According to cybersecurity researchers, users who searched for “OpenClaw Windows” on Bing were shown a GitHub repository link within AI-generated search suggestions. The repository appeared genuine but was actually malicious. Anyone who downloaded and ran the installer unknowingly infected their computer with multiple types of malware. Investigations revealed that the fake repository remained active on GitHub from February 2 to February 10, during which several users downloaded the installer believing it to be legitimate. The issue surfaced after researchers noticed suspicious activity linked to the installer and began examining the files shared through the repository.
Experts said the scam worked mainly for two reasons. First, the malware was hosted on GitHub, a widely trusted platform for open-source projects. Because the real OpenClaw project already has thousands of forks on GitHub, users were inclined to assume that a repository hosting the installer was authentic. The second factor was the credibility lent by Bing’s AI search results: by uploading the malicious repository and manipulating its search visibility, the attackers got the fake download link pushed as the top suggestion for the query “OpenClaw Windows,” leading many to believe it was the official download source.
Security researchers identified the threat on February 9 after a user downloaded and executed the installer. Further analysis showed that, once run, the file triggered the installation of multiple data-stealing programs. Much of the visible code in the repository was copied from a legitimate open-source project, which helped it appear authentic. However, a hidden executable named OpenClaw_x64.exe was placed inside a compressed 7-Zip archive in the “releases” section. Once executed, it deployed several malicious components, including Vidar Stealer, which can steal credentials and account data from services such as Telegram and Steam, along with other stored information. A second component, GhostSocks, turned infected systems into residential proxy nodes, allowing criminals to route malicious traffic, hide their location, and access stolen accounts without triggering fraud detection systems.
Researchers also found that attackers used a previously unseen tool called Stealth Packer to hide the malware and avoid detection. This tool performed several stealth actions on infected systems, including creating hidden scheduled tasks, modifying firewall rules, and checking whether the malware was running inside a virtual machine before activating the payload. After the incident was reported, GitHub removed the malicious repository and related accounts. However, researchers warned that multiple similar accounts and organisations had been created to distribute comparable malware, indicating the campaign could be larger than initially believed. Cybersecurity experts said the incident highlights how quickly attackers exploit trending technologies. They advise users to download software only from official sources, verify repository authenticity, run new AI tools in isolated environments, restrict access to sensitive data, and avoid granting high-level system permissions to reduce the risk of malware infections.
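The two host-side behaviours the article attributes to Stealth Packer, hidden scheduled tasks and altered firewall rules, leave artefacts a defender can audit. The script below is an added example written for this page, not code from the article, the researchers it cites, or the OpenClaw project. It assumes an elevated PowerShell session on Windows 10/11 with the built-in ScheduledTasks and NetSecurity modules, relies on firewall operational-log event 2004 (rule added), and uses a list of user-writable directories chosen here as a heuristic rather than any indicator published with the campaign.

```powershell
# Added example (not from the article or the researchers it cites): audit a
# Windows host for the two persistence/evasion signals the article attributes
# to Stealth Packer -- hidden scheduled tasks and new or suspicious firewall rules.
# Assumptions: run elevated on Windows 10/11 with the ScheduledTasks and
# NetSecurity modules; the directory list below is a heuristic chosen here,
# not an indicator published with the campaign.

# User-writable locations from which droppers commonly launch payloads (heuristic).
$SuspiciousRoots = @(
    [regex]::Escape($env:LOCALAPPDATA),
    [regex]::Escape($env:APPDATA),
    [regex]::Escape($env:TEMP),
    [regex]::Escape($env:ProgramData)
)
$SuspiciousPattern = '^(' + ($SuspiciousRoots -join '|') + ')'

function Get-HiddenScheduledTask {
    # Tasks flagged Hidden in their settings, or whose action runs a binary
    # from a user-writable directory. Both are worth a second look.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
            $hidden       = [bool]$task.Settings.Hidden
            $userWritable = $exe -match $SuspiciousPattern
            if ($hidden -or $userWritable) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    TaskPath     = $task.TaskPath
                    TaskName     = $task.TaskName
                    Hidden       = $hidden
                    UserWritable = $userWritable
                    RunAs        = $task.Principal.UserId
                    Execute      = $exe
                    Arguments    = $action.Arguments
                    LastRunTime  = $info.LastRunTime
                }
            }
        }
    }
}

function Get-SuspiciousFirewallRule {
    # Enabled allow rules whose bound program lives in a user-writable directory.
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $rule    = $_
        $filter  = $rule | Get-NetFirewallApplicationFilter
        $program = [Environment]::ExpandEnvironmentVariables($filter.Program)
        if ($program -and $program -ne 'Any' -and $program -match $SuspiciousPattern) {
            [pscustomobject]@{
                DisplayName = $rule.DisplayName
                Direction   = $rule.Direction
                Profile     = $rule.Profile
                Program     = $program
            }
        }
    }
}

function Get-RecentFirewallRuleAdd {
    param([int]$Days = 14)
    # Event 2004 in the firewall operational log records a rule being added,
    # even when Security-log rule auditing (event 4946) is not enabled.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: review each listing against what you know is installed on the host.
Get-HiddenScheduledTask    | Format-Table -AutoSize
Get-SuspiciousFirewallRule | Format-Table -AutoSize
Get-RecentFirewallRuleAdd  | Format-Table -AutoSize
```

Legitimate software also registers tasks and firewall rules, so the output is a triage list rather than a verdict: compare each hit against known installs, and treat a task that is both hidden and executing from a user-writable path as the strongest signal. The firewall-event query only returns results if the rule was added while the host was logging; clearing that log is itself a signal to watch for.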