and multiple C2 channels.
  • Advanced techniques include clroxide-based CLR loading, memexec reflective PE execution, WinLogon Userinit hijacking, COM hijacking, and NT syscall thread injection.
  • The campaign uses Telegram, Hookdeck, Azure DevOps, and compromised or staged domains to conceal infrastructure and rotate C2 during analysis.
  • The targeting manifest lists 250 browser extensions: 201 crypto wallets and 49 password-manager and 2FA-authenticator extensions.
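The anti-analysis checks in the keypoints above (BIOS strings, VM DLLs, MAC prefixes, usernames, hardware traits, screen resolution, and a mouse-movement gate) are exactly the criteria a detonation environment has to pass before this dropper will run. The following self-check is an added example, not Netskope's code and not reconstructed malware: it scores a set of host facts the way an environment-scoring gate would, so you can see which traits of your own sandbox would keep the payload dormant. The concrete indicator values (DLL names, MAC OUIs, usernames, resolutions) are assumptions taken from commonly fingerprinted VM traits, not from the report, and the `HostFacts` inputs are constructed.

```python
"""Score an analysis host against the VM/sandbox heuristics the Hologram
dropper is reported to use. Added example, not code from the report."""
from dataclasses import dataclass

# Assumed indicator sets: well-known VM/sandbox fingerprints, not values from the report.
VM_BIOS_STRINGS = ("virtualbox", "vbox", "vmware", "qemu", "bochs", "xen")
VM_DLLS = ("vboxhook.dll", "vboxmrxnp.dll", "vmguestlib.dll",
           "sbiedll.dll", "api_log.dll", "dir_watch.dll")
VM_MAC_OUIS = ("08:00:27", "00:05:69", "00:0c:29", "00:1c:14", "00:50:56", "52:54:00")
SANDBOX_USERS = ("sandbox", "malware", "virus", "test", "currentuser", "wdagutilityaccount")
COMMON_RESOLUTIONS = {(1920, 1080), (1366, 768), (1536, 864), (1440, 900),
                      (1280, 720), (2560, 1440), (1600, 900)}


@dataclass
class HostFacts:
    """Facts about the host under test, collected however you like (WMI, PowerShell, an EDR export)."""
    bios_vendor: str
    loaded_dlls: list
    mac_addresses: list
    username: str
    cpu_cores: int
    ram_gb: int
    screen: tuple          # (width, height)
    mouse_moved: bool      # did the cursor move during the observation window?


def score_host(h: HostFacts) -> list:
    """Return one tag per heuristic the host trips; an empty list means it looks like a real workstation."""
    hits = []
    if any(s in h.bios_vendor.lower() for s in VM_BIOS_STRINGS):
        hits.append("bios:" + h.bios_vendor)
    for dll in h.loaded_dlls:
        if dll.lower() in VM_DLLS:
            hits.append("dll:" + dll)
    for mac in h.mac_addresses:
        if mac.lower()[:8] in VM_MAC_OUIS:        # first three octets = OUI
            hits.append("mac:" + mac)
    if h.username.lower() in SANDBOX_USERS:
        hits.append("user:" + h.username)
    if h.cpu_cores < 2 or h.ram_gb < 4:           # assumed thresholds for "too small to be real"
        hits.append(f"hw:{h.cpu_cores}c/{h.ram_gb}GB")
    if h.screen not in COMMON_RESOLUTIONS:
        hits.append("screen:%dx%d" % h.screen)
    if not h.mouse_moved:
        hits.append("no-mouse-movement")
    return hits


def would_detonate(h: HostFacts, max_hits: int = 1) -> bool:
    """Mirror of an environment-scoring gate: the payload runs only when the
    mouse gate is satisfied and the score stays at or below the threshold."""
    return h.mouse_moved and len(score_host(h)) <= max_hits


if __name__ == "__main__":
    # Constructed example: a stock VirtualBox sandbox with no input simulation.
    lazy_vm = HostFacts("innotek GmbH VirtualBox", ["kernel32.dll", "VBoxHook.dll"],
                        ["08:00:27:1a:2b:3c"], "sandbox", 1, 2, (1024, 768), False)
    for tag in score_host(lazy_vm):
        print("tripped:", tag)
    print("payload would run:", would_detonate(lazy_vm))
```

Run it against the facts of your own detonation VM; every tag it prints is a trait to fix (rename the user, add a mouse-movement simulator, give the guest a common resolution, spoof the OUI) before the sample will go past stage 1.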

MITRE Techniques

  • [T1497.001 ] Virtualization/Sandbox Evasion: System Checks – Hologram checks BIOS strings, VM DLLs, MAC prefixes, usernames, hardware traits, and screen resolution to avoid analysis (‘VirtualBox BIOS strings, sandbox-associated DLLs, VM MAC prefixes… waits for actual mouse movement’).
  • [T1112 ] Modify Registry – svc_service.exe establishes persistence through registry autoruns and WinLogon modification (‘Run registry autorun’, ‘HKLM…Winlogon\Userinit’).
  • [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The framework uses startup-folder and Run-key persistence (‘OneDriveSync.lnk in the system startup folder’, ‘HKCU…Run’).
  • [T1547.004 ] Boot or Logon Autostart Execution: Winlogon Helper DLL – The malware hijacks WinLogon Userinit to run before normal logon (‘WinLogon Userinit hijack… prepending before userinit.exe’).
  • [T1053.005 ] Scheduled Task/Job: Scheduled Task – Persistence is also set with an elevated logon-triggered task (‘schtasks /SC ONLOGON /RL HIGHEST’).
  • [T1546.015 ] Component Object Model Hijacking – The operator uses COM hijacking for foothold and staging (‘COM hijacking rounds out the foothold’).
  • [T1055 ] Process Injection – The framework injects code into processes using direct NT syscalls (‘NtGetContextThread, NtSetContextThread… for thread injection’). Rewriting a thread's context to redirect execution is the signature of Thread Execution Hijacking, so T1055.003 is the precise sub-technique for this evidence.
  • [T1055.012 ] Process Hollowing – The quoted behavior (‘reflectively executes an embedded secondary PE entirely in memory’) is reflective code loading within the implant's own process, which MITRE maps to T1620 Reflective Code Loading. Process hollowing needs a suspended host process whose image is unmapped and replaced, and nothing quoted here describes that, so treat the T1055.012 mapping as tentative.
  • [T1027 ] Obfuscated Files or Information – The dropper uses Base64, XOR, string fragmentation, and obfuscated TOML/PS1 content to hinder detection (‘Base64 + XOR’, ‘cmdlet names fragmented at runtime’).
  • [T1105 ] Ingress Tool Transfer – Payloads, passwords, and stage-2 binaries are downloaded from dead-drops and staging services (‘password-protected 7z payload downloads from C2’, ‘fetched from Azure DevOps’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – C2 and check-ins use HTTPS, Telegram, and webhook relays over web protocols (‘multipart/form-data POST over HTTPS/TLS 1.3’, ‘Hookdeck webhook relay’).
  • [T1090.002 ] Proxy: External Proxy – Hookdeck, a third-party webhook relay, is used as an external hop so the true backend and the Telegram bot token never appear in the sample (‘All Telegram communication… is routed through a Hookdeck webhook relay’).
  • [T1104 ] Multi-Stage Channels – The campaign relies on dead drops and staged retrieval before C2 activation (‘Before any of the stage 2 modules run, the dropper already knows the C2 address’). Fetching the C2 address from raw-paste services is itself T1102.001 Web Service: Dead Drop Resolver, which is the channel to hunt for in proxy logs since the dropper contacts it before any true C2 traffic appears.

Indicators of Compromise

  • [Domains ] delivery, staging, and C2 infrastructure – openclaw-installer.com, hkdk.events, frr.rubensbruno.adv.br, hwd.hidayahnetwork.com, and 2 more domains
  • [IP addresses ] C2 and proxy endpoints – 45.55.35.48, 193.202.84.14, and 2 more IPs
  • [URLs ] dead-drops and staging endpoints – https://snippet.host/efguhk/raw, https://pastebin.com/raw/w6BVFFWQ, and further URLs in the full report
  • [Files ] dropper and stage-2 binaries – OpenClaw_x64.exe, svc_service.exe, and 5 other binaries
  • [Hashes ] malicious binaries and loaders – 4014048f8e60d39f724d5b1ae34210ffeac151e1f2d4813dbb51c719d4ad7c3a, f03736fadffcb7bef122d25d6ace8044378d4fa455f7f48081a3b32c80eb4ed2, and further hashes in the full report
  • [Mutexes ] runtime synchronization strings – Global\StealthPackerMutex_9A8B7C, Global\{CoreTask1461}_onedrive_sync.exe
  • [Registry keys ] persistence locations – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{NetworkManager}
  • [Paths ] dropped files and startup persistence – C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveSync.lnk, %APPDATA%\Roaming\DataConfig\manager.exe
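The persistence and infrastructure indicators above are only useful once they are turned into checks that run over host data. The hunt below is an added example, not code from the Netskope report: it takes a dictionary of facts already collected from a host (registry values, a file listing, process command lines, mutex names, DNS queries; collection via Sysmon, an EDR export, or PowerShell is outside its scope) and reports which Hologram artifacts are present. The Userinit parser is the part worth keeping: the legitimate value is a comma-separated list whose only entry is the stock userinit.exe, so any other entry, and especially one prepended in front of it, runs at every logon. `SAMPLE_HOST` and the paths inside it are constructed for the demonstration.

```python
"""Hunt a host's collected artifacts for the Hologram indicators listed above.
Added example, not code from the report; SAMPLE_HOST is constructed."""
import re

USERINIT_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUE = "{NetworkManager}"
IOC_STARTUP_LNK = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveSync.lnk"
IOC_MUTEXES = {r"Global\StealthPackerMutex_9A8B7C", r"Global\{CoreTask1461}_onedrive_sync.exe"}
IOC_DOMAINS = {"openclaw-installer.com", "hkdk.events",
               "frr.rubensbruno.adv.br", "hwd.hidayahnetwork.com"}


def userinit_foreign_entries(value: str) -> list:
    """Every entry of the comma-separated Userinit value that is not the stock
    userinit.exe. Order is preserved, so an entry listed first was prepended and
    runs before the real logon helper."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith(r"\userinit.exe")]


def schtask_is_elevated_logon(cmdline: str) -> bool:
    """schtasks with an ONLOGON trigger at run level HIGHEST, the pattern quoted in the report."""
    c = cmdline.lower()
    return ("schtasks" in c
            and re.search(r"/sc\s+onlogon", c) is not None
            and re.search(r"/rl\s+highest", c) is not None)


def domain_matches(query: str) -> bool:
    """Exact or subdomain match against the IOC domains (api.hkdk.events counts, nothkdk.events does not)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def hunt(host: dict) -> list:
    """Return one finding string per matched indicator; registry is {value_path: data}."""
    findings = []
    registry = host.get("registry", {})
    for entry in userinit_foreign_entries(registry.get(USERINIT_VALUE, "")):
        findings.append(f"T1547.004 Userinit hijack: {entry}")
    for value_path, data in registry.items():
        if value_path.startswith(RUN_KEY + "\\") and value_path[len(RUN_KEY) + 1:] == IOC_RUN_VALUE:
            findings.append(f"T1547.001 Run value {IOC_RUN_VALUE} -> {data}")
    for path in host.get("files", []):
        if path.lower() == IOC_STARTUP_LNK.lower():
            findings.append(f"T1547.001 Startup shortcut: {path}")
    for cmd in host.get("process_cmdlines", []):
        if schtask_is_elevated_logon(cmd):
            findings.append(f"T1053.005 elevated logon task: {cmd}")
    for mutex in host.get("mutexes", []):
        if mutex in IOC_MUTEXES:
            findings.append(f"Stealth Packer mutex: {mutex}")
    for query in host.get("dns_queries", []):
        if domain_matches(query):
            findings.append(f"T1090.002/T1071.001 relay or C2 domain: {query}")
    return findings


# Constructed host snapshot: one of everything, plus benign entries that must not match.
SAMPLE_HOST = {
    "registry": {
        USERINIT_VALUE: r"C:\Users\alice\AppData\Roaming\DataConfig\manager.exe,C:\Windows\system32\userinit.exe,",
        RUN_KEY + r"\{NetworkManager}": r"C:\Users\alice\AppData\Roaming\DataConfig\manager.exe",
        RUN_KEY + r"\OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
    "files": [IOC_STARTUP_LNK, r"C:\Users\alice\Downloads\OpenClaw_x64.exe"],
    "process_cmdlines": [
        r'schtasks /Create /TN "CoreTask" /SC ONLOGON /RL HIGHEST /TR "C:\ProgramData\svc_service.exe" /F',
        r"C:\Windows\explorer.exe",
    ],
    "mutexes": [r"Global\StealthPackerMutex_9A8B7C", r"Global\SomeLegitAppMutex"],
    "dns_queries": ["api.hkdk.events", "login.microsoftonline.com", "nothkdk.events"],
}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_HOST):
        print(finding)
```

Note that the real OneDrive autostart lives in the HKCU Run key, so an OneDriveSync.lnk in the all-users Startup folder is suspicious on its own, independent of the exact filename; the same goes for any Userinit entry other than the stock one, which is why the parser flags foreign entries rather than matching the report's path.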


Read more: https://www.netskope.com/blog/openclaw-hologram-fake-installer-ships-rust-infostealer