New "Hologram" Infostealer Campaign Targets Crypto Wallets and Password Managers via Fake OpenClaw Installer
A sophisticated infostealer campaign, dubbed "Hologram," has been active since at least February 2026, targeting sensitive data stored in 250+ browser extensions tied to crypto wallets and password managers. The malware spreads via a fake installer for OpenClaw, a legitimate open-source AI assistant, hosted on a convincing typosquat domain (openclaw-installer[.]com), registered on March 9, 2026.
How the Attack Works
Initial Infection
- Victims download OpenClaw_x64[.]7z, a 130MB Rust-based executable padded with fake documentation to evade antivirus scans and bypass sandbox upload limits.
- The dropper, named "Hologram" in its manifest, performs anti-analysis checks, including:
  - Scanning for virtual machine BIOS strings and suspicious software libraries.
  - Waiting for real mouse movement (automated sandboxes don't trigger this).
- If the checks pass, it disables Windows Defender, opens firewall ports, and downloads six modular components from an attacker-controlled Azure DevOps repository.
Credential Theft & Persistence
- The malware fetches a dynamic targeting list (hosted on Azure DevOps) covering:
  - 201 crypto wallets (MetaMask, Phantom, Coinbase, Ledger Live, etc.).
  - 49 password managers/authenticators (Bitwarden, LastPass, 1Password, Google Authenticator, etc.).
- The list is remotely updatable, allowing attackers to expand targets without recompiling the malware.
- Persistence mechanisms include:
  - Registry autoruns.
  - Windows logon hijacking.
  - Scheduled tasks.
  - Telegram-based droppers that survive even if the main implant is removed.
Evasive Infrastructure
- Command-and-control (C2) servers are never hardcoded; instead, the malware retrieves them from Telegram channel descriptions, allowing rapid rotation if domains are blocked.
- Victim data (usernames, IPs, timestamps) is routed through Hookdeck, a legitimate webhook relay service, obscuring the attacker’s backend.
- Researchers observed infrastructure rotation during analysis, with domains and IPs changing before findings were published.
Key Indicators of Compromise (IoCs)
- File names: Multiple Rust-based droppers (e.g., OpenClaw_x64[.]exe, svc_service[.]exe) and secondary payloads (e.g., onedrive_sync[.]exe, WinHealhCare[.]exe).
- Domains:
  - openclaw-installer[.]com (delivery).
  - hkdk.events (C2 relay via Hookdeck).
  - dev.azure.com/sagonbretzpr (payload staging).
  - Hijacked Brazilian law firm domain (frr.rubensbruno.adv.br) and others.
- IPs: 193.202.84.14, 45.55.35.48, 188.114.97.3 (C2 beacons).
- Registry Keys & Paths:
  - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (logon hijack).
  - C:\Users\Public\ (stage-2 binary drop location).
  - %APPDATA%\Ledger Live (targeted for wallet theft).
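As an added defender-side example (not code from the report or from Netskope), the following Python audits host and network telemetry for the persistence and network indicators listed above: it flags any executable appended to the Winlogon Userinit value, executables started from C:\Users\Public, and log lines naming the listed domains or IPs. The registry value, process paths and log lines are constructed samples; hkdk.events is deliberately left out of the match set because the report describes it as a legitimate Hookdeck relay that other software may also use.

```python
import re

# Stock Winlogon Userinit value (lower-cased for comparison); the trailing comma
# is normal. Anything appended after it runs at every logon: the hijack in the report.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Indicators copied from the IoC section of this report, with "[.]" defanging removed.
# hkdk.events is omitted on purpose: the report says it is a legitimate Hookdeck relay.
IOC_DOMAINS = {"openclaw-installer.com", "frr.rubensbruno.adv.br"}
IOC_IPS = {"193.202.84.14", "45.55.35.48", "188.114.97.3"}
IOC_FILENAMES = {"openclaw_x64.exe", "svc_service.exe", "onedrive_sync.exe", "winhealhcare.exe"}
STAGE2_DIR = "c:\\users\\public\\"   # stage-2 drop location named in the report

def check_userinit(value: str) -> list[str]:
    """Return every executable in a Userinit value other than the stock one."""
    entries = [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if e != EXPECTED_USERINIT]

def check_process(image_path: str) -> list[str]:
    """Flag known payload file names and any executable started from C:\\Users\\Public."""
    p = image_path.lower()
    findings = []
    if p.rsplit("\\", 1)[-1] in IOC_FILENAMES:
        findings.append("known Hologram payload name: " + image_path)
    if p.startswith(STAGE2_DIR):
        findings.append("executable run from stage-2 drop location: " + image_path)
    return findings

def check_network_line(line: str) -> list[str]:
    """Flag IoC domains or IPs appearing as whole tokens in a DNS/proxy/firewall log line."""
    tokens = set(re.findall(r"[A-Za-z0-9.\-]+", line))
    hits = [t for t in tokens if t.lower() in IOC_DOMAINS or t in IOC_IPS]
    return ["IoC contact: " + t for t in sorted(hits)]

# Constructed sample telemetry for the demo; not data from a real host.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Users\Public\svc_service.exe,"
SAMPLE_PROCESSES = [r"C:\Users\Public\onedrive_sync.exe", r"C:\Program Files\Git\cmd\git.exe"]
SAMPLE_NETLOG = [
    "2026-03-10T14:02:11Z dns query A openclaw-installer.com from 10.0.0.7",
    "2026-03-10T14:02:40Z fw allow tcp 10.0.0.7:51233 -> 193.202.84.14:443",
    "2026-03-10T14:03:05Z dns query A example.org from 10.0.0.9",
]

def run_audit() -> dict[str, list[str]]:
    """Apply the three checks to the constructed samples and return all findings."""
    return {
        "userinit": check_userinit(SAMPLE_USERINIT),
        "process": [f for p in SAMPLE_PROCESSES for f in check_process(p)],
        "network": [f for line in SAMPLE_NETLOG for f in check_network_line(line)],
    }

if __name__ == "__main__":
    for category, findings in run_audit().items():
        print(category, findings if findings else "clean")
```

On a live host the Userinit value would come from the registry key listed above and the process and network lines from EDR or firewall exports; the checks themselves are unchanged.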
Why This Campaign Stands Out
- Advanced Evasion: Uses Rust-based malware, in-memory .NET assembly loading (via clroxide), and Telegram for C2 rotation.
- Dynamic Targeting: The remote Git repository allows attackers to silently expand their target list without detection.
- Persistence: Multiple layers of registry, scheduled tasks, and Telegram-based backdoors ensure long-term access.
Researchers at Netskope Threat Labs identified this as a second, more advanced iteration of the campaign, following an earlier variant. The attack highlights the growing sophistication of infostealers, particularly in crypto and credential theft.
Source: https://cybersecuritynews.com/hackers-use-fake-openclaw-installer/
MetaMask cybersecurity rating report: https://www.rankiteo.com/company/metamask
Ledger cybersecurity rating report: https://www.rankiteo.com/company/ledgerhq
1Password cybersecurity rating report: https://www.rankiteo.com/company/1password
Coinbase cybersecurity rating report: https://www.rankiteo.com/company/coinbase
OpenClaw cybersecurity rating report: https://www.rankiteo.com/company/openclaw
{
  "id": "METLED1PACOIOPE1778262200",
  "linkid": "metamask, ledgerhq, 1password, coinbase, openclaw",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "industry": "Cryptocurrency, Finance, Technology",
      "location": "Global",
      "type": "Individuals and organizations using crypto wallets/password managers"
    }
  ],
  "attack_vector": "Malicious installer (typosquat domain)",
  "data_breach": {
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Crypto wallet credentials",
      "Password manager data",
      "Personally identifiable information"
    ]
  },
  "date_detected": "2026-02-01",
  "description": "A sophisticated infostealer campaign, dubbed 'Hologram,' has been active since at least February 2026, targeting sensitive data stored in 250+ browser extensions tied to crypto wallets and password managers. The malware spreads via a fake installer for OpenClaw, a legitimate open-source AI assistant, hosted on a convincing typosquat domain (openclaw-installer[.]com). The attack involves a Rust-based executable with anti-analysis checks, dynamic targeting of crypto wallets and password managers, and evasive infrastructure using Telegram and Azure DevOps for command-and-control.",
  "impact": {
    "data_compromised": "Crypto wallet credentials, password manager data, personally identifiable information",
    "identity_theft_risk": "High",
    "operational_impact": "Potential unauthorized access to financial and personal accounts",
    "payment_information_risk": "High (crypto wallets)",
    "systems_affected": "Windows systems with targeted browser extensions"
  },
  "initial_access_broker": {
    "backdoors_established": ["Registry autoruns", "Scheduled tasks", "Telegram-based droppers"],
    "entry_point": "Fake OpenClaw installer (typosquat domain)",
    "high_value_targets": ["Crypto wallets", "Password managers"]
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "The campaign highlights the growing sophistication of infostealers, particularly in crypto and credential theft, and the use of evasive techniques like Rust-based malware, dynamic targeting, and Telegram-based C2 rotation.",
  "motivation": "Financial gain (crypto theft, credential harvesting)",
  "post_incident_analysis": {
    "corrective_actions": [
      "Block known malicious domains and IPs at the network level.",
      "Educate users on identifying typosquat domains and verifying software sources.",
      "Deploy advanced threat detection for evasive malware techniques."
    ],
    "root_causes": [
      "Use of fake installer from typosquat domain",
      "Lack of user awareness about malicious downloads",
      "Insufficient endpoint protection against Rust-based malware"
    ]
  },
  "recommendations": [
    "Avoid downloading software from untrusted sources or typosquat domains.",
    "Monitor for suspicious registry modifications and scheduled tasks.",
    "Use endpoint detection and response (EDR) solutions to detect anti-analysis behaviors.",
    "Regularly update and audit browser extensions for crypto wallets and password managers.",
    "Implement multi-factor authentication (MFA) for critical accounts."
  ],
  "references": [{"source": "Netskope Threat Labs"}],
  "response": {"third_party_assistance": "Netskope Threat Labs"},
  "title": "Hologram Infostealer Campaign Targets Crypto Wallets and Password Managers via Fake OpenClaw Installer",
  "type": "Infostealer"
}