ClawJacked Vulnerability in OpenClaw AI Framework Exploited to Deploy Remcos RAT

Introduction

In early May 2026, cybersecurity researchers uncovered a critical vulnerability in the OpenClaw AI framework, dubbed "ClawJacked." This flaw has been actively exploited by threat actors to deploy malicious payloads, notably the Remcos Remote Access Trojan (RAT) and GhostLoader malware. The exploitation of ClawJacked underscores the growing risks associated with AI agent frameworks and the necessity for robust security measures in their deployment.

Understanding the ClawJacked Vulnerability

OpenClaw is an open-source framework designed for autonomous AI agents capable of executing complex tasks that require high-privilege local system access. Its modular architecture allows for the integration of various "skills" to enhance functionality. However, this flexibility has also introduced significant security vulnerabilities.

The ClawJacked vulnerability arises from OpenClaw's default configuration, which binds its gateway service to the localhost and exposes a WebSocket interface. This setup inadvertently allows any website visited by a user to establish a WebSocket connection to the local OpenClaw instance without triggering security warnings. Consequently, malicious websites can silently hijack locally running AI agents, granting attackers full control over the agent and its connected integrations.

Oasis Security, the firm that discovered ClawJacked, reported that the vulnerability was patched in OpenClaw version 2026.2.26, released on February 26, 2026. Despite this, the window of exposure before the patch allowed threat actors to exploit the flaw actively.

Exploitation of ClawJacked to Deploy Remcos RAT and GhostLoader

In March 2026, Zscaler ThreatLabz identified a campaign leveraging the ClawJacked vulnerability to distribute the Remcos RAT and GhostLoader malware. The attackers published a deceptive "DeepSeek-Claw" skill for the OpenClaw framework, embedding installation instructions designed to trick AI agents or unsuspecting developers into executing hidden malicious payloads under the guise of legitimate installation and configuration steps.

Remcos RAT is a powerful remote access tool that allows attackers to gain full control over infected systems, enabling activities such as data exfiltration, keystroke logging, and remote command execution. GhostLoader serves as a loader for additional malware, facilitating the deployment of various malicious payloads on compromised systems.

The exploitation process involved the following steps:

• A malicious website containing JavaScript code initiates a WebSocket connection to the local OpenClaw instance.
• The website sends crafted requests to the OpenClaw gateway, exploiting the ClawJacked vulnerability to gain control over the AI agent.
• Once control is established, the attacker deploys the Remcos RAT and GhostLoader malware onto the victim's system.

This attack vector is particularly insidious because it requires minimal user interaction and can be executed silently in the background while the user browses seemingly benign websites.

Technical Analysis of the Attack

The ClawJacked vulnerability exploits a fundamental trust assumption in OpenClaw's design: the relaxation of security mechanisms for localhost connections. The attack chain operates as follows:

1. WebSocket Connection: A malicious webpage opens a WebSocket connection to the OpenClaw gateway service running on localhost.
2. Authentication Bypass: Due to the lack of proper authentication mechanisms for localhost connections, the attacker can interact with the OpenClaw instance without triggering security alerts.
3. Command Execution: The attacker sends commands to the AI agent, instructing it to download and execute malicious payloads such as Remcos RAT and GhostLoader.

This method effectively bypasses traditional security controls, as the malicious activity originates from a trusted local source, making detection and prevention more challenging.

Impact and Implications

The exploitation of ClawJacked has significant implications for both individual users and organizations:

• System Compromise: Successful exploitation grants attackers full control over the affected system, leading to potential data theft, surveillance, and further malware deployment.
• Supply Chain Risks: The use of deceptive skills within the OpenClaw framework highlights the risks associated with third-party integrations and the importance of vetting and monitoring such components.
• AI Security Concerns: This incident underscores the need for robust security measures in AI agent frameworks, particularly those with high-privilege access and integration capabilities.

Organizations utilizing AI frameworks like OpenClaw must recognize the potential for such vulnerabilities and implement comprehensive security strategies to mitigate these risks.

Mitigation and Remediation Strategies

To protect against the ClawJacked vulnerability and similar threats, the following measures are recommended:

• Update OpenClaw: Ensure that all instances of OpenClaw are updated to version 2026.2.26 or later, which includes patches for the ClawJacked vulnerability.
• Restrict WebSocket Connections: Configure OpenClaw to require authentication for WebSocket connections, even from localhost, to prevent unauthorized access.
• Monitor Network Activity: Implement network monitoring to detect unusual WebSocket connections and other indicators of compromise.
• Educate Users: Train users to recognize and avoid suspicious websites that may attempt to exploit such vulnerabilities.
• Review Third-Party Skills: Carefully vet and monitor third-party skills and integrations within AI frameworks to ensure they do not introduce security risks.

By adopting these strategies, organizations can enhance their security posture and reduce the likelihood of successful exploitation of vulnerabilities like ClawJacked.

Conclusion

The ClawJacked vulnerability in the OpenClaw AI framework serves as a stark reminder of the evolving threat landscape associated with AI technologies. The active exploitation of this flaw to deploy Remcos RAT and GhostLoader malware highlights the critical need for proactive security measures, timely patching, and vigilant monitoring of AI systems. As AI continues to integrate into various aspects of technology and business, ensuring the security of these systems must remain a top priority.

For further reading and detailed technical analyses, refer to the following sources:

• BleepingComputer: ClawJacked attack let malicious websites hijack OpenClaw to steal data
• Security Boulevard: Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
• DEV Community: ClawJacked: How Malicious Websites Hijack Local AI Agents via WebSocket