22% of enterprises have employees running OpenClaw without IT approval.
Shadow AI incidents cost $670,000 more than standard breaches.
Your AI agent has a memory.
that memory was poisoned.
ClawHavoc campaign. OpenClaw ecosystem. 42,000 exposed instances.
The Scale
How large is the exposure
of enterprises have employees running OpenClaw without IT approval, creating an invisible attack surface that bypasses all existing security controls.
additional cost per breach when shadow AI is involved versus a standard breach. Unmonitored AI agents amplify both the attack surface and the blast radius.
Traditional supply chain attacks compromise software or dependencies. This campaign compromised the agent's identity itself. SOUL.md and MEMORY.md files define how an AI agent thinks and what it remembers. Once poisoned, the agent becomes an insider threat with system-level privileges, operating inside trusted workflows without any change to the code you can see.
The Mechanics
How the attack unfolded
One-Click RCE via WebSocket Token Exfiltration
A single malicious link triggers authentication token disclosure. The attacker authenticates to the local OpenClaw gateway and executes arbitrary commands. This works even when services are bound to localhost, which means network isolation provides no defense. One click by any user in the organization is all it takes.
Initial Access
How attackers got in
- Published malicious skills to ClawHub marketplace
- Embedded curl|bash payloads in installation docs
- Sent targeted phishing emails to OpenClaw users
- Abused ClawHub's minimal skill vetting process
- A normal-looking ClawHub skill with good reviews
- Standard prerequisites in the install instructions
- A curl command that appeared legitimate
- No antivirus or EDR alert on install
- T1566 Phishing
- T1195 Supply Chain Compromise
Execution and Loading
Payload delivery and memory poisoning
- Executed Atomic macOS Stealer via curl pipe
- Injected instructions into SOUL.md
- Poisoned MEMORY.md with false session context
- Triggered reflective code loading
- Skill appeared to install normally
- OpenClaw agent continued working as expected
- No crash, no error, no visible change
- SOUL.md and MEMORY.md silently modified
- T1059 Command and Scripting Interpreter
- T1620 Reflective Code Loading
Lateral Movement and Persistence
Spreading through the environment
- Used compromised SSH keys for lateral access
- Established C2 proxying through trusted agent sessions
- Created persistence via service modification
- Dropped additional malicious packages silently
- Normal-looking SSH activity from known host
- Agent behaving slightly differently but functional
- New system services that looked like agent updates
- T1543 Create/Modify System Process
- T1136 Create Account
- T1090 Proxy
Credential Access and Exfiltration
Data harvesting and delivery to C2
- Harvested SOUL.md and MEMORY.md intelligence
- Extracted aws_credentials and id_rsa keys
- Scraped browser-stored passwords and wallet files
- Transmitted compressed archives to 91.92.242.30
- Encrypted outbound traffic that looked normal
- Port 8000 connections from agent process
- Minimal performance impact during exfil
- T1003 Credential Dumping
- T1573 Encrypted Channel
- T1105 Ingress Tool Transfer
Click any technique to see what it means and how to detect it.
Adversaries send messages containing malicious attachments or links. In ClawHavoc, emails delivered links to malicious ClawHub skills or embedded curl commands in skill installation documentation.
Detection FocusHunt for: Emails containing ClawHub skill installation links Alert on: curl | bash patterns in shell history Monitor: Unexpected OpenClaw skill installs from external sources
Adversaries manipulate products or delivery mechanisms before the target receives them. ClawHavoc used ClawHub's marketplace as the distribution vehicle, inserting 1,184 malicious packages into a trusted channel.
Detection FocusAudit: ClawHub skill install log against approved package list Monitor: New skill installs outside of change control window Alert: Skills installed by non-admin users
Adversaries abuse command-line interfaces to execute malicious commands. ClawHavoc delivered payloads via curl commands piped into bash, bypassing file-based AV detection by running payloads directly in memory.
Detection FocusAlert: curl * | bash or curl * | sh patterns Hunt: Bash invocations spawned by OpenClaw processes Monitor: /tmp directory for executable files created at runtime
Adversaries execute payloads directly into memory without writing to disk, evading file-based detection. ClawHavoc payloads were loaded into process memory via the scripting interpreter chain.
Detection FocusMonitor: Memory-only execution in OpenClaw agent processes Alert: Processes with no on-disk binary counterpart Hunt: Unusual memory regions with execute permissions
Adversaries create or modify system-level processes to repeatedly execute malicious payloads. ClawHavoc used this for persistence by creating launch agents on macOS that survived reboots.
Detection FocusMonitor: ~/Library/LaunchAgents/ for new .plist files Alert: systemd unit file creation outside of package manager Hunt: Services referencing OpenClaw directories
Adversaries create accounts to maintain access. In some ClawHavoc variants, new system or service accounts were created to provide a persistent backdoor independent of the OpenClaw agent session.
Detection FocusAlert: New user account creation outside of IT provisioning workflow Hunt: Accounts with no MFA enrollment created during attack window Monitor: sudo access granted to non-standard accounts
Adversaries attempt to dump credentials to obtain account login and credential material. ClawHavoc targeted browser-stored passwords, AWS credentials, SSH private keys, and cryptocurrency wallet files.
Detection FocusAlert: File reads on ~/.aws/credentials or ~/.ssh/id_rsa Monitor: Browser password store access by non-browser processes Hunt: Processes reading keychain databases or wallet files
Adversaries encrypt communications to blend in with normal traffic. ClawHavoc used encrypted channels for C2 communication to 91.92.242.30, making payload content invisible to standard network inspection.
Detection FocusAlert: Outbound TLS connections to 91.92.242.30 Monitor: Port 8000 activity from OpenClaw agent processes Hunt: Encrypted uploads with high byte-to-request ratio
Adversaries use proxies to route traffic through intermediary systems. ClawHavoc used compromised OpenClaw agents as SSH proxies, routing C2 traffic through trusted internal hosts to blend with normal traffic.
Detection FocusMonitor: SSH tunneling or port-forwarding from agent hosts Alert: Unexpected outbound connections proxied through internal systems Hunt: -D or -L flags in SSH process arguments
Adversaries transfer tools or other files from an external system into a compromised environment. ClawHavoc used this to pull additional malware stages from C2 after initial access, enabling multi-stage payload delivery.
Detection FocusAlert: curl/wget downloads from non-approved domains by agent process Monitor: New executables created in /tmp or agent working directories Hunt: File transfers from 91.92.242.30 or associated infrastructure
Your Move
Respond and harden
Check off each indicator as you investigate. Track your hunt progress across all four categories.
Click each category to expand the detection playbook and query logic.
Tactical Sigma Rules
Log-based detection across system interactions, payload delivery, and data theft
- Log all system interactions with OpenClaw processes using process creation events
- Detect external payload download attempts with curl/wget targeting non-approved domains
- Monitor bulk data extraction from credential stores and browser password databases
title: ClawHavoc Payload Delivery via curl pipe
detection:
selection:
CommandLine|contains:
- 'curl * | bash'
- 'curl * | sh'
- 'wget * | bash'
condition: selection
level: high
Threat Hunting Queries
Proactive hunt queries for API anomalies, scripted execution, and C2 activity
- Hunt for API anomalies and rare request patterns in OpenClaw gateway logs
- Identify scripted CURL or bash pipe invocations linked to agent processes
- Flag suspicious C2 connections and anomalous authentication attempts
index=network dest_ip=91.92.242.30
| stats count by src_ip, dest_port, bytes_out
| where bytes_out > 100000
| sort -bytes_out
Cloud and Tool Monitoring
Monitoring OpenClaw workflows, ClawHub skill inventory, and supply chain integrity
- Monitor all OpenClaw workflow executions for anomalous behavior or unexpected tool calls
- Scan ClawHub skill inventory weekly against an approved package baseline
- Audit full supply chain pipeline for integrity violations and unauthorized modifications
# Compare installed skills against approved list
openclaw skills list --format=json | \
jq '[.[].name]' > current_skills.json
diff approved_skills.json current_skills.json
Endpoint and Process Monitoring
Deep process monitoring with focus on SOUL.md and MEMORY.md file integrity
- Analyze suspicious processes spawned by the OpenClaw agent at runtime
- Monitor SOUL.md and MEMORY.md for unexpected writes, additions, or truncation
- Detect process injection behaviors and memory anomalies at agent runtime
inotifywait -m -r ~/.openclaw/ \
-e modify,create,delete \
--format '%T %w %f %e' \
--timefmt '%Y-%m-%d %H:%M:%S' \
| grep -E 'SOUL.md|MEMORY.md'
Mitigations sorted by urgency. Red = act now. Blue = build into long-term posture.
Access Controls for Admins
- Enforce MFA on all OpenClaw deployments now
- Disable marketplace skill installs until audited
- Restrict install permissions to approved admins only
Credential Security Hardening
- Rotate all AWS, SSH, and browser-stored credentials
- Lock and monitor access to sensitive credential files
- Revoke any tokens or API keys exposed during window
Enhanced Threat Monitoring
- Block outbound connections to 91.92.242.30
- Alert on SOUL.md and MEMORY.md file writes
- Enable verbose logging on all agent processes
Network Segmentation
- Isolate OpenClaw instances in dedicated network zones
- Apply zero trust architecture to all AI workloads
- Limit lateral movement paths from agent hosts
Software Supply Chain Security
- Implement package signing and sandboxed skill execution
- Establish a ClawHub skill approval workflow
- Audit installed skills quarterly against approved baseline
Awareness and AI Governance
- Train developers to never pipe curl directly to bash
- Enforce shadow AI governance policies enterprise-wide
- Require formal approval before any AI agent deployment
AI Agents Need a Different Security Model
Traditional application security does not account for agents with persistent memory, system privileges, and a marketplace of third-party extensions. SOUL.md and MEMORY.md are attack surfaces most organizations have never considered.
Shadow AI Is the Hidden Multiplier
22% of enterprises have unsanctioned OpenClaw deployments. Every one of those is an unmonitored, unpatched, and ungoverned instance. Shadow AI does not just add risk, it hides it from the people responsible for managing it.
The Supply Chain Is Now the Agent's Trust Model
ClawHub's minimal vetting made the marketplace itself a delivery mechanism. As AI agent ecosystems grow, every plugin, skill, and extension is a potential supply chain vector. Governance over what runs inside your agents is now a security requirement.
Looking for the formal intelligence report with full IOC tables and section references?
← Back to Threat Bulletin