AI System Malware Threat

A sophisticated malware campaign has emerged, targeting developers and systems powered by artificial intelligence. The malware disguises itself as a legitimate plugin within an open-source AI framework, posing a significant threat to users who unknowingly integrate it into their workflows.

Security experts have identified this threat as one that capitalizes on the mechanized nature of AI agents, using automation to compromise systems. The primary objectives of the malware, delivered as a fake “DeepSeek-Claw” skill for the OpenClaw framework, are to gain remote control of infected machines and extract sensitive data.

How the Malware Operates

Researchers at Zscaler ThreatLabZ discovered this campaign in March 2026. Their findings reveal that the threat actors published the deceptive skill on GitHub, anticipating that AI agents and developers would incorporate it into automated workflows without scrutiny. This method circumvents traditional phishing and social engineering techniques by embedding hidden commands within standard instruction files.

Once downloaded, the malware adapts its attack based on the operating system. Windows users following automated AI-driven processes are infected with Remcos RAT, a powerful remote access tool. Conversely, users on macOS, Linux, or Windows utilizing a manual path are targeted by GhostLoader, a cross-platform data stealer.

Impact on Systems and Organizations

The ramifications of this attack extend beyond individual systems. Remcos RAT provides attackers with full remote access, while GhostLoader collects cloud tokens, SSH keys, and browser session cookies, potentially compromising entire organizational infrastructures within moments of execution.

The OpenClaw framework, previously known as Clawdbot and Moltbot, is designed to enable AI agents to perform complex tasks on local systems. The malware exploits this modular “skill” design by concealing a PowerShell command within a SKILL.md file, which downloads and executes a remote Windows Installer package from a server controlled by the attackers.

Countermeasures and Recommendations

Upon execution, the installer introduces a genuine, signed GoToMeeting executable alongside a malicious DLL masquerading as its dependency. This technique, known as DLL sideloading, enables the malware to bypass security tools before launching Remcos RAT, providing the attackers with a covert interactive reverse shell.

For macOS and Linux, the attack involves an obfuscated Node.js file embedded in npm scripts, deploying GhostLoader. This malware displays fake password prompts to extract credentials and collects valuable data such as macOS Keychain information, SSH keys, and cloud API tokens, all forwarded to attacker-controlled servers.

As AI agents become integral to development processes, the risk of supply chain poisoning through such fake skills increases. Organizations must rigorously vet third-party plugins and implement strict monitoring of tools that interact with privileged resources.

Indicators of Compromise (IoCs) include various MD5 hashes and URLs related to the malware’s components, as identified by Zscaler.

Stay updated by following us on Google News, LinkedIn, and X. Set CSN as a preferred source for the latest cybersecurity news.