Hackers have hijacked Moltbot’s reputation and used it to spread malware to countless unsuspecting users. Fortunately, the attack was quickly discovered and stopped.
Moltbot is an open-source AI personal assistant that runs locally on a user’s computer or server (as opposed to cloud-based alternatives) and lets users interact with large language models (LLMs) and automate various tasks. However, because it runs locally with deep system access, some security researchers have urged users to be careful, as configuration errors could leak sensitive data and invite hacking attempts.
Originally called Clawdbot, but recently renamed to avoid branding issues, Moltbot is one of the most popular AI tools with over 93,000 stars on GitHub at the time of this publication. However, the site is currently marked as “dangerous.”
Moltbot Phishing
Despite being a rising star in the world of AI assistants, Moltbot did not have a Microsoft Visual Studio Code (VSCode) extension.
Cybercriminals took advantage of this fact and launched one called “ClawBot Agent – AI Coding Assistant”. The extension worked as expected, but also contained a “fully functional Trojan horse,” Aikido security researchers explained. The Trojan was deployed via a weaponized instance of a legitimate remote desktop solution.
The cybercriminals could have achieved similar results by spoofing an existing extension, but the fact that theirs was the only one on the official extension marketplace definitely made their job easier.
The malware was also dangerous because of the effort put into making it look legitimate. “Professional icon, refined user interface, integration with seven different AI providers (OpenAI, Anthropic, Google, Ollama, Groq, Mistral, OpenRouter),” Aikido explained.
The attackers also went a step further by hiding their true intentions:
“The layers here are impressive. You have a fake AI assistant launching legitimate remote access software configured to connect to the attacker’s infrastructure, with a Rust-based backup loader pulling the same payload from Dropbox disguised as a Zoom update, all in a folder named after a screenshot app. Each layer creates confusion for defenders.”
On hacker news