Bing AI Recommended a Fake OpenClaw Installer. It Delivered Vidar, GhostSocks, and Atomic Stealer.


Researchers at Huntress caught Bing's AI-enhanced search recommending malicious GitHub repositories posing as OpenClaw installers. Windows users who followed the instructions picked up the Vidar infostealer and GhostSocks backconnect proxy malware, both loaded entirely in memory. macOS users got Atomic Stealer. The attack worked because the repos looked real, GitHub gave them legitimacy, and Bing's AI did the distribution.

What Happened

Huntress MDR discovered a campaign, disclosed in early March 2026, in which threat actors registered GitHub organisations impersonating OpenClaw installers. The fake organisation, openclaw-installer, hosted repositories that appeared professional enough to fool Bing's AI-powered search at a glance.

When users searched for OpenClaw on Bing, the AI-generated results surfaced these malicious repos as recommended download sources, effectively doing the distribution work for the attackers with zero paid advertising. Huntress put it bluntly: "just hosting the malware on GitHub was enough to poison Bing AI search results."

To boost credibility, the threat actors copied real code from Cloudflare's Moltworker project into their repos, something an automated credibility signal might read as "this looks like real infrastructure code". It worked.

The official OpenClaw repository is at https://github.com/openclaw/openclaw. If you're not reading from there, you're not reading the real thing.

The Payload Chain: Two Platforms, Three Malware Families

Windows: Vidar + GhostSocks

Windows users following the fake installation instructions downloaded OpenClaw_x64.exe. That binary executed multiple payloads in sequence:

  • Rust-based memory loaders: multiple executables, all written in Rust, that loaded the final payloads directly into memory, with no disk writes where endpoint tooling would typically look.
  • Vidar infostealer: a well-documented stealer that harvests browser credentials, session tokens, crypto wallets, and anything else useful from the machine. Its C2 communication is unusual: Vidar resolves its command server address by scraping Telegram channel descriptions and Steam user profile pages, legitimate services that most corporate firewalls won't block.
  • GhostSocks backconnect proxy: after stealing credentials, GhostSocks turns the victim's machine into a proxy node. Attackers then route their own traffic through it to bypass geo-based fraud detection and anti-abuse checks, including the kind that would flag a login from an attacker's VPS but not from the victim's own IP.

Huntress noted that its Managed AV and Managed Defender solutions caught and quarantined the payloads on the customer machine it analysed. That's a best-case scenario: enterprises with EDR deployed got visibility. Consumer users who followed the same instructions likely did not.

macOS: Atomic Stealer

The macOS path used a different delivery mechanism. Victims were shown a bash command to paste into Terminal, a pattern now so common it has a name: pastejacking. The command reached a second GitHub organisation (puppeteerrr, repository dmg) containing shell scripts paired with Mach-O executables that Huntress identified as Atomic Stealer (also known as AMOS).

Atomic Stealer is a macOS infostealer with a solid pedigree: it targets browser data, iCloud Keychain content, macOS password prompts (fake UI that captures the user's login), and crypto wallet extensions. It's sold as crimeware-as-a-service and has seen active development since at least 2023.

Why Bing AI Is the Story Here

This campaign is notable less for the malware families (Vidar and Atomic Stealer are both known quantities) and more for how it found victims. The distribution channel was Bing's AI search: not phishing emails, not malicious ads, not SEO poisoning in the traditional sense.

AI-enhanced search results from Bing surface recommended content based on signals that include GitHub's own credibility metrics: stars, forks, commit activity, organisation affiliation. The attackers gamed exactly those signals: a named GitHub organisation, legitimate code copied into the repository, and enough apparent structure to look like a real project.

This is a different threat model from SEO poisoning, where attackers build pages optimised for search crawlers. Here, the attack surface is the LLM-layer summarisation and recommendation that sits on top of search, a layer that infers intent and trustworthiness without the depth of vetting a security researcher would apply.

The practical implication: AI-powered search recommendations should be treated as suggestions, not endorsements. For software downloads especially, verify URLs directly against the official project.

Disclosure Status

Huntress reported all identified malicious repositories and accounts to GitHub. As of its disclosure date (early March 2026), removal status was unclear. GitHub's response to malicious repository reports varies in speed; if you encounter a repository claiming to offer OpenClaw outside the official org, report it directly at github.com/contact/report-abuse.

Microsoft has not issued a public statement about the Bing AI recommendation as of this writing.

Detection and Response

If You Downloaded from an Unofficial Source

Assume compromise. The immediate steps:

  1. Isolate the machine: disconnect it from the network if you have reason to believe the installer ran.
  2. Credential rotation: every browser-saved password, every session token, every stored credential on that machine should be treated as stolen. Rotate all of them from a clean device.
  3. Check for proxy activity: GhostSocks establishes an outbound TCP connection to the attacker's infrastructure. Look for unexpected outbound connections to unfamiliar IPs, especially persistent connections that survive reboots.
  4. Crypto wallet audit: if you have any browser-based crypto extensions or wallet files on the machine, assume they were captured. Both Vidar and Atomic Stealer explicitly target wallet software.
  5. Revoke active sessions: log out of all sessions on Google, Microsoft, Apple, GitHub, and any SaaS tools used from that machine. Vidar captures session cookies, which bypass password-based authentication entirely.

IOC Summary (from Huntress)

  • Malicious GitHub org: openclaw-installer
  • Malicious repo: puppeteerrr/dmg
  • Windows payload filename: OpenClaw_x64.exe
  • C2 pattern: Vidar resolves C2 via Telegram/Steam profile scraping
  • Proxy pattern: GhostSocks establishes persistent outbound TCP backconnect

Network-Level Detection

Because Vidar uses Telegram and Steam as C2 relay channels, straightforward domain blocklisting won't catch it. Detection requires behavioural analysis: look for new or unexpected processes making unusual sequences of requests to Telegram API endpoints (api.telegram.org) or Steam profile URLs shortly after software installation. A fresh browser process making a GET to a Telegram channel description within minutes of install is anomalous; flag it.
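As an added illustration of that behavioural rule (this is example code written for this article, not Huntress tooling), the function below runs over constructed process and HTTP telemetry and flags any process that contacts a relay host within a few minutes of starting, unless it is one of an assumed allowlist of genuine Telegram and Steam clients. api.telegram.org and Steam profile pages come from the write-up; t.me as a Telegram channel front end and the client process names are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Relay hosts: api.telegram.org and Steam profile pages are named in the article;
# t.me is an assumed additional front end for Telegram channel pages.
RELAY_HOSTS = {"api.telegram.org", "t.me", "steamcommunity.com"}
# Clients that legitimately talk to those hosts (assumed names; tune per environment).
EXPECTED_CLIENTS = {"telegram.exe", "steam.exe", "steamwebhelper.exe"}

# Constructed sample telemetry, not a real capture:
# (timestamp, process image, pid, event type, URL for http_get events)
EVENTS = [
    ("2026-03-02T10:00:00", "OpenClaw_x64.exe", 4120, "process_start", ""),
    ("2026-03-02T10:00:04", "OpenClaw_x64.exe", 4120, "http_get", "https://t.me/s/example_channel"),
    ("2026-03-02T10:00:05", "OpenClaw_x64.exe", 4120, "http_get", "https://steamcommunity.com/profiles/76561198000000000"),
    ("2026-03-02T09:00:00", "msedge.exe", 2200, "process_start", ""),
    ("2026-03-02T10:30:00", "msedge.exe", 2200, "http_get", "https://www.bing.com/search?q=openclaw"),
    ("2026-03-02T11:00:00", "telegram.exe", 3300, "process_start", ""),
    ("2026-03-02T11:00:30", "telegram.exe", 3300, "http_get", "https://api.telegram.org/bot000/getUpdates"),
    ("2026-03-02T12:00:00", "chrome.exe", 5100, "process_start", ""),
    ("2026-03-02T12:01:00", "chrome.exe", 5100, "http_get", "https://steamcommunity.com/profiles/76561198000000001"),
]

def relay_lookups_after_start(events, window=timedelta(minutes=5)):
    """Return (process, pid, url) for each request to a relay host made by a
    process outside EXPECTED_CLIENTS within `window` of that process starting.
    A long-running browser the user drives to Steam is not flagged; a process
    that starts and immediately reads a Telegram or Steam page is."""
    started = {}
    for ts, _, pid, kind, _ in events:
        if kind == "process_start":
            started[pid] = datetime.fromisoformat(ts)
    hits = []
    for ts, proc, pid, kind, url in events:
        if kind != "http_get" or proc.lower() in EXPECTED_CLIENTS:
            continue
        host = (urlparse(url).hostname or "").lower()
        if host not in RELAY_HOSTS:
            continue
        start = started.get(pid)
        # No recorded start means we cannot show the process is old, so flag it.
        if start is None or datetime.fromisoformat(ts) - start <= window:
            hits.append((proc, pid, url))
    return hits

if __name__ == "__main__":
    for hit in relay_lookups_after_start(EVENTS):
        print("suspicious relay lookup:", hit)
```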

The Broader Pattern: GitHub + AI Search as Attack Surface

This campaign fits a wider playbook that's been evolving since 2023:

  1. Target a popular open-source tool: OpenClaw, Node.js packages, Python utilities. Popularity means more search traffic and more user trust.
  2. Create a plausible-looking repository: clone legitimate code, use a professional-sounding org name, add a README with installation instructions.
  3. Wait for AI-assisted discovery: neither paid placement nor active SEO is needed. LLM-based search assistants will surface it based on relevance signals alone.
  4. Deliver the payload via a trusted mechanism: terminal commands look authoritative; users who "installed" the real tool via terminal are primed to follow the same instructions in a fake guide.

It's a supply chain attack that never touches the actual supply chain: it operates entirely in the discovery layer between "I want to install X" and "I'm on the official download page".

Related: Malicious Skills and Package Registries

This isn't the first time OpenClaw's ecosystem has been targeted. BleepingComputer previously reported on malicious Moltbot skills used to push password-stealing malware; in that case the vector was attacker-controlled instruction files in the official skills registry. The GitHub installer campaign represents escalation: if the registry is being watched more closely, move the attack to the installation step.

Defender Checklist: AI Search Downloads

For any open-source tool installation, apply the following before running anything:

  • ✅ Find the official repository independently: search the project name + "github" and confirm the org matches official documentation, not a search result.
  • ✅ Check repository age and contributor history: a two-week-old org with one contributor and 0 stars is suspicious regardless of how polished the README looks.
  • ✅ Verify the download URL in official docs: the project's own website or documentation should reference download URLs directly. If you can't find the URL in official docs, don't run the installer.
  • ✅ Treat AI search results as suggestions, not endorsements: AI-generated results surface content based on signals that attackers can game. The recommendation box is not a security control.
  • ✅ Scan before executing, even on macOS: run installers through VirusTotal or your EDR before execution, especially for tools that request privileged access or system-level permissions.
  • ✅ Bookmark the official repos: once you've verified the real URL, bookmark it. Every future update should come from that bookmark, not a new search.

Recommended Security Reading

Understanding how infostealers operate, and how to defend against them at an architectural level, is covered in depth in these:

  • The Web Application Hacker's Handbook: session hijacking, credential theft mechanics, and defence patterns. The infostealer model is session-cookie theft in bulk; this book explains why rotating passwords alone isn't sufficient after credential compromise.
  • Black Hat Python (2nd Edition): covers network-level implant communication patterns, including the kind of backconnect proxy architecture GhostSocks uses. Useful both for understanding what defenders are up against and for writing detection tooling.
  • YubiKey 5 NFC: Vidar steals session cookies. FIDO2 hardware keys mean that even with valid session cookies, an attacker cannot initiate a new authenticated session on a protected account without the physical key. For accounts you can't afford to lose, hardware MFA is the correct mitigation.

Source and Attribution

Primary source: Huntress MDR research, March 2026. Reported by BleepingComputer. Huntress identified the malicious repos, analysed the payload chain, and reported the repositories to GitHub.

The official OpenClaw installer is at https://github.com/openclaw/openclaw. No other installation source should be trusted.

Frequently Asked Questions

How did Bing AI get tricked into recommending the fake installer?

Bing's AI-powered search surfaces recommendations based on signals like GitHub's credibility metrics: repository structure, organisation affiliation, and the presence of plausible code. The attackers specifically copied real code from Cloudflare's Moltworker project to boost those signals. The AI recommendation layer doesn't perform security vetting; it infers relevance and credibility from surface-level signals that attackers can engineer.

What is Vidar stealer?

Vidar is an infostealer sold as crimeware-as-a-service, active since at least 2018. It collects browser credentials, saved passwords, session cookies, crypto wallet files, and system information, then exfiltrates the data to attacker infrastructure. Its distinctive feature is using Telegram channel descriptions and Steam user profile pages as dynamic C2 channels: when the attacker rotates infrastructure, they just update a Telegram bio or Steam profile, and the stealer follows without needing a new binary.

What is GhostSocks?

GhostSocks is backconnect proxy malware: it installs a persistent SOCKS proxy on the victim's machine that attackers can route traffic through. The main use cases are bypassing fraud detection (logins from the victim's own IP pass geo checks that would block an attacker's VPS), hiding attacker infrastructure, and conducting follow-on attacks that appear to originate from the victim's network.

Does rotating my password protect me after a Vidar infection?

Only partially. Vidar steals session cookies, which are active authenticated sessions that remain valid until they expire or are revoked, regardless of password changes. A password rotation doesn't invalidate existing session tokens. You need to explicitly log out all active sessions on affected services (most platforms have a "sign out all devices" option) and then change passwords after clearing sessions. For future protection, hardware FIDO2 keys prevent new sessions from being established even with a valid cookie.

How can I check if my machine is running GhostSocks?

Look for persistent outbound TCP connections to unfamiliar external IPs that survive reboots, initiated by processes that don't normally make network connections. On Windows: netstat -ano and cross-reference the owning PID with Task Manager. On macOS: lsof -i TCP. EDR solutions capture process-level network telemetry that makes this much easier. If you suspect infection, the most reliable approach is to reimage the machine from a known-clean backup rather than attempting manual cleanup of a proxy implant.
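The netstat cross-reference above, written out as an added example (not from the article or Huntress): the script parses a constructed netstat -ano snapshot plus a constructed PID-to-image map and reports ESTABLISHED sessions to addresses outside private, loopback and link-local ranges that are held by processes outside an assumed allowlist. The remote addresses are IETF documentation ranges standing in for attacker infrastructure, and the allowlist is an assumption to tune per host.

```python
import ipaddress
import re

# Constructed `netstat -ano` snapshot (not a real capture); the remote addresses are
# IETF documentation ranges standing in for attacker infrastructure.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     1234
  TCP    192.168.1.20:49812     203.0.113.45:443       ESTABLISHED     2200
  TCP    192.168.1.20:49900     198.51.100.7:8443      ESTABLISHED     4120
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:50010     10.0.0.5:3389          ESTABLISHED     6020
"""
# Constructed PID -> image map, as Task Manager's Details tab would show it.
PROCESSES = {1234: "svchost.exe", 2200: "msedge.exe", 4120: "OpenClaw_x64.exe",
             4: "System", 6020: "mstsc.exe"}
# Images expected to hold long-lived external sessions (assumed list; tune per host).
EXPECTED_NETWORK_PROCS = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe"}
# Private, loopback and link-local IPv4 ranges; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\w+)\s+(\d+)\s*$")

def split_addr(addr):
    """'host:port' -> (host, port); strips IPv6 brackets if present."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)

def unexpected_external_sessions(netstat_text, processes, expected=EXPECTED_NETWORK_PROCS):
    """Return (pid, image, remote) for ESTABLISHED TCP sessions to external addresses
    held by processes outside `expected`. A single snapshot shows only what is connected
    now; take another after a reboot to see which sessions come back."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "ESTABLISHED":
            continue
        remote_host, remote_port = split_addr(m.group(2))
        remote_ip = ipaddress.ip_address(remote_host)
        if any(remote_ip in net for net in INTERNAL_NETS):
            continue  # peer is on the LAN or the host itself
        pid = int(m.group(4))
        image = processes.get(pid, "<unknown>")
        if image.lower() not in expected:
            findings.append((pid, image, f"{remote_host}:{remote_port}"))
    return findings
```

Running it as `for f in unexpected_external_sessions(NETSTAT_OUTPUT, PROCESSES): print(f)` reports only the session held by OpenClaw_x64.exe; the browser session and the LAN RDP session are filtered out.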

What's the correct way to install OpenClaw?

Go directly to https://github.com/openclaw/openclaw. Don't search for it on Bing, Google, or any AI assistant and follow a link from those results. Bookmark the official URL once you've verified it. Check that the organisation name in the URL is exactly openclaw, not openclaw-installer or any variation. The official documentation should be the only guide you follow for installation steps.
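The org-name check from this answer and from the defender checklist above, written out as an added example (not the OpenClaw project's own tooling). Only https://github.com/openclaw/openclaw, the official source named in the article, is trusted; host, org and repo must all match exactly, so lookalike orgs, lookalike hosts and user@host tricks are rejected. The test URLs are constructed: the two attacker org names come from the IOC list, and the repo name under openclaw-installer is invented.

```python
from urllib.parse import urlparse

# Official source named in the article; this is the only (host, org, repo) trusted.
OFFICIAL_REPOS = {("github.com", "openclaw", "openclaw")}

def verify_github_source(url, official=OFFICIAL_REPOS):
    """Return (ok, reason). Accept a URL only if its host, org and repo exactly match
    an official entry; deeper paths such as /releases/latest under that repo are fine.
    Host and org compare case-insensitively, as GitHub treats them."""
    p = urlparse(url.strip())
    if p.scheme != "https":
        return False, f"scheme {p.scheme!r} is not https"
    host = (p.hostname or "").lower()  # hostname drops any user@ prefix
    if host not in {h for h, _, _ in official}:
        return False, f"host {host!r} is not an official host"
    parts = [seg for seg in p.path.split("/") if seg]
    if len(parts) < 2:
        return False, "URL names an org but no repository"
    org, repo = parts[0].lower(), parts[1].lower()
    if repo.endswith(".git"):
        repo = repo[:-4]
    if (host, org, repo) in official:
        return True, f"{org}/{repo} is the official repository"
    return False, f"{org}/{repo} is not the official source"

# Constructed test URLs. The attacker org names come from the article's IOC list;
# the repo name under openclaw-installer is invented for the example.
CANDIDATES = [
    "https://github.com/openclaw/openclaw",
    "https://github.com/openclaw/openclaw/releases/latest",
    "https://github.com/OpenClaw/openclaw.git",
    "https://github.com/openclaw-installer/openclaw",
    "https://github.com/puppeteerrr/dmg",
    "https://github.com.evil.example/openclaw/openclaw",  # lookalike host
    "https://github.com@evil.example/openclaw/openclaw",  # user@host trick
    "http://github.com/openclaw/openclaw",                # not https
    "https://github.com/openclaw",                        # org page, no repo
]

if __name__ == "__main__":
    for url in CANDIDATES:
        ok, reason = verify_github_source(url)
        print("TRUST " if ok else "REJECT", url, "->", reason)
```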
