A malware campaign is using fake GitHub repositories that impersonate OpenClaw developer tools to distribute a custom LuaJIT trojan to developers, gamers, and cryptocurrency users, according to research published by Netskope Threat Labs on March 25.
The campaign, tracked internally by Netskope as “TroyDen’s Lure Factory,” centers on a GitHub repository called AAAbiola/openclaw-docker that poses as a Docker deployment tool for the legitimate OpenClaw AI project. The repo features a polished README with installation instructions for Windows and Linux, a companion GitHub.io page, and contributions from real developers, including one with a 568-star repository, Cybersecurity News reported.
The operator inflated the repo’s credibility using throwaway accounts to add stars and forks, while topic tags like ai-agents, docker, openclaw, and LLM pushed it into developer search results. Netskope researchers believe the naming conventions used across the campaign’s lure directories, drawn from obscure biological taxonomy and archaic Latin, are machine-generated, pointing to AI-assisted malware production at scale.
How the Payload Works
The distinguishing technical feature of this campaign is a split-payload design built to defeat automated sandbox analysis. Each malicious ZIP package contains three files: a batch file called Launch.bat, a renamed LuaJIT runtime (unc.exe), and an obfuscated Lua script disguised as license.txt. Submitted individually to a scanner, each file appears benign: the runtime is an ordinary interpreter binary, and the script is inert without it. The threat activates only when the batch file runs both components together, according to Netskope's analysis.
Once running, the payload performs five anti-analysis checks: an attached debugger, low RAM, short system uptime, elevated privileges, and specific computer names associated with research environments. If any check suggests a sandbox, execution halts. If all checks pass, the report describes a Sleep() call of roughly 29,000 years firing before the real routine, long enough to outlast any timed analysis window. Note that a sleep of that length never completes on a real host either, so wherever the call is honored the observable behavior is a hang; only an environment that skips or shortens long sleeps, as many sandboxes do, would proceed past it, which is itself a signal the script can act on.
The Lua script is obfuscated with the Prometheus Obfuscator, which rewrites its control flow to frustrate static analysis. At runtime, four registry writes disable Windows proxy auto-detection, so outbound traffic no longer reaches a corporate proxy that is assigned through auto-configuration and skips the inspection layer there; an explicitly configured or transparent proxy is not affected by this step. The payload then captures a full desktop screenshot and geolocation data and uploads both to a command-and-control server in Frankfurt, Germany, via a hardcoded multipart POST request, per Cybersecurity News.
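The proxy-tampering step above is a good endpoint-detection hook. The following is an added example, not Netskope's or Cybersecurity News's code: a small detector that groups registry SetValue events by process and alerts when one process disables two or more proxy-discovery values within a minute. The report counts four writes but does not name them, so the watched value names (AutoDetect, AutoConfigURL, ProxyEnable, ProxyServer and the Connections\DefaultConnectionSettings blob under the per-user Internet Settings key) are an assumption based on the standard WinINET values; the event records are constructed, simplified Sysmon-Event-13-style dicts, not real telemetry.

```python
"""Flag a process that switches the per-user WinINET proxy-discovery values
off in quick succession (added example; events are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Per-user key that governs proxy discovery. The value names watched below are
# an assumption: the page does not list the four values the malware writes.
INTERNET_SETTINGS = r"\software\microsoft\windows\currentversion\internet settings"


def _dword(details: str):
    m = re.search(r"DWORD \(0x([0-9a-f]{8})\)", details, re.I)
    return int(m.group(1), 16) if m else None


def _blank(details: str) -> bool:
    return details.strip() in ("", "(Empty)")


# value name -> predicate on the written data meaning "discovery disabled"
WATCHED = {
    "autodetect": lambda d: _dword(d) == 0,        # WPAD auto-detect off
    "autoconfigurl": _blank,                        # PAC URL cleared
    "proxyenable": lambda d: _dword(d) == 0,       # explicit proxy off
    "proxyserver": _blank,                          # proxy address cleared
    "defaultconnectionsettings": lambda d: True,   # ...\Connections blob rewritten
}


def detect_proxy_tampering(events, window=timedelta(seconds=60), min_values=2):
    """events: dicts with keys time (ISO 8601), image, pid, target, details.
    Returns one alert per process that disabled >= min_values distinct
    watched values inside `window`."""
    hits = defaultdict(list)
    for ev in events:
        target = ev["target"].lower()
        if INTERNET_SETTINGS not in target:
            continue
        value = target.rsplit("\\", 1)[-1]
        check = WATCHED.get(value)
        if check is None or not check(ev["details"]):
            continue
        hits[(ev["pid"], ev["image"])].append((datetime.fromisoformat(ev["time"]), value))
    alerts = []
    for (pid, image), writes in hits.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            in_window = {v for t, v in writes[i:] if t - t0 <= window}
            if len(in_window) >= min_values:
                alerts.append({"pid": pid, "image": image, "first_seen": t0.isoformat(),
                               "values": sorted(in_window)})
                break
    return alerts


# Constructed sample: a renamed interpreter in Downloads clears four values in
# three seconds; explorer.exe turning auto-detect ON and a lone svchost write
# are included as benign noise.
_IS = r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
_UNC = r"C:\Users\dev\Downloads\openclaw-docker\unc.exe"


def _ev(time, image, pid, target, details):
    return {"time": time, "image": image, "pid": pid, "target": target, "details": details}


SAMPLE_EVENTS = [
    _ev("2026-03-25T10:00:00", _UNC, 4120, _IS + r"\AutoDetect", "DWORD (0x00000000)"),
    _ev("2026-03-25T10:00:01", _UNC, 4120, _IS + r"\AutoConfigURL", ""),
    _ev("2026-03-25T10:00:02", _UNC, 4120, _IS + r"\ProxyEnable", "DWORD (0x00000000)"),
    _ev("2026-03-25T10:00:03", _UNC, 4120, _IS + r"\Connections\DefaultConnectionSettings", "Binary Data"),
    _ev("2026-03-25T10:05:00", r"C:\Windows\explorer.exe", 900, _IS + r"\AutoDetect", "DWORD (0x00000001)"),
    _ev("2026-03-25T11:00:00", r"C:\Windows\System32\svchost.exe", 1200, _IS + r"\ProxyEnable", "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for a in detect_proxy_tampering(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} cleared {a['values']} at {a['first_seen']}")
```

The threshold of two values within a minute is deliberately low; a single ProxyEnable write is routine from settings dialogs and management agents, but a burst that also clears AutoDetect or rewrites the connection blob from a binary under a user-writable path is rarely legitimate. Tune the image allow-list and window to the environment.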
Scale: 300+ Packages Across Multiple Repos
The OpenClaw Docker impersonation is one node in a larger operation. Netskope identified over 300 confirmed delivery packages across multiple GitHub repositories, including gaming cheats, phone trackers, VPN crackers, and Roblox scripts, all connecting back to the same attacker infrastructure: eight confirmed IP addresses behind a single load-balanced backend, according to Netskope Threat Labs.
Researchers also connected the operator to a Telegram channel, @NumberLocationTrack, running under the name TroyDen since June 2025. That timeline suggests the campaign was active months before the GitHub repositories targeting OpenClaw appeared.
Third Attack Vector Targeting OpenClaw in March
This is the third distinct attack campaign exploiting OpenClaw’s brand in March 2026 alone. On March 19, scammers launched a crypto phishing campaign targeting developers who starred the OpenClaw repository with fake “$5,000 CLAW token” airdrops. Earlier in the month, Bitdefender found that approximately 20% of skills on ClawHub, OpenClaw’s official marketplace, contained malware.
Each campaign exploits a different layer: ClawHub targets the plugin ecosystem, the phishing campaign targets individual developers’ wallets, and TroyDen’s operation targets anyone searching GitHub for OpenClaw tooling. The common thread is that OpenClaw’s explosive growth has made it a high-value impersonation target, where brand recognition alone drives downloads.
Netskope recommends that anyone who downloaded packages from the affected repositories treat their machine as compromised. Security teams should flag any GitHub download pairing a renamed interpreter with an opaque data file as a high-priority triage case, and block outbound connections to the published C2 IP addresses at the firewall level.
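The triage rule in the last paragraph, together with the split-payload layout described under "How the Payload Works", can be checked mechanically before a download is ever run. The following is an added example, not Netskope's or the project's code: it opens an archive in memory, reads each batch launcher, and flags any line that runs a bundled PE member with a data-extension member (such as a .txt file) as its argument, then adds weight when that "text" file is not readable prose and when the PE carries interpreter version strings. The interpreter marker strings and the opaque-text thresholds are heuristic assumptions for this example, and both sample archives are constructed stand-ins, not real packages from the campaign.

```python
"""Triage a downloaded archive for the split-payload pattern: a launcher that
hands a data-looking file to a bundled interpreter (added example)."""
import io
import re
import zipfile
from dataclasses import dataclass, field

LAUNCHER_EXTS = {".bat", ".cmd"}
# Extensions a launcher should never pass to an executable as its input.
DATA_EXTS = {".txt", ".dat", ".log", ".md", ".json", ".ini", ".cfg"}
# Strings that betray the interpreter family inside a renamed PE.
# Heuristic assumption for this example, not a vetted signature set.
INTERPRETER_MARKERS = {b"LuaJIT": "LuaJIT", b"Lua 5.": "Lua",
                       b"python3": "Python", b"AutoIt": "AutoIt"}


@dataclass
class Finding:
    launcher: str
    interpreter: str
    family: str
    payload: str
    reasons: list = field(default_factory=list)


def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def _looks_opaque(data: bytes) -> bool:
    """A 'text' member that is not readable prose: mostly non-printable bytes,
    or huge lines stuffed with escape sequences, as obfuscated Lua tends to be."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(data) < 0.85:
        return True
    longest = max(len(line) for line in data.split(b"\n"))
    escapes = len(re.findall(rb"\\x[0-9a-fA-F]{2}|\\\d{1,3}", data))
    return longest > 500 or escapes > 20


def triage_zip(blob: bytes) -> list:
    """Return one Finding per launcher line that runs a PE member with a
    data-extension member as an argument."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        members = {info.filename: zf.read(info.filename)
                   for info in zf.infolist() if not info.is_dir()}
    by_base = {n.rsplit("/", 1)[-1].lower(): n for n in members}
    pe_members = {n for n, d in members.items() if d[:2] == b"MZ"}
    for name, data in members.items():
        if _ext(name) not in LAUNCHER_EXTS:
            continue
        for line in data.decode("utf-8", errors="replace").splitlines():
            tokens = [t.strip('"').lstrip("@") for t in line.split()]
            for i, tok in enumerate(tokens):
                exe = by_base.get(tok.lower())
                if exe not in pe_members:
                    continue
                for arg in (by_base.get(a.lower()) for a in tokens[i + 1:]):
                    if arg is None or _ext(arg) not in DATA_EXTS:
                        continue
                    family = next((f for m, f in INTERPRETER_MARKERS.items()
                                   if m in members[exe]), "unknown")
                    reasons = [f"{name} runs {exe} with {arg} as argument",
                               f"{arg} has a data extension but is fed to an executable"]
                    if _looks_opaque(members[arg]):
                        reasons.append(f"{arg} is not readable text")
                    if family != "unknown":
                        reasons.append(f"{exe} carries {family} interpreter strings")
                    findings.append(Finding(name, exe, family, arg, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the reported package layout (not a real sample)."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"LuaJIT 2.1.0-beta3\x00" + b"\x00" * 64
    hexed = "".join(f"\\x{b:02x}" for b in b"print('hi')") * 4
    script = f'return (loadstring or load)("{hexed}")()'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("openclaw-docker/Launch.bat", "@echo off\r\nunc.exe license.txt\r\n")
        zf.writestr("openclaw-docker/unc.exe", fake_pe)
        zf.writestr("openclaw-docker/license.txt", script)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control: a launcher that only calls docker, no bundled PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool/run.bat", "@echo off\r\ndocker compose up -d\r\n")
        zf.writestr("tool/README.txt", "Run run.bat to start the stack.\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"HIGH: {f.launcher} -> {f.interpreter} ({f.family}) + {f.payload}")
        for r in f.reasons:
            print("   -", r)
```

The rule keys on the relationship between members rather than on any single file, which is exactly what per-file scanning misses: the interpreter is a clean binary and the script is inert text until the launcher joins them. Run it over an archive before extraction, and treat a finding with a LuaJIT or other interpreter marker plus an unreadable "text" payload as the high-priority case the recommendation above describes.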