An ongoing campaign has surfaced, leveraging AI platforms Hugging Face and ClawHub to distribute malware. This operation involves the deployment of trojans, cryptominers, and infostealers under the guise of legitimate AI tools and extensions.
The attack represents a significant development in supply chain threats, transitioning from traditional software repositories to trusted AI environments. According to Acronis TRU, 575 malicious skills were identified within the OpenClaw ecosystem on ClawHub, spread across 13 developer accounts.
Key Threat Actors and Techniques
The campaign is largely orchestrated by two main threat actors: “hightower6eu,” accountable for 334 malicious skills (58%), and “sakaen736jih,” who managed 199 skills (34.6%). The remaining accounts contributed a smaller number of malicious activities. These skills appear as beneficial tools, such as a YouTube transcript summarizer, but covertly prompt users to download password-protected files or execute encoded commands.
For Windows targets, trojans packed with VMProtect were detected. MacOS targets experienced a base64-encoded command that linked to an external IP (91.92.242[.]30) to download and execute the AMOS Stealer, a macOS-specific infostealer available as malware-as-a-service through various channels.
Advanced Malware Deployment
A second Windows payload utilized a 30-byte XOR key for runtime string decryption, dynamically resolving NT APIs, and conducting in-memory process injection into explorer.exe. This injected code initiated AES-encrypted C2 communication over HTTPS to a malicious site and downloaded a cryptominer disguised as svchost.exe, ensuring persistence through scheduled tasks and alterations to Windows Defender exclusion paths.
The ClawHub campaign prominently features indirect prompt injection, embedding hidden instructions within skill files that AI agents unknowingly execute, thereby broadening the attack’s reach beyond the initial target.
Impact on AI Platforms
Hugging Face, hosting over a million machine learning models, was found to be a platform for hosting multi-stage infection chains, affecting Windows, Linux, and Android systems. Notably, the ITHKRPAW campaign targeted Vietnamese financial organizations, using malicious files to invoke Cloudflare Workers for payload delivery, masked by a decoy image.
The FAKESECURITY campaign utilized a batch script to download an obfuscated secondary script from Hugging Face, bypassing security measures and injecting shellcode into explorer.exe, masquerading as Windows Security.
Future Outlook and Recommendations
Organizations and developers should treat AI models, datasets, and agent extensions as potentially untrusted inputs, requiring rigorous validation akin to any third-party code. Key steps include auditing OpenClaw skills for encoded commands, monitoring for unusual process injections into explorer.exe, blocking known malicious indicators, and enforcing restrictions on Windows Defender exclusion path changes via Group Policy.
As cybercriminals increasingly exploit supply chains, organizations must bolster their defenses to protect against these sophisticated entry points.
