AI Agents as Attackers: “DeepSeek-Claw” Turns OpenClaw Automation into a Malware Minefield

Imagine an AI assistant that not only automates your coding tasks but also quietly installs malware, steals credentials, and hands attackers the keys to your kingdom-no phishing or zero-days required. That’s the chilling reality uncovered in the latest campaign targeting OpenClaw, a popular open-source framework for “agentic” AI automation, where a seemingly innocuous integration called “DeepSeek-Claw” transformed trusted workflows into a covert malware delivery system.

The attack surfaced in March 2026 when researchers at Zscaler ThreatLabz spotted a new “skill” in the OpenClaw ecosystem-a modular AI automation platform formerly known as Clawdbot and Moltbot. OpenClaw enables autonomous agents to run privileged commands, manipulate files, and streamline complex tasks. Its extensible “skill” architecture, while powerful, created a dangerous blind spot: any third-party skill can run with full agent permissions, forming an unguarded software supply chain.

Enter “DeepSeek-Claw.” Marketed as a productivity booster, this skill actually embedded a multi-pronged attack in its SKILL.md installation file. OpenClaw agents-designed to parse and execute documentation-could autonomously follow these instructions, or developers might do so manually. On Windows, a PowerShell one-liner silently fetched a remote MSI installer. This dropped a signed GoToMeeting executable alongside a booby-trapped DLL, which used “DLL sideloading” to launch Remcos RAT undetected. Before activating malicious payloads, the implant patched Windows defenses, disabled telemetry, and dodged sandbox analysis.

The alternative “manual” path, often triggered on Linux or macOS, delivered GhostLoader-a cross-platform credential stealer hidden in obfuscated Node.js scripts or disguised as sudo prompts. GhostLoader harvested SSH keys, browser cookies, cryptocurrency wallets, and cloud tokens, exfiltrating them to attacker-controlled servers. This attack didn’t exploit OpenClaw’s core binaries; it weaponized trust in documentation and automation, subverting both human and AI-driven workflows.

The implications are stark: in the era of agentic AI, documentation isn’t just a learning tool-it’s an active execution surface. Security teams must treat all third-party skills as untrusted code, enforce rigorous review, and monitor for behavioral red flags like DLL sideloading or suspicious npm scripts. Organizations deploying autonomous agents should segment privileges, restrict shell command execution, and require explicit human approval for potentially dangerous actions.

The “DeepSeek-Claw” incident is a warning shot for the future of AI-powered automation: when your AI agent is the one clicking “install,” the line between productivity and compromise vanishes. As attackers pivot to exploiting the very workflows meant to boost efficiency, vigilance and layered defenses are no longer optional-they’re the last line standing.

WIKICROOK

• Agentic AI: Agentic AI systems can independently make decisions and take actions, operating with limited human oversight and adapting to changing situations.
• DLL Sideloading: DLL sideloading is when attackers trick trusted programs into loading malicious helper files (DLLs) instead of the legitimate ones, enabling hidden attacks.
• Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
• Obfuscated Scripts: Obfuscated scripts are code intentionally made difficult to read, often to hide malicious actions or evade security detection in cybersecurity contexts.
• Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.