Searching for “OpenClaw Windows” on Bing? In early February, that query could have installed malware on your machine — recommended by AI.

Researchers at Huntress discovered a campaign running from February 2–10, 2026, where fake OpenClaw installers hosted on GitHub were promoted as the top result in Bing’s AI-powered search. Users who trusted the AI recommendation downloaded information stealers instead of the AI agent framework they wanted.

This isn’t a hypothetical threat model. It’s what happens when AI search engines recommend unvetted software repositories.

What Huntress Found

On February 9, a user downloaded and ran what they believed was a legitimate OpenClaw installer after Bing AI surfaced a GitHub repository called “openclaw-installer” as the top result. Huntress analyzed the payload and found a sophisticated multi-stage attack:

The bait: A 7-Zip archive containing OpenClaw_x64.exe — code largely copied from Cloudflare’s moltworker project to appear legitimate. The GitHub account used a stolen profile image from a popular X (Twitter) account for credibility.

The payloads:

  • Vidar stealer (disguised as cloudvideo.exe): Targets Telegram and Steam credentials, dynamically fetches command-and-control servers to evade takedowns
  • GhostSocks proxy: Establishes TLS connections to two helper addresses, routes attacker traffic through the victim’s machine, modifies firewall rules to maintain persistence

The packer: A previously undocumented “stealth packer” with capabilities including in-memory execution, hidden scheduled task creation, firewall modification, anti-VM checks (mouse movement detection), and debugging evasion.

Why This Attack Worked

Three factors made this campaign effective:

1. AI Search as an Attack Amplifier

Traditional SEO poisoning requires gaming page rank algorithms. With AI-powered search, attackers only need to create a convincing-enough GitHub repository — the AI does the recommendation work. Bing’s AI confidently pointed users to a malicious repo as if it were the official source.

This is a new category of supply chain risk: AI search poisoning. The attack surface isn’t the software itself — it’s the discovery mechanism.

2. OpenClaw’s Rapid Growth

OpenClaw hit 100K GitHub stars in its first week and changed names twice (Clawdbot → Moltbot → OpenClaw). This created confusion about where to find official downloads. Attackers exploited this window of uncertainty — new users searching for installation instructions found malicious results alongside legitimate ones.

3. GitHub as Trusted Infrastructure

Hosting malware on GitHub exploits the platform’s implicit trust. Users (and AI systems) treat GitHub repositories as more credible than random download sites. The attackers created multiple duplicate repositories across different accounts, ensuring takedowns of individual repos didn’t kill the campaign.

This incident sits at the intersection of two trends:

AI search engines don’t verify software authenticity. When Bing AI recommends a GitHub repo, it’s pattern-matching on relevance, not validating that the binary is safe. There’s no code signing check, no hash verification, no community trust score in the recommendation pipeline.

Open-source popularity creates attack windows. Every viral open-source project faces this: the gap between explosive growth and established distribution channels. Package managers, official websites, and verified downloads take time to set up. Attackers fill that gap.

We’ve seen similar patterns with other popular tools — fake VS Code extensions, malicious npm packages, poisoned Homebrew formulae. But AI search amplification is new, and it’s particularly dangerous because users explicitly trust the AI’s judgment.

How to Protect Yourself

Verify Your OpenClaw Installation

If you installed OpenClaw on Windows between February 2–10, check for these indicators:

  • Binary named OpenClaw_x64.exe from a 7-Zip archive (legitimate OpenClaw doesn’t distribute this way)
  • Unexpected cloudvideo.exe processes
  • New firewall rules you didn’t create
  • Suspicious scheduled tasks

If you find any of these, assume compromise: rotate all credentials, check for unauthorized access, and reinstall from a known-good source.

Always Download from Official Sources

The official OpenClaw repository is at github.com/openclaw/openclaw. Install via:

# npm (official method)
npm install -g openclaw

# Or clone the verified repo
git clone https://github.com/openclaw/openclaw.git

Never download pre-built binaries from unverified GitHub accounts, even if an AI search engine recommends them.

Don’t Trust AI Search for Software Downloads

This is the uncomfortable lesson: AI search engines are not package managers. They optimize for relevance, not safety. When downloading any software:

  1. Go directly to the project’s official website or GitHub organization
  2. Verify the repository owner matches the known maintainer
  3. Check commit history, star count relative to account age, and contributor profiles
  4. Use package managers (npm, pip, brew) over manual binary downloads

Monitor for Copycat Campaigns

Huntress identified three additional accounts distributing similar payloads before GitHub took them down. Expect copycats for any popular open-source tool — the attack template is now public.

What This Means for OpenClaw Users

This campaign didn’t exploit any vulnerability in OpenClaw itself. The software is safe when obtained from official sources. But it highlights a meta-risk that every OpenClaw user should understand: the tools around your AI agent matter as much as the agent itself.

Your threat model isn’t just “can someone hack my OpenClaw instance?” It starts earlier: “did I install the real OpenClaw in the first place?”

Combined with the ClawHavoc supply chain attacks, the ClawJacked vulnerability, and the 30,000+ exposed instances found on Shodan, February 2026 made one thing clear: OpenClaw’s security story is still being written. The project is moving fast on patches and hardening, but users need to meet it halfway.

Trust official sources. Verify before you install. And never let an AI search engine be your package manager. For the official installation path, follow our 10-minute setup guide.