Cybercriminals exploited Moltbot’s reputation to distribute malware to an unknown number of unsuspecting users, although the attack was fortunately detected and neutralized quickly.
Moltbot is an open-source personal AI assistant that runs locally on a user’s computer or server instead of in the cloud. It allows users to interact with large language models (LLMs) and automate a wide range of tasks. However, because the software runs locally with deep access to the system, some security experts have urged caution, warning that misconfigurations could expose sensitive data and create opportunities for hacking attempts.
Originally known as Clawdbot, the project was recently renamed to avoid trademark disputes and has since become one of the most popular AI tools of its kind, with more than 93,000 stars on GitHub at the time of writing. Even so, its website is currently flagged as dangerous.
Cybercriminals impersonated Moltbot
Despite its rapid rise in the AI assistant space, Moltbot still did not have an official extension for Microsoft Visual Studio Code (VS Code).
Some cybercriminals took advantage of that gap by publishing an extension called “ClawBot Agent – AI Coding Assistant.” While the extension appeared to work as advertised, it secretly contained a fully operational trojan, according to security researchers at Aikido. The malware was delivered through a modified version of a legitimate remote desktop solution.
In reality, the attackers could likely have achieved similar results through typosquatting, but being the only apparent option available on the official extension marketplace clearly made their job easier.
A polished trap designed to look legitimate
What made the malware especially dangerous was the effort put into making it look legitimate. According to Aikido, it featured a professional-looking icon, a polished interface, and integration with seven different AI providers, including OpenAI, Anthropic, Google, Ollama, Groq, Mistral, and OpenRouter.
“The layering is impressive,” Aikido explained. “There is a fake AI assistant that installs legitimate remote access software configured to connect to the attackers’ infrastructure. On top of that, there is a backup loader written in Rust that downloads the same payload from Dropbox, disguising it as a Zoom update, all hidden inside a folder renamed to look like a screenshot application. Each layer adds more confusion for defenders trying to protect their systems.”
