Stealing the Soul of AI: Infostealer Malware Raids OpenClaw Agents
Subtitle: A new breed of cyberattack targets AI agent configuration files and tokens, exposing the risks at the heart of the open-source AI revolution.
It began as a routine malware infection - until investigators realized the digital thief wasn’t just after passwords or credit cards. Instead, the infostealer had struck gold: the operational “soul” of a personal AI agent. As AI platforms like OpenClaw surge in popularity, a new frontier in cybercrime is emerging - one where the identities, ethics, and powers of AI assistants themselves are up for grabs.
Fast Facts
- A variant of the Vidar infostealer exfiltrated OpenClaw AI agent configuration files, including sensitive gateway tokens and cryptographic keys.
- Stolen files contained operational blueprints, behavioral guidelines, and authentication credentials for the victim’s AI agent.
- OpenClaw, an open-source AI agent platform, has seen explosive growth and now faces mounting security challenges and supply chain attacks.
- Hundreds of thousands of OpenClaw instances are reportedly exposed online, putting users at risk of remote code execution (RCE) attacks.
- Malware campaigns are evolving to bypass detection, targeting AI skill registries and exploiting account deletion flaws on related forums.
The Anatomy of an AI Heist
In a recent case that has rattled cybersecurity circles, researchers at Hudson Rock discovered that an off-the-shelf infostealer - likely a Vidar variant - had ransacked a victim’s OpenClaw environment. Rather than relying on a custom-built module, the malware’s broad file-grabbing routine swept up a trove of files with telling names: openclaw.json (containing gateway tokens and workspace paths), device.json (with cryptographic keys), and the evocatively named soul.md (outlining the AI’s ethical boundaries and operational rules).
The implications are profound. With a stolen gateway token, an attacker could remotely impersonate the victim’s AI agent, issue commands, or even access sensitive resources if the local port is exposed. As AI agents become embedded in professional workflows - handling emails, automating tasks, and integrating with cloud services - the theft of their “identity” opens doors to espionage, sabotage, and large-scale fraud.
Researchers warn that this incident marks a turning point: infostealers are no longer content with browser secrets or crypto wallets. The “souls” of AI agents - configurations, ethical codes, and all - are now prime targets. Expect future malware to include dedicated modules for parsing and decrypting agent files, just as it does for browsers and messaging apps today.
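One defensive takeaway is to treat the three files named above as credential stores and alert when anything other than the agent opens them. The sketch below is an added example, not code from Hudson Rock or the OpenClaw project; the event schema, the allowlisted executable path, and the AGENT_DIR placeholder are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from pathlib import PurePosixPath

# File names reported as stolen in the incident described above.
SENSITIVE_NAMES = {"openclaw.json", "device.json", "soul.md"}

# Assumption: executables expected to read the agent files on this host.
ALLOWED_EXES = {"/opt/agent/bin/agent"}  # hypothetical path

# Constructed file-open events (one JSON object per line); the schema is an
# assumption standing in for whatever your EDR or audit pipeline emits.
SAMPLE_EVENTS = """\
{"ts": 100, "pid": 411, "exe": "/opt/agent/bin/agent", "path": "/home/u/AGENT_DIR/openclaw.json"}
{"ts": 205, "pid": 977, "exe": "/tmp/upd.bin", "path": "/home/u/AGENT_DIR/openclaw.json"}
{"ts": 205, "pid": 977, "exe": "/tmp/upd.bin", "path": "/home/u/AGENT_DIR/device.json"}
{"ts": 206, "pid": 977, "exe": "/tmp/upd.bin", "path": "/home/u/AGENT_DIR/soul.md"}
{"ts": 300, "pid": 512, "exe": "/usr/bin/vim", "path": "/home/u/notes/soul.md.bak"}
not-json garbage line
"""

def find_suspicious_reads(lines, allowed=ALLOWED_EXES):
    """Return {(pid, exe): sorted file names} for non-allowlisted readers."""
    hits = defaultdict(set)
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
            name = PurePosixPath(ev["path"]).name
            key = (ev["pid"], ev["exe"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed events instead of aborting the scan
        # Match on exact basename so look-alikes such as soul.md.bak are ignored.
        if name in SENSITIVE_NAMES and ev["exe"] not in allowed:
            hits[key].add(name)
    return {k: sorted(v) for k, v in hits.items()}

def severity(names):
    """Token or key file touched => rotate credentials; soul.md alone => review."""
    touched = {"openclaw.json", "device.json"} & set(names)
    return "rotate-credentials" if touched else "review"

if __name__ == "__main__":
    for (pid, exe), names in find_suspicious_reads(SAMPLE_EVENTS).items():
        print(pid, exe, names, severity(names))
```

A single unexpected process touching all three files within seconds matches the broad file-grabbing sweep described in this case; a hit on openclaw.json or device.json means the gateway token and keys should be considered exposed.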
The OpenClaw Dilemma
The OpenClaw project, which has exploded in popularity since its 2025 launch, now faces a barrage of security woes. Recent campaigns have exploited its “skills” registry, hosting malware on lookalike sites and bypassing detection by using decoy files. Worse, hundreds of thousands of OpenClaw instances have been left exposed online, vulnerable to remote code execution - a single point of failure that could grant attackers sweeping access to emails, APIs, and internal infrastructure.
The risks extend beyond code. On Moltbook, a forum for AI agents, accounts can never be deleted - leaving users with no way to erase their digital footprint or the data tied to their agents. As OpenClaw’s founder joins OpenAI and the project moves into a new phase, the stakes for securing the AI supply chain have never been higher.
Conclusion: Guarding the Minds of Machines
The age of AI brings promise - and peril. As infostealers pivot to target the very heart of our digital assistants, defenders must rethink what it means to secure not just data, but the operational identities and ethics of artificial intelligence itself. In the new arms race for the soul of AI, vigilance is no longer optional - it’s existential.
WIKICROOK
- Infostealer: An infostealer is malware designed to steal sensitive data - like passwords, credit cards, or documents - from infected computers without the user's knowledge.
- OpenClaw: OpenClaw is an open-source platform for securely deploying, managing, and monitoring AI agents in personal and professional cybersecurity environments.
- Gateway Token: A gateway token is a secure digital credential that authenticates and authorizes access to APIs or services, ensuring only permitted users can interact.
- Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
- Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.