Infostealer Malware Expands Target Scope, Steals OpenClaw AI Agent Secrets in First Reported Case

Researchers have recently observed information-stealing malware actively exploiting one of the newest attack surfaces in the AI ecosystem: OpenClaw, a popular agentic AI assistant framework. This development marks a significant evolution in infostealer behavior, moving beyond conventional credential theft into harvesting AI agent configurations, tokens, cryptographic keys, and personal context data stored on compromised machines.

Why OpenClaw Is Attractive to Threat Actors

OpenClaw (formerly known as ClawdBot and MoltBot) is a locally running AI agent framework designed to manage tasks, interact with local apps and services, and automate workflows based on persistent memory and configuration files stored on a user’s system. Because these local environments frequently contain authentication secrets such as API keys, gateway tokens, and session credentials, they present a lucrative target for commodity malware.

As adoption of these agentic assistants grows, attackers are increasingly motivated to pivot their tools toward capturing this high-value data.


First Known In-the-Wild OpenClaw Config Theft

Security intelligence firm Hudson Rock documented the first confirmed in-the-wild infostealer infection that exfiltrated an OpenClaw configuration environment from a victim machine. Rather than leveraging a bespoke OpenClaw exploit, the malware used existing broad file-collection routines to sweep for files and directories containing keywords such as “token” and “private key”. Because OpenClaw’s config files happened to contain these markers, they were swept up in the malware’s collection set.

Hudson Rock noted this incident represents a pivotal shift in infostealer targeting: from relatively static credential stores (e.g., browsers and crypto wallets) to dynamic identity artifacts of personal AI agents.


What Was Stolen — A Technical Breakdown

In this documented incident, several critical OpenClaw artifacts were exfiltrated:

openclaw.json

This core configuration file includes:

  • User workspace paths
  • User’s email address (redacted)
  • A high-entropy gateway authentication token

The gateway token effectively functions as a session credential. If the local OpenClaw gateway port is exposed, stolen tokens can allow remote connections or impersonation of the user in authenticated AI gateway requests.

device.json

This file contains:

  • The device’s public and private keys (publicKeyPem and privateKeyPem)

Private keys are particularly sensitive. With them, an attacker could:

  • Sign requests as the victim’s device
  • Bypass whitelisting or “safe device” checks
  • Access encrypted logs or paired services that trust the device’s identity credentials

Agent Memory and Persona Files

Files such as:

  • soul.md — Defines agent personality and operating behavior
  • AGENTS.md, MEMORY.md — Store context, activity history, private messages, calendar entries, and other personal artifacts

These elements constitute the AI agent’s operational context — effectively a mirror of a user’s digital identity, preferences, and behavioral patterns. Exfiltration of this data represents a deeper privacy and identity risk beyond simple credential theft.


Broader Implications for Security

This incident highlights how rapidly expanding AI assistant ecosystems can inadvertently create new attack surfaces for existing malware families. Traditional infostealers are designed to:

  • Exfiltrate credentials and keys
  • Scan for patterns and sensitive file names
  • Send identified data back to command-and-control infrastructure

But as developers integrate AI agents into workflows — with locally accessible tokens and memory stores — these agents’ artifacts now meet the criteria for infostealer collection routines.

Hudson Rock has previously warned that OpenClaw was primed to become a primary target for infostealers due to the sensitivity and accessibility of the data it retains. Their prediction appears to be materializing.


What This Means for Defenders

Attack Surface Expansion

AI agent frameworks with persistent local configuration files (especially those storing secrets in plain text or lightly encrypted formats) are now high-interest targets for automated malware.

Prevention and Detection

Organizations and individual users should take steps to:

  • Monitor non-standard directories for unauthorized access attempts
  • Restrict network exposure of agent gateway ports
  • Ensure API keys and tokens are managed through secure vaults where possible
  • Employ robust endpoint detection to flag unusual file system traversal and exfiltration behaviors
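
A defender can run the same kind of keyword sweep against their own agent directory to see what a generic collection routine would pick up. The script below is an added example, not code from OpenClaw or Hudson Rock: it flags JSON files readable beyond the owner, PEM private-key blocks, and high-entropy values under secret-like key names. The marker list, the thresholds, and the sample file layout are assumptions; only the file names and the publicKeyPem/privateKeyPem fields come from the report above.

```python
import json, math, os, stat, tempfile
from collections import Counter
from pathlib import Path

MARKERS = ("token", "privatekey", "private_key", "secret", "apikey", "api_key")  # assumed list

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def walk(node, path=""):
    """Yield (dotted_key_path, value) for every string inside parsed JSON."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, (dict, list)):
        pairs = node.items() if isinstance(node, dict) else enumerate(node)
        for k, v in pairs:
            yield from walk(v, f"{path}.{k}" if path else str(k))

def audit(root):
    """Yield (file, finding, detail) for loose file modes and plaintext secrets."""
    for f in sorted(Path(root).rglob("*.json")):
        mode = stat.S_IMODE(f.stat().st_mode)
        if os.name == "posix" and mode & 0o077:  # readable beyond the owner
            yield f.name, "mode", oct(mode)
        try:
            doc = json.loads(f.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to inspect
        for key, val in walk(doc):
            leaf = key.rsplit(".", 1)[-1].lower()
            if "-----BEGIN" in val and "PRIVATE KEY-----" in val:
                yield f.name, "pem-private-key", key
            elif any(m in leaf for m in MARKERS) and len(val) >= 20 and entropy(val) >= 3.5:
                yield f.name, "plaintext-secret", key

def demo():
    """Audit a constructed sample directory; layout and values are made up."""
    with tempfile.TemporaryDirectory() as d:
        cfg, dev = Path(d, "openclaw.json"), Path(d, "device.json")
        cfg.write_text(json.dumps({"workspace": "/home/user/agent", "gateway":
            {"auth": {"token": "EXAMPLE0123456789abcdefghijklmnop"}}}))
        dev.write_text(json.dumps({"publicKeyPem": "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED",
            "privateKeyPem": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED"}))
        os.chmod(cfg, 0o644)
        os.chmod(dev, 0o600)
        return list(audit(d))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point audit() at the directory where the agent keeps its configuration; each finding is a value that belongs in a vault or, at minimum, in an owner-only file.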

Looking Ahead

As AI assistants become more deeply embedded in productivity and professional tools, infostealer developers are expected to adapt their payloads with dedicated parsing modules targeting agent artifacts — much as they already do for popular browsers or messaging platforms.


Final Thoughts

The emergence of infostealers targeting AI agent environments underscores a growing reality: Artificial intelligence tooling expands convenience — but also broadens the threat landscape. Security teams should proactively evaluate how trusted local AI runtimes store and protect credentials, and treat these environments as part of the organization’s attack surface when developing defense strategies.