A sophisticated malware campaign, dubbed “OpenClaw Trap,” is actively targeting software developers, gamers, Roblox players, and cryptocurrency users by leveraging compromised GitHub repositories. The campaign, identified by Netskope Threat Labs, employs a custom LuaJIT trojan designed with advanced evasion techniques to bypass automated security defenses, indicating a well-resourced threat actor. The malicious operation was discovered after security researchers detected trojanized packages exploiting behavioral evasion tactics, with the same toolchain found across hundreds of delivery packages hosted on multiple GitHub repositories.
The core of the “OpenClaw Trap” campaign revolves around a meticulously crafted GitHub repository, AAAbiola/openclaw-docker, which impersonates a legitimate Docker deployment tool for the OpenClaw AI project. This fake repository features a professional-looking README with installation guides for both Windows and Linux, a companion GitHub.io webpage, and even includes contributions from what appear to be real developers to enhance its credibility. Further bolstering the illusion of legitimacy, the attacker utilized numerous dummy accounts to artificially inflate the repository’s star and fork counts. Strategic use of topic tags such as “ai-agents,” “docker,” “openclaw,” and “LLM” helped the malicious repository gain visibility and rank highly in developer search results.
OpenClaw Trap Campaign Exploits Developer Trust
Netskope Threat Labs researchers first became aware of the “OpenClaw Trap” campaign upon detecting a trojanized package that employed sophisticated behavioral evasion techniques, specifically engineered to circumvent automated analysis pipelines. Their subsequent investigation uncovered that the same malicious toolchain was operative across more than 300 confirmed delivery packages. These packages, disguised as common utilities like gaming cheats, phone trackers, VPN crackers, and Roblox scripts, were distributed through various GitHub repositories, all funnelling back to the same attacker-controlled infrastructure. The naming conventions used for the “lure” directories, which drew from obscure biological taxonomy, archaic Latin, and medical terminology, strongly suggest a machine-generated approach to malware production, hinting at the use of AI-assisted methods for creating these malicious payloads at scale.
The impact of this campaign is broad, affecting a diverse range of users. Upon execution, every victim machine’s geographic location is immediately ascertained, and a complete desktop screenshot is captured and transmitted to a command-and-control (C2) server located in Frankfurt, Germany. The attacker’s infrastructure appears to be built for high volume, with eight confirmed IP addresses operating behind a load-balanced backend. Additionally, researchers have linked the operator to a Telegram channel, “@NumberLocationTrack,” operating under the alias TroyDen since June 2025. This timeline suggests that the “OpenClaw Trap” campaign had been active for months prior to the appearance of the compromised GitHub repositories.
Two Files, One Weapon
A particularly distinctive technical aspect of this campaign is its payload delivery method, which splits the malicious components into two distinct files to evade detection. Each malicious ZIP package contains three items: a batch file named `Launch.bat`, a renamed LuaJIT runtime executable identified as `unc.exe`, and an obfuscated Lua script presented as `license.txt`. When each of these files is submitted to an automated scanner individually, they appear harmless and do not trigger any alerts. The malicious intent is only realized when the batch file executes both components sequentially in the correct order. This design directly exploits the common practice of sandboxes analyzing files in isolation, thus bypassing standard security checks.
Once both components are activated in tandem, the payload proceeds through a series of five anti-analysis checks. These checks include probing for the presence of debuggers, assessing available RAM, evaluating system uptime, verifying privilege levels, and identifying specific computer names. If any of these indicators suggest the execution environment is a sandbox, the payload halts its operation. If none of these indicators are present, a `Sleep()` function is invoked for a period approaching 29,000 years, a duration designed to exceed any typical automated analysis window. By the time a security tool might report a clean verdict, the payload has already executed on a legitimate machine without leaving any traceable logs within the sandbox environment.
The Lua script itself has been processed with the Prometheus Obfuscator, which rewrites its control-flow logic and renders static code analysis ineffective. Following the anti-analysis checks, the malware makes four registry writes to disable Windows’ proxy auto-detection feature, diverting outbound traffic and potentially bypassing corporate network inspection layers. It then captures a full screenshot of the victim’s desktop and uploads it to the Frankfurt-based C2 server in a hardcoded multipart POST request. The C2 server responds with encrypted tasking and loader blobs, which are saved to the victim’s Documents folder. The same fixed 38-character boundary string appears in every observed C2 request, which suggests that the operator used AI-assisted code generation tools to build the server-side management panel.
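A defender-side check for the hardcoded upload described above, added here as an example and not code from Netskope or the campaign: it parses constructed proxy log lines (sample values, not real indicators) and flags a multipart boundary reused verbatim by several clients, since a legitimate HTTP client generates a fresh boundary for each request. It also reports the boundary length and deliberately includes two browser-style boundaries that are likewise 38 characters long, to show that length alone is not a signal.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for this example (not captures from the campaign):
# timestamp, client IP, method, destination, Content-Type. Boundary values are made up.
SAMPLE_LOG = """\
2025-06-02T10:00:01Z 10.0.0.5 POST 203.0.113.10/upload multipart/form-data; boundary=----TrapBoundary0123456789abcdef012345
2025-06-02T10:00:07Z 10.0.0.8 POST 203.0.113.10/upload multipart/form-data; boundary=----TrapBoundary0123456789abcdef012345
2025-06-02T10:01:15Z 10.0.0.9 POST 203.0.113.10/upload multipart/form-data; boundary=----TrapBoundary0123456789abcdef012345
2025-06-02T10:02:00Z 10.0.0.5 POST example.org/api multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gWa
2025-06-02T10:02:30Z 10.0.0.8 POST example.org/api multipart/form-data; boundary=----WebKitFormBoundaryQh3p9xLm2kVbNcR1
2025-06-02T10:03:00Z 10.0.0.5 GET example.org/ -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
BOUNDARY_RE = re.compile(r'boundary="?([^";\s]+)"?', re.IGNORECASE)

def parse_log(text):
    """Return one record per multipart POST: timestamp, client, destination, boundary."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, dest, ctype = m.groups()
        b = BOUNDARY_RE.search(ctype)
        if method != "POST" or b is None:
            continue
        records.append({"ts": ts, "client": client, "dest": dest, "boundary": b.group(1)})
    return records

def find_reused_boundaries(records, min_clients=2):
    """Flag a boundary string reused verbatim by several distinct clients.

    A well-behaved HTTP client generates a fresh random boundary per request, so the
    same boundary arriving from multiple hosts points at a hardcoded request template.
    The length is reported as a secondary attribute only: browser-generated boundaries
    are often 38 characters too, so length alone does not discriminate.
    """
    seen = defaultdict(lambda: {"clients": set(), "dests": set(), "count": 0})
    for r in records:
        entry = seen[r["boundary"]]
        entry["clients"].add(r["client"])
        entry["dests"].add(r["dest"])
        entry["count"] += 1
    return {
        b: {"count": e["count"], "clients": sorted(e["clients"]),
            "dests": sorted(e["dests"]), "length": len(b)}
        for b, e in seen.items() if len(e["clients"]) >= min_clients
    }

if __name__ == "__main__":
    for b, info in find_reused_boundaries(parse_log(SAMPLE_LOG)).items():
        print(f"reused boundary {b!r} ({info['length']} chars): {info['count']} requests "
              f"from {len(info['clients'])} clients to {info['dests']}")
```

In a real deployment the destination set is the useful pivot: a reused boundary whose destinations are all one external host is the case to escalate.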
Individuals who may have downloaded packages from the three identified affected repositories should consider their systems potentially compromised and should actively monitor for any signs of unauthorized access or suspicious activity. Security teams are advised to treat any GitHub download that bundles a renamed interpreter with an opaque data file as a high-priority triage case. The indicators of compromise (IOCs) that have been published should be immediately deployed into Endpoint Detection and Response (EDR) systems and network monitoring tools. Furthermore, all outbound connections to the confirmed C2 IP addresses associated with the “OpenClaw Trap” campaign should be blocked at the firewall level as a precautionary measure.
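One way to act on that triage guidance, added here as an example and not the researchers' tooling: a Python script that scans an extracted package for the three-file pattern (a batch launcher, a PE that embeds an interpreter banner under a different name, and a data-extension file dense in Lua tokens) and only escalates when all three coincide. The interpreter banners, token list and thresholds are assumptions chosen for this example, and build_sample() writes a constructed package, not the campaign's files.

```python
import os
import re
import tempfile

# Assumed heuristics for this example: the LuaJIT runtime embeds its version banner
# ("LuaJIT 2.x") in the binary, and a Lua source file is dense in these tokens.
INTERPRETER_MARKERS = {b"LuaJIT": "luajit", b"Python": "python", b"Node.js": "node"}
LUA_TOKENS = re.compile(r"\b(local|function|end|loadstring|load|string\.char|pcall)\b")
LAUNCH_RE = re.compile(r"(\S+\.exe)\s+(\S+\.(?:txt|dat|bin|log))", re.IGNORECASE)
DATA_EXTS = (".txt", ".dat", ".bin", ".log")

def build_sample(root):
    """Write a constructed three-file package with the layout the article describes."""
    with open(os.path.join(root, "Launch.bat"), "w") as f:
        f.write("@echo off\r\nunc.exe license.txt\r\n")            # constructed launcher
    with open(os.path.join(root, "unc.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"LuaJIT 2.1.0 -- Copyright\x00")  # fake PE stub
    with open(os.path.join(root, "license.txt"), "w") as f:
        f.write("local a=string.char(0x6c) local function b(c) return load(c) end b(a)")

def triage_dir(root):
    """Return (kind, file, detail) findings for the renamed-interpreter pattern."""
    findings = []
    for name in sorted(os.listdir(root)):
        with open(os.path.join(root, name), "rb") as f:
            data = f.read()
        lower = name.lower()
        if lower.endswith(".exe") and data.startswith(b"MZ"):
            for marker, kind in INTERPRETER_MARKERS.items():
                if marker in data and kind not in lower:   # interpreter under another name
                    findings.append(("renamed_interpreter", name, kind))
        elif lower.endswith((".bat", ".cmd")):
            for m in LAUNCH_RE.finditer(data.decode("utf-8", "replace")):
                findings.append(("launcher_chain", name, f"{m.group(1)} {m.group(2)}"))
        elif lower.endswith(DATA_EXTS):
            hits = len(LUA_TOKENS.findall(data.decode("utf-8", "replace")))
            if hits >= 4:                                  # threshold chosen for this example
                findings.append(("script_in_data_file", name, f"{hits} lua tokens"))
    return findings

def is_high_priority(findings):
    """True when launcher, renamed interpreter and script-bearing data file coincide."""
    return {"launcher_chain", "renamed_interpreter", "script_in_data_file"} <= {f[0] for f in findings}

def run_sample():
    """Build the constructed package in a temp dir, triage it, return (findings, verdict)."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        findings = triage_dir(d)
    return findings, is_high_priority(findings)
```

Point triage_dir() at an extracted download to use it on real input; run_sample() exercises it against the constructed package.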