Fake OpenClaw Installer Steals Your Passwords: How to Check If You're Affected

A fake OpenClaw download site has been distributing the Hologram infostealer since February 2026. It targets over 250 browser extensions, including every major password manager and crypto wallet. If you downloaded OpenClaw from anywhere other than the official site, your credentials may already be gone.

How the attack works

Netskope Threat Labs discovered a convincing fake download site at openclaw-installer[.]com, registered on March 9, 2026 on Chinese infrastructure and fronted by Cloudflare. The site links to a typosquatted GitHub organization (openclaw-install/openclaw-installer) instead of the legitimate openclaw/openclaw repository. An earlier wave documented by Huntress used different malicious GitHub repositories between February 2 and 10, 2026, and at one point the fake repository became the top result in Bing's AI search results for "OpenClaw Windows."

The download delivers a file called OpenClaw_x64[.]7z containing a 130MB Rust-based executable padded with fake documentation. The oversized file is deliberate: it clears antivirus file-size thresholds and breaks automated sandbox upload limits. The malware's own PE manifest makes no attempt to hide its identity, openly naming itself "Hologram" with the description "Decoy entity generator for tactical misdirection."

Before executing any malicious code, the dropper runs layered anti-analysis checks: BIOS strings for virtual machines, sandbox detection libraries, MAC address prefixes, blocked usernames, and hardware profiling (GPU, CPU cores, RAM, disk size, screen resolution). If those checks pass, it enforces a "mouse gate," waiting for real mouse movement before continuing. Automated security sandboxes don't generate mouse movement, so the malware sits dormant and never gets flagged during analysis.

Once activated, the dropper downloads a six-part modular framework called the Stealth Packer. One module fingerprints the system to decide whether the victim warrants the full implant. Another beacons to a hijacked Brazilian law firm's subdomain over HTTPS. Others establish Telegram-based persistence and use Azure DevOps and Hookdeck (a webhook relay service) for command and control. The sophistication is well beyond typical infostealer campaigns.

What Hologram steals

The credential theft scope is extensive. Hologram targets over 250 browser extensions across these categories:

The GhostSocks module (identified by Huntress in the earlier February wave) adds an additional layer: it routes traffic through your machine, allowing attackers to use your IP address to bypass anti-fraud detection on financial services. Your machine becomes a proxy for the attacker's own activities.

How to check if you're affected

Step 1: Verify your download source

Check your browser history and downloads folder. The only legitimate OpenClaw download sources are:

• openclaw.ai (official website)
• github.com/openclaw/openclaw (official repository)

If you see openclaw-installer.com, openclaw-install (GitHub org), or any other domain in your download history, your system is likely compromised.

Step 2: Check for the malicious executable

Search your system for these filenames:

# Windows
dir /s /b C:\Users\%USERNAME%\Downloads\OpenClaw_x64*
dir /s /b C:\Users\%USERNAME%\Downloads\svc_service.exe

# macOS / Linux
find ~/Downloads -name "OpenClaw_x64*" -o -name "svc_service"

The legitimate OpenClaw installer is a standard Node.js package installed via npm or the shell script at openclaw.ai/install.sh. It is not a 130MB archive. If you have a file matching OpenClaw_x64.7z or OpenClaw_x64.exe, that's the malicious version.

Step 3: Run a malware scan

Run a full system scan with Malwarebytes (free) or your installed antivirus. The Hologram dropper has low detection rates on initial release, but signatures have been updated since Netskope's disclosure. Also check for svc_service.exe running in your process list, which is the Stealth Packer's persistence mechanism.

Step 4: Rotate every credential the malware could reach

If you ran the fake installer, assume everything is compromised. Rotate credentials in this order:

• Password manager master password: Change it from a clean device (not the compromised machine). Use our password generator to create a new one: 20+ characters, fully random
• Email account passwords: Your email resets every other password. Secure it first
• Banking and financial accounts: Change passwords, enable 2FA if not already active, and monitor for unauthorized transactions
• Crypto wallets: Transfer all assets to a new wallet created on a clean device. Do not use the compromised machine for any wallet operations
• SSH keys: Generate new key pairs on a clean machine and update them everywhere (GitHub, servers, cloud providers)
• Browser-saved passwords: Every password your browser had stored is compromised. Rotate all of them through your password manager

Run your new passwords through our password strength checker to confirm they meet the 16-character minimum recommended for 2026.

If you already uninstalled OpenClaw, you're not safe yet

Uninstalling OpenClaw (real or fake) does not remove the Hologram implant. The Stealth Packer framework installs persistence mechanisms independent of the OpenClaw application. GhostSocks continues routing traffic through your machine even after OpenClaw is gone.

If you're planning to uninstall OpenClaw, follow our complete removal guide to clean up the application files, but understand that a separate malware removal process is needed if you ran the fake installer. A full system scan, credential rotation, and potentially a clean OS reinstall are the only reliable remediation.

This is the fourth major OpenClaw security event in 2026

The fake installer campaign joins a growing list of OpenClaw security incidents this year:

• January 2026: CVE-2026-25253 allowed one-click remote code execution through Cross-Site WebSocket Hijacking, giving attackers full control of any OpenClaw instance through a crafted webpage
• February 2026: The first Hologram wave (documented by Huntress) used malicious GitHub repositories that appeared as top results in Bing's AI search
• March 2026: A security audit of ClawHub found 341 malicious skills, with the number-one community skill containing active data exfiltration code
• May 2026: The second Hologram wave (Netskope) uses a dedicated fake website, a six-part Stealth Packer framework, and targets 250+ browser extensions

If you're running OpenClaw on a dedicated Mac Mini with the hardening steps from our guide (dedicated user account, loopback-only gateway, token authentication), you're protected against the ClawHub and CVE attacks. But the fake installer campaign targets the download process itself, before any hardening can take effect.

For anyone evaluating whether OpenClaw is worth the security overhead, our OpenClaw alternatives comparison covers NemoClaw, Claude Code, n8n, and other AI agents with different security architectures. NemoClaw adds kernel-level sandboxing that would contain infostealer activity even if a fake installer made it onto the system.

Technical indicators (IOCs)

For incident response teams:

• Fake domain: openclaw-installer[.]com (registered March 9, 2026, Chinese infrastructure, Cloudflare-fronted)
• Typosquatted GitHub org: openclaw-install/openclaw-installer
• Malicious archive: OpenClaw_x64[.]7z (130MB, contains padded Rust executable)
• Dropper PE manifest: Name "Hologram", version v1.7.16, description "Decoy entity generator for tactical misdirection"
• Persistence binary: svc_service.exe
• C2 infrastructure: hkdk.events (Hookdeck), frr.rubensbruno.adv[.]br (hijacked law firm subdomain), Telegram-based C2, Azure DevOps endpoints
• Campaign name: Hologram / Stealth Packer (Netskope designation)
• Related campaign: GhostSocks (Huntress, February 2026 wave)

Sources: Netskope Threat Labs, Huntress, CyberSecurityNews.