LuaJIT trojan

Each malicious ZIP package contains three items: a batch file called Launch.bat, a renamed LuaJIT runtime named unc.exe, and an obfuscated Lua script hidden as license.txt.

Four registry writes disable Windows proxy auto-detection, pushing outbound traffic past corporate inspection layers.

The most technically distinctive part of this campaign is the way its payload is split to avoid detection... a renamed LuaJIT runtime named unc.exe, and an obfuscated Lua script hidden as license.txt. When either file is submitted to an automated scanner on its own, it appears harmless.

The attack centers on a convincingly built GitHub repository — AAAbiola/openclaw-docker — that impersonates a Docker deployment tool for the legitimate OpenClaw AI project. The repository features a polished README with installation instructions for both Windows and Linux, a companion GitHub.io page, and real contributors.

Once both pieces are armed, the payload runs through five anti-analysis checks — scanning for debugger presence, low RAM, short system uptime, elevated privilege access, and specific computer names. If anything looks like a sandbox, execution stops.

Once both pieces are armed, the payload runs through five anti-analysis checks — scanning for debugger presence, low RAM, short system uptime, elevated privilege access, and specific computer names.

If not, a Sleep() call kicks in for roughly 29,000 years, long enough to outlast any timed analysis window.

Once both pieces are armed, the payload runs through five anti-analysis checks — scanning for debugger presence... If anything looks like a sandbox, execution stops.

Four registry writes disable Windows proxy auto-detection, pushing outbound traffic past corporate inspection layers.

Once both pieces are armed, the payload runs through five anti-analysis checks — scanning for debugger presence, low RAM, short system uptime, elevated privilege access, and specific computer names. If anything looks like a sandbox, execution stops.

Once both pieces are armed, the payload runs through five anti-analysis checks — scanning for debugger presence, low RAM, short system uptime, elevated privilege access, and specific computer names.

If not, a Sleep() call kicks in for roughly 29,000 years, long enough to outlast any timed analysis window.

Once both pieces are armed, the payload runs through five anti-analysis checks — scanning for debugger presence... If anything looks like a sandbox, execution stops.

Every victim machine is geolocated the moment execution begins, and a full desktop screenshot is captured and sent to a C2 server in Frankfurt, Germany.

The payload then captures the full desktop and uploads it via a hardcoded multipart POST to the Frankfurt C2 server, which responds with encrypted task and loader blobs saved to the victim’s Documents folder.

The payload then captures the full desktop and uploads it via a hardcoded multipart POST to the Frankfurt C2 server, which responds with encrypted task and loader blobs saved to the victim’s Documents folder.