Overview
- Hudson Rock reported a live infection on February 13 that exfiltrated a victim’s OpenClaw configuration, calling it a notable shift in infostealer behavior.
- The sample is likely a Vidar variant, according to Hudson Rock’s CTO, though the attribution remains reported rather than independently confirmed.
- Stolen files included openclaw.json with a high‑entropy gateway token, device.json with signing key pairs, and soul.md plus memory files that describe behavior and store activity data.
- Investigators said the malware used a broad file‑grabbing routine rather than a custom OpenClaw module, but the captured token and keys could let an attacker connect to the gateway remotely or impersonate a client if those services are reachable from the internet.
- OpenClaw maintainers responded with VirusTotal scanning, threat modeling, and audits, while researchers flagged malicious skills hosted on lookalike sites to evade checks.
- SecurityScorecard counted hundreds of thousands of internet‑exposed OpenClaw instances at risk of remote code execution (RCE).
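Because the stealer used a generic grabber, the practical response question is which values in a dumped config actually need rotating. The script below is an added example (not Hudson Rock's tooling and not OpenClaw's code) that walks a JSON config and flags long, high-entropy string values, the same "looks like a credential" heuristic that makes a gateway token stand out. The config layout, key names, and the hex token and signing key are constructed for this example and are not OpenClaw's real schema.

```python
import json
import math

# Constructed sample standing in for an openclaw.json-style config. The layout
# is assumed, not OpenClaw's real schema. The token and signing key are
# hand-built hex strings in which every hex digit appears exactly four times,
# so their Shannon entropy is exactly 4 bits per character.
SAMPLE_CONFIG = json.dumps({
    "version": "1.2.0",
    "gateway": {
        "host": "127.0.0.1",
        "port": 8080,
        "token": "7c2fa9e0d4b61835e5b0983fd2c7a6413a8d1f6b49c0e275c46e72a5f1d8b390",
    },
    "device": {
        "id": "dev-01",
        "signing_key": "3a8d1f6b49c0e275c46e72a5f1d8b3907c2fa9e0d4b61835e5b0983fd2c7a641",
    },
})


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies of s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def walk_strings(obj, path=""):
    """Yield (dotted_path, value) for every string leaf in nested dicts and lists."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from walk_strings(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def find_secret_candidates(config_text, min_len=20, min_entropy=3.5):
    """Return [(path, entropy)] for string values long and random-looking enough
    to be credentials. Short or repetitive strings (hosts, versions, ids) are skipped."""
    found = []
    for path, value in walk_strings(json.loads(config_text)):
        if len(value) >= min_len:
            h = shannon_entropy(value)
            if h >= min_entropy:
                found.append((path, round(h, 3)))
    return found


if __name__ == "__main__":
    for path, h in find_secret_candidates(SAMPLE_CONFIG):
        print(f"rotate: {path} (entropy {h:.2f} bits/char)")
```

The threshold depends on the alphabet: a hex token tops out at 4 bits per character and base64 at 6, so tune `min_entropy` to the encoding you expect. A low score clears nothing on its own; after an infostealer hit, plain-text files such as soul.md and the memory files are sensitive regardless of how random they look, and everything in the dump should be treated as compromised.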