Fake OpenClaw DeepSeek skill uses AI agent workflows to install Remcos RAT and GhostLoader
7 min. read 
Published on
A malicious OpenClaw skill posing as a DeepSeek integration has been used to deliver Remcos RAT on Windows and GhostLoader on macOS, Linux, and some manual Windows installs. Zscaler ThreatLabz identified the campaign in March 2026 and said the attacker hid malicious commands inside a normal-looking OpenClaw skill file.
The fake skill, called DeepSeek-Claw, targets a growing weakness in agentic AI workflows. Instead of tricking users through a traditional phishing email, the attacker placed instructions where an AI agent or developer might execute them during setup.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The campaign matters because OpenClaw-style agents often run with local file access, shell access, browser access, API tokens, and developer credentials. If a malicious skill gets trusted, a single installation step can turn an AI productivity tool into a malware delivery channel.
What happened
OpenClaw is an open-source framework for autonomous AI agents. It runs locally and can help perform tasks that require access to files, shell commands, third-party services, and APIs.
Zscaler said the malicious DeepSeek-Claw repository looked like a normal OpenClaw skill. The attack was hidden in SKILL.md, the instruction file that tells users or agents how to install and use the skill.
That file contained different infection paths. The Windows automated path used PowerShell to download and run a remote MSI installer, while the manual cross-platform path used an obfuscated Node.js payload to install GhostLoader.
At a glance
| Detail | Information |
|---|---|
| Campaign name used in reports | Malicious DeepSeek-Claw OpenClaw skill |
| Researchers | Zscaler ThreatLabZ |
| Discovery period | March 2026 |
| Initial vector | Fake OpenClaw skill hosted on GitHub |
| Windows payload | Remcos RAT |
| macOS and Linux payload | GhostLoader information stealer |
| Main technique | Poisoned installation instructions inside SKILL.md |
| Main risk | Remote access, credential theft, and developer environment compromise |
How the Windows attack worked
On Windows, the malicious skill used an automated command path that launched PowerShell and downloaded a remote MSI package from attacker-controlled infrastructure. The package then installed files that looked legitimate at first glance.
The MSI dropped a genuine, digitally signed GoToMeeting executable and a malicious DLL named g2m.dll. When the trusted executable ran, it loaded the malicious DLL from the same directory, which is a common DLL sideloading technique.
The malicious loader then patched security-related Windows components in memory, including ETW and AMSI, before decrypting and launching Remcos RAT. Once active, Remcos gave the attacker remote control capabilities.
What Remcos gave the attacker
Remcos is a remote access trojan that can let attackers control an infected system, run commands, capture keystrokes, steal browser data, and maintain access after the initial infection.
In this campaign, Zscaler said the Remcos chain used encrypted communication with the attacker’s command server. The payload also ran in stealth mode and supported remote shell access.
For a developer workstation, that can become especially damaging. Attackers may find SSH keys, Git credentials, cloud tokens, API keys, build secrets, and access to internal systems from one infected machine.
How GhostLoader targeted macOS and Linux
The second infection path targeted users who followed the manual installation route. That path used npm lifecycle scripts and a heavily obfuscated Node.js payload.
On macOS and Linux, GhostLoader used fake password prompts to trick users into entering their credentials. It then searched the system for sensitive developer data and sent it to attacker-controlled infrastructure.
Zscaler said GhostLoader targeted macOS Keychain data, SSH keys, cryptocurrency wallet files, browser session cookies, and cloud API tokens. This made the campaign a direct threat to developer environments and cloud-connected workflows.
Payload comparison
| Payload | Target path | Main behavior | Security impact |
|---|---|---|---|
| Remcos RAT | Windows automated OpenClaw skill execution | Remote shell, keystroke logging, browser cookie theft, command execution | Full remote access to the infected workstation |
| GhostLoader | Manual install path on macOS, Linux, and some Windows workflows | Credential theft, fake password prompts, cloud token and SSH key harvesting | Developer secret theft and possible cloud account compromise |
Why AI agents make this attack more dangerous
Traditional malware usually needs a user to open a file, click a link, or run a command. Agentic AI changes that model because tools can read instructions and act on them automatically.
OpenClaw skills use markdown-style instruction files. That makes them easy for humans to read, but also easy for attackers to poison with commands that an agent may treat as setup steps.
The danger grows when an agent has permission to run shell commands or modify local files. A malicious skill can blend into normal automation while quietly executing payload delivery commands.
This follows a wider OpenClaw malware trend
The DeepSeek-Claw campaign is not the first warning around OpenClaw’s ecosystem. Earlier in 2026, Huntress reported fake OpenClaw installers on GitHub that distributed information stealers, GhostSocks proxy malware, and AMOS on macOS.
Huntress also warned that trusted platforms can create false confidence. A repository hosted on GitHub or shown in AI-assisted search results can still be malicious if users do not inspect the code and installation commands.
Zscaler separately warned that OpenClaw’s local execution model creates enterprise risk when organizations allow unsanctioned AI agents, third-party skills, or unreviewed markdown instruction files onto developer machines.
Warning signs to investigate
- OpenClaw skills installed from unknown GitHub repositories.
- References to DeepSeek-Claw or Needvainverter93/deepseek-claw.
- PowerShell launching msiexec from a remote URL.
- Unexpected GoToMeeting executables appearing outside normal installation paths.
- g2m.dll appearing next to a GoToMeeting executable.
- Node.js install scripts that run obfuscated code.
- Fake password prompts on macOS or Linux during package installation.
- Outbound traffic to cloudcraftshub.com, dropras.xyz, trackpipe.dev, or unknown IPs.
- New remote access behavior, shell sessions, or unknown startup persistence.
Recommended defenses
Organizations should treat third-party AI agent skills like software supply chain components. A skill file can execute commands, download dependencies, and touch local resources, so it deserves review before installation.
Security teams should also restrict which agents, skills, and repositories developers can use. Blocking unsanctioned skill downloads, isolating risky browsing sessions, and limiting shell execution can reduce exposure.
For high-risk teams, agent execution should happen in a sandbox or disposable environment. Developers should not run untrusted AI skills on machines that hold production cloud credentials, signing keys, or customer data.
Practical checklist for teams
- Remove the DeepSeek-Claw skill if it exists in any developer environment.
- Search endpoints for known hashes, domains, and payload names from the campaign.
- Review OpenClaw skill files before agents can execute them.
- Block PowerShell or shell commands launched from untrusted skill installation files.
- Prevent AI agents from installing packages without approval.
- Run new skills inside containers, virtual machines, or isolated workspaces.
- Monitor npm lifecycle scripts for obfuscated Node.js execution.
- Rotate developer secrets after any suspected infection.
- Audit cloud tokens, SSH keys, Git credentials, and browser sessions on exposed systems.
- Restrict GitHub repository access through allowlists for high-risk environments.
Indicators reported in the campaign
| Type | Indicator | Description |
|---|---|---|
| MD5 | 1c267cab0a800a7b2d598bc1b112d5ce | DeepSeek-Claw OpenClaw skill |
| MD5 | 2A5F619C966EF79F4586A433E3D5E7BA | MSI installer |
| MD5 | CC1AF839A956C8E2BF8E721F5D3B7373 | Shellcode loader g2m.dll |
| MD5 | 2C4B7C8B48E6B4E5F3E8854F2ABFEDB5 | Remcos RAT payload |
| URL | hxxps://cloudcraftshub[.]com/api | MSI download endpoint |
| URL | hxxp://dropras[.]xyz/ | MSI download endpoint |
| URL | hxxps://trackpipe[.]dev | GhostLoader command server |
| IP and port | 146[.]19.24[.]131:2404 | Remcos command server |
Why developers should care
Developers often hold the keys attackers want most. Their machines may contain source code, deployment credentials, API tokens, private keys, production access, and authenticated browser sessions.
This campaign turns that trust into an attack surface. A fake AI skill does not need to exploit a browser or operating system vulnerability if it can persuade an agent or developer workflow to run the attacker’s setup commands.
The safest rule is simple: do not let autonomous agents install or execute third-party skills without human review, source verification, and runtime isolation.
FAQ
Remcos gives attackers remote access, command execution, keystroke logging, browser cookie theft, and other control capabilities on infected Windows systems.
It is a malware campaign that used a fake OpenClaw skill posing as a DeepSeek integration to install Remcos RAT and GhostLoader.
The attacker hid commands inside the SKILL.md instruction file. Windows automation downloaded a remote MSI installer, while the manual path used obfuscated Node.js code.
Zscaler ThreatLabZ identified the campaign in March 2026 and published technical details in May 2026.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages