Malicious OpenClaw skills trick AI agents and users into installing a new AMOS variant that steals extensive data at scale.

Trend Micro Blog offers insights, analysis, and updates on cybersecurity threats, trends, and best practices. Covering topics such as malware analysis, threat intelligence, and cybersecurity risk management, Trend Micro Blog provides resources for IT security professionals, helping them stay ahead of emerging threats and protect their organizations from cyber attacks.

Trend Micro

Atomic macOS Stealer (AMOS) has evolved its distribution method from cracked software to exploiting AI agentic workflows via malicious OpenClaw skills. Threat actors uploaded hundreds of malicious SKILL.md files to ClawHub, SkillsMP, and GitHub that trick AI agents (particularly GPT-4o) into installing a fake CLI tool. The infection chain uses Base64-encoded commands to drop a Mach-O universal binary that steals credentials, browser data, Apple and KeePass keychains, cryptocurrency wallets, and documents, then exfiltrates them to a C&C server. The malware uses multi-key XOR string encryption and can install backdoored versions of Ledger Live and Trezor Suite. Over 2,200 malicious skills were identified on GitHub, highlighting the scale of the campaign.

Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer