Update: ClawHub Malicious Skills Shift From Embedded Payloads to Off-Platform Lures
Threat actors behind an ongoing ClawHub malicious-skills campaign have changed tactics to evade newer registry defenses. Instead of hiding encoded malware inside SKILL[.]md files, they now keep the skill pages clean and use them as convincing bait that pushes users to install a fake prerequisite tool called “OpenClawCLI.” OpenSourceMalware linked this wave to more than 40 trojanized skills tied to two ClawHub accounts, with at least 37 published quickly from one account and three more from a second account. The skills were positioned as helpful integrations and productivity tools, which increases the likelihood they will be trusted during normal browsing. The key trick is a short “must install first” prompt and a download link to an attacker-controlled site, meaning the harmful code never appears in the registry itself. This weakens registry-based scanning because the skill content appears harmless, while the real risk comes from outside ClawHub. This shift also highlights a broader governance gap: integrity checks can confirm that a skill file is clean, but they cannot verify what a third-party link delivers or how it changes over time. In this campaign, the installation instructions point to an obfuscated command that ultimately retrieves malware from external infrastructure, and community reporting also found additional lookalike domains used to reinforce the deception. There is also a persistence problem, since even after skills are removed from the live registry, they may remain available through the ClawHub GitHub backup, continuing to expose anyone who clones or browses that repository. As of February 9, 2026, Vercel worked with OpenSourceMalware to take down the primary malicious site referenced in the skills, but the underlying approach can be quickly repeated with new domains and accounts. Recommendations should focus on reducing exposure to off-platform installers by blocking known malicious domains and the referenced IP at network controls, enforcing allowlisting for developer tool installations, and requiring security review for any skill that directs users to install prerequisites from external websites. In parallel, set clear guidance for teams to use only official distribution channels for tooling, treat unexpected prerequisite downloads as a security incident until proven otherwise, and report suspicious skills immediately to both the platform maintainers and internal security.
DKnife Edge-Device Hijacking Toolkit Enables Stealthy Espionage Delivery
A toolkit named DKnife has reportedly been active since 2019 and is designed to sit on network gateway devices to intercept, observe, and alter internet traffic before it reaches user devices. Cisco Talos describes it as a Linux-based framework built to monitor traffic in real time and enable real-time traffic interception, supporting credential theft and malware delivery. Rather than attacking one laptop or phone at a time, it targets the network choke point, giving the operator visibility into multiple endpoints across computers, mobile devices, and connected systems. The tooling shows Simplified Chinese artifacts in its code and focuses on Chinese online services and WeChat user activity, which Cisco Talos says supports a high-confidence assessment of a China-nexus operator. Researchers could not confirm how the gateway devices were originally compromised, but they did observe DKnife delivering and coordinating with backdoors associated with China-linked activity. This approach is dangerous because it turns routine network connections into an opportunity to quietly redirect downloads, capture sensitive data, and stage follow-on access. DKnife is organized into seven components that work together to inspect packets, relay instructions to command servers, proxy encrypted connections, create a virtual network interface on the router to route attacker-controlled traffic through the local network, and push malware updates to targets. In practice, this enables DNS redirection, replacement of legitimate app updates with malicious ones, tampering with Windows downloads, and credential harvesting by decrypting email login traffic. Beyond malware delivery, the framework can monitor user behavior across messaging, mapping, news, calling, ride-hailing, and shopping, and it tracks WeChat in deeper detail across messages, calls, media, and content consumption. Activity is routed internally between modules and then exfiltrated to remote command servers via web requests, enabling near-real-time reporting as traffic passes through the gateway. Recommendations should focus on strengthening gateway and edge-device security by enforcing timely firmware updates, locking down remote management, rotating default or reused credentials, adding monitoring for unusual DNS and update behavior, and rapidly operationalizing Cisco Talos indicators to hunt for compromise while verifying that software updates come only from trusted, validated sources.
ScarCruft Revamps ROKRAT Delivery Using Document-Embedded Droppers and Cloud Abuse
The North Korean-backed APT group ScarCruft has changed its playbook by replacing its older, predictable shortcut-file chain with a more covert document-based approach. Instead of using LNK files that dropped scripts to launch the payload, the group is now embedding droppers and loaders inside OLE objects within Hangul Word Processor (HWP) documents. This shift reduces obvious on-disk artifacts and increases reliance on memory execution and trusted applications, which makes traditional antivirus detection less effective. The campaign also demonstrates growing operational maturity by using legitimate cloud platforms, including pCloud and Yandex, for command-and-control traffic that can blend into normal business activity. Researchers observed three variations of the new chain, but they all converge on the same outcome: running the ROKRAT malware directly in memory. Overall, the change signals a move toward quieter initial access and more resilient communications once a target is compromised. Across the three variants, ScarCruft alternates between different loaders while keeping consistent internal fingerprints that tie activity back to the same operator. One version side-loads a malicious DLL disguised as mpr.dll through a legitimate application after checking the environment, while another uses a lightweight downloader masquerading as credui.dll to pull hidden shellcode from a Dropbox link before execution. A third variant, tied to version.dll, restores its payload with a simple XOR step and executes immediately in memory, leaving minimal traces on disk. The delivered payload remains ROKRAT, a long-running remote-access and data-theft tool used by ScarCruft since 2017 that supports file theft, keystroke capture, and screenshot collection. Even with new delivery methods, the tooling still exhibits consistent traits, including a recurring API hashing approach and the continued use of valid cloud API tokens to make the movement of stolen data appear routine. Recommendations should prioritize reducing document-driven execution paths by treating unsolicited HWP files as high risk, blocking or tightly controlling embedded OLE objects, alerting on documents requesting external object execution, strengthening email and endpoint detection for in-memory behavior, and monitoring unusual pCloud and Yandex activity tied to non-business tokens or atypical access patterns.
