Insights, news, education and announcements from PolySwarm

The ClawHavoc Campaign

Written by The Hivemind | Feb 27, 2026 6:48:52 PM

Verticals Targeted: Cryptocurrency, Corporations, Social Media, Finance, Developers
Regions Targeted: Not Specified
Related Families: Trojan/OpenClaw.PolySkill, Atomic Stealer (AMOS)

Executive Summary

Threat actors conducted a widespread supply chain poisoning operation, named ClawHavoc, by uploading hundreds of malicious Skills to the ClawHub marketplace for the OpenClaw AI agent framework, employing social engineering to induce users to execute payloads that install information stealers and backdoors. The campaign leverages over 900 malicious skills to target high-value users across cryptocurrency, productivity, and social media categories to steal credentials, wallet data, and bot configurations.

Key Takeaways

  • Initial discovery revealed 341 malicious Skills on ClawHub, growing to 824 as the marketplace expanded, to over 10,700 Skills by mid-February 2026.
  • Malicious Skills are disguised as legitimate tools in categories like crypto trackers, YouTube summarizers, auto-updaters, and Google Workspace integrations, using professional-looking SKILL.md documentation with "Prerequisites" sections to deceive users into downloading password-protected ZIPs on Windows or running base64-obfuscated terminal commands on macOS.
  • Payloads include Atomic macOS Stealer (AMOS), along with reverse shells and direct exfiltration of ~/.clawdbot/.env files containing AI service tokens.
  • Attackers employed typosquatting, targeted high-value sectors like Solana and Polymarket tools, and hid malicious code in operational scripts for evasion.

The Campaign

The ClawHavoc campaign exploited the permissive nature of ClawHub, the official marketplace for OpenClaw Skills, which are plugin packages that extend the open-source AI agent's capabilities across automation, cryptocurrency monitoring, social media assistance, and productivity tasks. OpenClaw, formerly ClawdBot and Moltbot, grants Skills broad system access, including shell execution, file operations, and API integrations, making poisoned extensions particularly dangerous.

Security researchers at Koi identified the initial wave of malicious activity on February 1, 2026, auditing 2,857 Skills and finding 341 malicious ones, predominantly from a coordinated effort. Subsequent scans as ClawHub grew showed the campaign's expansion, with malicious Skills infiltrating nearly every category and introducing approximately 25 new attack variants, such as browser automation, coding agents, LinkedIn and WhatsApp tools, PDF utilities, and ironic fake security scanners. Key uploader accounts drove mass deployment, with tactics remaining consistent.

Koi initially noted the following types of plugins known be used maliciously:

  • Crypto Tools (111 skills)
  • ClawHub Typosquats (29 skills)
  • ‍Polymarket Bots (34 skills)
  • YouTube Utilities (57 skills)
  • Auto-Updaters (28 skills)
  • Finance and Social Tools (51 skills)
  • Google Workspace (17 skills)
  • Ethereum Gas Tracker (15 skills)
  • Lost Bitcoin (3 skills)

Koi also singled out six skills that used unique techniques worth documenting separately:

  • better-polymarket
  • polymarket-all-in-one
  • base-agent
  • bybit-agent
  • polymarket-traiding-bot
  • rankaj

According to a Reddit post, the most downloaded skill on OpenClaw that was affected by the malware was What Would Elon Do.

Malicious Skills package configurations, JSON metadata, SKILL.md files, and scripts to lure execution. Documentation fabricates requirements like installing "openclaw-agent" or "helper utilities," directing Windows users to GitHub-hosted password-protected ZIP archives to bypass scans, or macOS users to paste obfuscated commands fetching from services like glot[.]io or rentry[.]co. These decode to curl downloads from attacker infrastructure, dropping second-stage payloads.

Analysis confirmed Atomic Stealer (AMOS) as a primary macOS payload. It uses runtime string decryption, fake password prompts for privilege escalation, recursive directory copying, and exfiltration of compressed archives to C2 servers. It targets extensive data, including browser profiles, keychains, 60+ crypto wallets, Telegram, SSH keys, history files, and documents. Other variants include Python scripts embedding os.system calls for reverse shells hidden in functional code, and JavaScript exfiltrating .env files to webhooks.

Outliers demonstrated sophistication. Some embed backdoors in legitimate-appearing operations, such as Polymarket search functions, while others focus on straightforward theft. The campaign leverages developer trust in ecosystems, documentation, and GitHub, exploiting AI users' willingness to follow complex setup instructions.

Additional ClawHavoc-related activity was reported by Help Net Security earlier this week, in which attackers posted deceptive comments under popular ClawHub Skills, such as those for Trello, Slack, and Gog, posing as legitimate troubleshooting suggestions. These comments direct users to malicious downloads or commands from infrastructure tied to the original campaign, including IP 91.92.242[.]30, which fetches obfuscated scripts that remove macOS quarantine attributes and execute Atomic Stealer. This tactical shift to comment-based social engineering evades ClawHub's attempts at mitigating the original campaign, highlighting persistent risks in the platform's community features and the ongoing adaptation of supply chain poisoning efforts targeting OpenClaw users.

The threat actors behind the ClawHavoc campaign are potentially of Chinese origin, and an author with ID hightower6eu uploaded the most malicious packages. Other authors known to upload the malicious packages include sakaen736jih, moonshine-100rze, zaycv, aslaep123, jordanprater, noreplyboter, rjnpage, gpaitai, lvy19811120-gif, danman60, and noypearl. It is possible some of these accounts were not originally threat actor controlled and were hijacked. One common thread is that many of the plugins connect to the same IP 91.92.242[.]30 This IP has been associated previously with Poseidon (a Portuguese speaking cybercrime group) activity in the past.

This incident and attempts at follow-on attacks highlight vulnerabilities in emerging agentic AI marketplaces, including open publishing with minimal vetting, high-privilege execution models, and rapid ecosystem growth outpacing security controls. Users should review installed Skills, revoke exposed credentials, avoid unverified integrations, and employ endpoint detection for malicious packages.

IOCs

PolySwarm has multiple samples associated with this activity.

 

SKILL.md

e06f1a80e17e738521597530a87919ba29ae92affb781821db216161eff60fb3

 

Atomic Stealer

23adae592b1dab3823d212ebad6830aee1a6e17e8fbffac1bf13514ed53a4148

1e6d4b0538558429422b71d1f4d724c8ce31be92d299df33a8339e32316e2298

0e52566ccff4830e30ef45d2ad804eefba4ffe42062919398bf1334aab74dd65

 

Other files associated with the ClawHavoc campaign

053f09ea69d13cdabb9501ce82e418329beb8e75a02d25e5a2f79de12d56ffa2

95fb8f28d08e19090443bda8bd71bbb79f7c451288a2de6f1ca0ad6fee8b4569

d781d5cabaf5f305bbb8afcd9a54d7ba616bfa7aef5c4d16f6bce3d2bf3b4073

9168298d34d75424a0e51f04258e80e1322bf0fe1f24729ca6c0c032c1298914

a63f2109703a38963e9dcbabca1d25c730603b3d6b70e8a4d41bdf2c612f20d0

ec2920e56f2f62c6a2ed1242747980f6f7343c2404b7ae9a6e975b66b1c24b6d

e3b5a5dbbccab4cf36c7abf5cb5ae83062dd1b5dee7db04bddbf53fc9ebdb233

8187af54384bd5939c8d0ebe745168f03c90c357d02cea855af139418cf2e673

f0a54f2b44e557854b0a5001c4e10185884af945814786f78b86539014f78a16

998c38b430097479b015a68d9435dc5b98684119739572a4dff11e085881187e

30f97ae88f8861eeadeb54854d47078724e52e2ef36dd847180663b7f5763168

f2cb9de40cb8b7e13e7d2b0b3e426f8503781a35d8bba3715395430e9b5eeb38

ab267488d2c0a6300b61b5c9046cb86fe4a9ac3fe9a615acd374465b3a4b26c2

23adae592b1dab3823d212ebad6830aee1a6e17e8fbffac1bf13514ed53a4148

af824b9e2c1836b1b433f4d383e168bd3ce64e8c41018073a9f4d9a710aa075f

768a133c4189f63fb37a4718eaa395209d0e61aaa7af1cb9f233224f285baf42

7666f7ca1d82db135527e91e3f94b4361a2e85dee609dec839c38925e0c18acc

358881709e7c9cb4097c9a7ea99d8cfa82d7b076a4305884a9825774d8e45765

30f97ae88f8861eeadeb54854d47078724e52e2ef36dd847180663b7f5763168

0ae5ce9b8d4e6cbdaeaccb4e844c0a88a74dbb778383e282e75b9067ec3146e2

17703b3d5e8e1fe69d6a6c78a240d8c84b32465fe62bed5610fb29335fe42283

0e52566ccff4830e30ef45d2ad804eefba4ffe42062919398bf1334aab74dd65

5cae50d8df26cbaedab1b12fa624dc24ebbe382db7823530ae60781adffebc45

cd3b481528542c8bac595a6c2c26fe4fd78b1495e4edcc3bd4512d7e7455ec7a

 

Click here to view all associated samples in our PolySwarm portal.

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 
View full post