Full Report
Cybersecurity researchers disclosed they have detected a case of an information stealer infection successfully exfiltrating a victim's OpenClaw (formerly Clawdbot and Moltbot) configuration environment. "This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI [
Analysis Summary
# Tool/Technique: OpenClaw Configuration Exfiltration (Vidar Variant)
## Overview
This technique involves the use of information-stealing malware to harvest the configuration files, identity frameworks, and authentication tokens of personal AI agents, specifically those using the **OpenClaw** (formerly Clawdbot/Moltbot) platform. This represents an evolution in infostealer behavior, moving beyond browser credentials to capturing the "soul" and operational identity of autonomous AI assistants.
## Technical Details
- **Type:** Malware (Infostealer)
- **Platform:** Windows (implied by directory structures and Vidar behavior)
- **Capabilities:** Credential theft, broad file-grabbing, session token hijacking, and AI configuration harvesting.
- **First Seen:** February 2026 (Reported); Vidar itself has been active since late 2018.
## MITRE ATT&CK Mapping
- **[TA0009 - Collection]**
- [T1560 - Archive Collected Data]
- [T1005 - Data from Local System]
- **[TA0006 - Credential Access]**
- [T1555 - Credentials from Web Browsers]
- [T1539 - Steal Web Session Cookie] (Applicable to Gateway tokens)
- **[TA0010 - Exfiltration]**
- [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **Broad File-Grabbing Routine:** Unlike specialized modules that decrypt browser databases, this variant uses a generic routine to search for specific file extensions and directory names containing sensitive data.
- **Credential Harvesting:** Stealing standard browser passwords, Telegram sessions, and crypto wallets.
### Advanced Features
- **AI Identity Theft:** Targetted harvesting of the OpenClaw environment, specifically:
- **openclaw.json:** Contains Gateway tokens and workspace paths.
- **device.json:** Contains cryptographic keys for secure pairing and signing operations.
- **soul.md:** Captures the "SOUL" (Systemic Operational Underlying Logic) of the agent, including its behavioral guidelines and ethical boundaries.
- **C2 Communication:** Utilizing standard Vidar infrastructure to exfiltrate the compressed identity of the AI agent.
## Indicators of Compromise
- **File Names:**
- `openclaw.json`
- `device.json`
- `soul.md`
- **Network Indicators:** (General Vidar C2 behavior – defanged)
- `hxxps[://]t[.]me/` (Vidar often uses Telegram channel descriptions to store C2 IP addresses)
- `hxxp[://]vidar-infrastructure-example[.]com`
- **Behavioral Indicators:**
- Unauthorized access to `%APPDATA%` or workspace directories associated with OpenClaw.
- Unexpected outbound connections to known infostealer C2 endpoints.
## Associated Threat Actors
- **Vidar/StealC Affiliates:** The specific infection was attributed to a variant of the **Vidar** infostealer.
- **ClawHub Campaigners:** Actors specifically targeting the OpenClaw ecosystem via malicious "skills" and lookalike websites.
## Detection Methods
- **Signature-based:** Traditional AV signatures for Vidar and its common packing methods.
- **Behavioral:** Monitoring for processes scanning for `.json` and `.md` files in sensitive application data directories.
- **YARA Rules:**
- Rules targeting specific strings within the OpenClaw configuration (e.g., `"gateway_token"`, `"workspace_path"`, or `"SOUL"` templates).
## Mitigation Strategies
- **Token Rotation:** Immediately revoke and regenerate OpenClaw Gateway tokens if an infection is suspected.
- **Principle of Least Privilege:** Restrict the OpenClaw process permissions so it cannot access sensitive system areas, and vice versa.
- **Network Hardening:** Ensure local OpenClaw instances are not exposed to the public internet (closing vulnerable ports).
- **Skill Verification:** Only download and install OpenClaw "skills" from verified repositories and use the VirusTotal integration for scanning.
## Related Tools/Techniques
- **ClawHub Malicious Skills:** A technique where attackers host malware on lookalike websites rather than embedding payloads directly in skill files.
- **Moltbook:** An AI-centric forum associated with OpenClaw identity risks.
- **Redline/Raccoon Stealer:** Other infostealer families that may adopt similar "file-grabbing" rules for AI agent configurations.