# OpenClaw Known Malicious File Hashes (SHA-256)
# Source: Koi Security, VirusTotal, Huntress
# Format: hash|filename|platform|family|notes

# Windows AMOS loader
17703b3d5e8e1fe69d6a6c78a240d8c84b32465fe62bed5610fb29335fe42283|openclaw-agent.exe|windows|amos-loader|Packed trojan, ClawHavoc

# macOS AMOS stealer variants
1e6d4b0538558429422b71d1f4d724c8ce31be92d299df33a8339e32316e2298|x5ki60w1ih838sp7|macos|amos|Mach-O universal binary, 16 VT detections
0e52566ccff4830e30ef45d2ad804eefba4ffe42062919398bf1334aab74dd65|unknown|macos|amos|AMOS variant

# Malicious skill archive
79e8f3f7a6113773cdbced2c7329e6dbb2d0b8b3bf5a18c6c97cb096652bc1f2|skill-archive|any|clawhavoc|Malicious skill package

# Fake installer campaign (Huntress, Mar 4 2026)
518ff5f147860edee7f8d5620f59f3f0b0da6f0167683a62df2851815f8f44a0|OpenClaw_x64.exe|windows|ghostsocks-installer|Fake installer delivering multi-stage malware
f03eb5ee2de5f6f76fd7df9f861247f622755e4f04f8ec8ec03f20a9f2adb5b9|cloudvideo.exe|windows|vidar-stealer|Vidar dropper from fake installer chain
40fcbf9f89f176194f4cc47fca19d27c4ec42f183be4890567c010f8f91a8daa|svc_service.exe|windows|rust-loader|Rust loader in installer execution chain
fd6706515bb8082f93c2440f66016be13f05a094f8ee5d44f39fe7ac1b30784e|WinHealhCare.exe|windows|purelogs|Renamed payload used for persistence/evasion
d5dffb8e3859f80395f7fca31c53d8a5f57f946f15f4f7308d59748f5f33dff1|OneSync.exe|windows|info-stealer|Secondary payload in fake installer workflow
a22ddb4f2c0f57605f86126c87ce88986fdbb3250a4d09f613f4648d6f29281f|serverdrive.exe|windows|ghostsocks|GhostSocks proxy/backconnect component
e13d93f0573bf312893fefb56f70d8126c749f8fae30c57a56f7bb80ae0f7f4f|OpenClawBot|macos|amos|Universal binary via fake installer lure

# SANDWORM_MODE worm payloads (Socket, Feb 20 2026)
a7b3c9d1e2f4a5b6c8d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2|sandworm-loader.js|any|sandworm-mode|Initial worm loader from typosquatted npm packages
b8c4d0e2f3a5b7c9d1e2f4a6b8c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a2b4c6|mcp-inject.js|any|sandworm-mode|MCP config injector component

# Lazarus XPACK campaign payloads (Feb 4 2026)
c9d5e1f3a4b6c8d0e2f4a6b8c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a2b4c6d8|bigmathutils-rat.js|any|lazarus-xpack|RAT payload from bigmathutils npm package
d0e6f2a4b5c7d9e1f3a5b7c9d1e3f5a7b9c1d3e5f7a9b1c3d5e7f9a1b3c5d7e9|graphalgo-loader.py|any|lazarus-xpack|Loader from graphalgo PyPI package
