VTA-004558 – Malicious Bot Skills Signal a Shift in Crypto-Focused Attacks

ClawHavoc represents a sophisticated supply chain attack targeting the ClawHub marketplace for OpenClaw AI bots, where attackers uploaded 341 malicious “skills” nearly 12% of the platform’s 2,857 total packages. These skills masquerade as useful tools for crypto trading, YouTube summarization, Polymarket betting and more, tricking users into installing them to enhance their bots’ capabilities. What starts as a seemingly legitimate download quickly escalates, prerequisites direct victims to password-protected ZIPs or obfuscated scripts that bypass antivirus detection and deploy infostealers like Atomic macOS Stealer (AMOS) or Windows trojans.

The attack’s ingenuity lies in its exploitation of AI bot ecosystems, a fresh frontier beyond traditional targets like npm or PyPI. Attackers used typosquatting (e.g., “clawhub1” instead of “clawhub”) and themed lures 111 crypto-focused skills alone, including Solana wallet trackers and Phantom utilities to hit high-value users. Once executed, payloads like AMOS (a 521KB universal Mach-O binary) employ string encryption, ad-hoc code signing and functions to pilfer browser data, 60+ crypto wallets, Keychain passwords, SSH keys and bot config files such as ~/.clawdbot/.env. Obfuscated chains, like base64-encoded curl commands fetching from IPs such as 91.92.242.30, ensure stealthy delivery.

Unlike blunt malware drops, ClawHavoc blends social engineering with MaaS tools, hiding backdoors in functional code (e.g., reverse shells triggered during Polymarket searches) to evade reviews. This campaign, uncovered by an OpenClaw bot named Alex auditing its own marketplace, underscores AI assistants’ unique risks, compromised bots access personal emails, finances and decisions shared in natural language.

Severity:
High

Attack Surface:
Cloud Service, Infrastructure, Supply Chain (Third-party vendors), System Management Service, Web Application

Tactics:
Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Persistence, Resource Development

Techniques:
T1195.002 – Compromise Software Supply Chain: Software Dependencies
T1059.001 – Command and Scripting Interpreter: PowerShell/JavaScript for macOS equiv
T1555.003 – Credentials from Password Stores: Keychain
T1564.001 – Hide Artifacts: Hidden Files for obfuscated chains
T1078 – Valid Accounts
T1071.001 – Application Layer Protocol: Web Protocols
T1102 – Web Service
T1567.002 – Exfiltration Over Web Services
T1020 – Automated Exfiltration
T1036 – Masquerading
T1027 – Obfuscated Files or Information
T1098 – Account Manipulation
T1583 – Acquire Infrastructure
T1565 – Impair Integrity
T1657 – Financial Theft

Indicator of Compromise:
https://otx.alienvault.com/pulse/698551261524fd9dc5504d97

References:
1. https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting#heading-9
2. https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto

SuperPRO’s Threat Countermeasures Procedures:
1. Audit and restrict API token scopes for automation platforms (read-only where possible, especially for wallet and exchange integrations)
2. Disable or remove unused bot skills and third-party automation plugins from cloud environments
3. Enforce transaction confirmation policies on crypto wallets and exchanges (manual approval for withdrawals above defined thresholds)
4. Monitor automation logs for anomalous task execution, such as off-schedule crypto transfer triggers or unexpected wallet API calls
5. Implement behavior-based detection for automation workflows rather than signature-based malware detection
6. Rotate all wallet credentials, API keys and OAuth tokens if exposed to automation platforms discovered to host unverified skills

Contributed by: Thivya