MALICIOUS (1) campaign cataloged at 2026-05-20(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-05-openclaw-agent

The package is intended to create a backdoor and steal sensitive data, but the analyzed code did not finally exfiltrate the content of sensitive files.

Abuse categories

backdoor

Campaign uses backdoor.

crypto-related

Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.

exfiltration_generic

Campaign uses exfiltration_generic.

impersonation

Campaign uses impersonation.

override_install

The package overrides the install command in setup.py to execute malicious code during installation.

peristence_autorun

Campaign uses peristence_autorun.

persistence

Campaign uses persistence.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxp://91.92.242.30/steal

• 91.92.242.30

Packages in the campaign

campaign:2026-05-openclaw-agent

• openclaw-agent