Malicious OpenClaw Skills Used to Trick Users into Manual Password Entry for AMOS Infection

The popular data-theft malware Atomic macOS Stealer (AMOS) has drastically changed how it targets its victims. Threat actors now embed it in malicious OpenClaw skills, which are tiny add-on packages that increase the capabilities of AI agents on platforms like OpenClaw, rather than hiding inside cracked software downloads as they used to. AMOS functions as a malware-as-a-service (MaaS) tool designed to defraud Apple users of their private information.

Credentials, browser information, cryptocurrency wallet details, Telegram conversations, VPN profiles, Apple keychain items, and files from common folders like Desktop, Documents, and Downloads are just a few of the many types of information it gathers. Trend Micro analysts monitored the campaign across several repositories and discovered a new AMOS variant embedded in OpenClaw skills.

Over 2,200 malicious skills were eventually found on GitHub alone after threat actors uploaded 39 malicious skills to ClawHub, SkillsMP, and GitHub. This campaign introduces a new type of supply chain attack that targets AI agent workflows and clearly departs from previous AMOS delivery methods. The attack starts with a seemingly innocuous SKILL.md file.

It instructs the AI agent to install "OpenClawCLI," a phony prerequisite, from a malicious external website. GPT-4o continuously prompts the user to install the malicious "driver" by hand (Source: Trend Micro). A less careful model, such as GPT-4o, either silently installs the tool or keeps asking the user to manually install the fictitious "driver."

The skill is classified as malicious by Claude-4.5-Opus (Source: Trend Micro). More advanced models, such as Claude Opus 4.5, mark the skill as questionable and won't continue. A Base64-encoded command is fetched and executed if the user or AI agent presses forward, dropping a Mach-O universal binary that operates on both Intel-based and Apple Silicon Mac computers.

Users are asked for their password in a phony dialogue box (Source: Trend Micro). A phony password dialogue box appears when macOS rejects the unsigned file, deceiving the user into entering their system password and granting the malware the precise access it requires to continue. Within the Chain of Infection AMOS starts gathering data as soon as the password is entered.

It collects the machine's login credentials, Apple Notes, files from the Desktop, Downloads, and Documents folders (including those in the.pdf,.csv,.kdbx, and.docx formats), and Apple Keychain. The malware can access 150 cryptocurrency wallets and targets 19 browsers for stored cookies, passwords, and credit card information. On the impacted macOS system, the AMOS Stealer process is gaining access to private information (Source: Trend Micro).

Every piece of information gathered is compressed into a ZIP file and sent to a command-and-control (C&C) server located at socifiapp[.]com. Users are encouraged to test unvalidated skills in a separate environment, use containers to restrict AI agent execution, avoid entering system passwords prompted by unfamiliar tools, and confirm the source of any OpenClaw skill before executing it.

URL hxxps://openclawcli[.]vercel[. ]app/ Malicious skill delivery site IoCs Type Indicator Description IP address 91.92.242[. ]30 hxxp://91.92.242[.

]30/ece0f208u7uqhs6x Payload download server URL File Name: il24xgriequcys Payload download URL45 universal binary Mach-O (AMOS payload) Trojan is the detection name for the C2 Server socifiapp[. ]com command-and-control exfiltration endpoint.To receive more immediate updates, add ZeroOwl as a preferred source in Google and search for MacOS.Amos AMOS malware detection names, LinkedIn, and X.