Malware

Hologram

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique

T1583.001DomainsEvidence1

The delivery chain begins at openclaw-installer.com, a convincing fake installer site... The site links to the GitHub organization openclaw-install/openclaw-installer ... which typosquats the legitimate OpenClaw project.

Execution

3 techniques

T1059.001PowerShellEvidence1

Once through the gates, Hologram decodes an embedded PowerShell payload (Base64 + XOR, key 44) and executes it.

T1204User ExecutionEvidence1

On execution, Hologram presents an installation GUI, including UAC elevation prompt framed as necessary for driver installation.

T1204.002Malicious FileEvidence1

Hologram is a two-wave Rust-based infostealer campaign distributed via a fake installer at openclaw-installer.com

Persistence

1 technique

T1547.001Registry Run Keys / Startup FolderEvidence1

Persistence is pinned immediately: OneDriveSync.lnk in the system startup folder ensures the framework survives reboot...

Privilege Escalation

1 technique

T1547.001Registry Run Keys / Startup FolderEvidence1

Persistence is pinned immediately: OneDriveSync.lnk in the system startup folder ensures the framework survives reboot...

Stealth

4 techniques

T1027Obfuscated Files or InformationEvidence1

Defender is killed in full... with every cmdlet name string-fragmented at runtime to defeat static PS1 detection rules.

T1027.002Software PackingEvidence1

hologram.yar : Yara rules to identify the Hologram/Pathfinder dropper, Stealth Packer implant, packed in-memory loader, and Telegram-bot dropper components

T1497Virtualization/Sandbox EvasionEvidence1

Before any malicious logic runs, the binary works through a multi-tier anti-VM check... VirtualBox BIOS strings, sandbox-associated DLLs, VM MAC prefixes, and blacklisted usernames abort execution immediately.

T1497.001System ChecksEvidence1

What passes that is still not enough: the dropper then waits for actual mouse movement before proceeding. Automated sandboxes do not move the mouse.

Credential Access

1 technique

T1555Credentials from Password StoresEvidence1

The manifest lists 250 browser extensions for credential theft: 201 crypto wallets ... and 49 password managers and 2FA authenticators.

Discovery

2 techniques

T1497Virtualization/Sandbox EvasionEvidence1

T1497.001System ChecksEvidence1

What passes that is still not enough: the dropper then waits for actual mouse movement before proceeding. Automated sandboxes do not move the mouse.

Command and Control

3 techniques

T1071Application Layer ProtocolEvidence1

with staging via Azure DevOps and C2 relay through Hookdeck

T1102Web ServiceEvidence1

The operator abuses Azure DevOps, Telegram, and Hookdeck as infrastructure—legitimate services inside most enterprise allowlists. | The implant resolves its primary C2 domain from a Telegram channel description before any of the stage 2 modules run.

T1105Ingress Tool TransferEvidence2

The campaign uses a large padded Rust dropper, a post-exploitation implant (Stealth Packer), and Telegram-bot update droppers

Other

2 techniques

T1562Impair DefensesEvidence1

Defender is killed in full—six exclusion paths, cloud blocking off, behavior monitoring off.

T1562.004Disable or Modify System FirewallEvidence1

Firewall rules are opened inbound on ports 57001, 57002, and 56001—the exact ports the stage-2 framework will use.

INDICATORS OF COMPROMISE

IOCs tracked for this family

35 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

19 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

8 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other

8 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

ip.v4●●●●●●●●●●●●View more in apptoday

domain●●●●●●●●●●●●View more in apptoday

domain●●●●●●●●●●●●View more in app1 day ago

domain●●●●●●●●●●●●View more in app1 month ago

uri●●●●●●●●●●●●View more in app1 month ago

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

netskope blogNews

May 7, 2026

OpenClaw's Hologram: Fake Installer Ships Rust Infostealer - Netskope

A Rust-based dropper delivered via a fake OpenClaw installer. It uses anti-VM and anti-sandbox checks, disables Defender protections, opens firewall ports, retrieves payloads and passwords from dead-drop infrastructure, and deploys a modular stage-2 framework aimed at credential theft from crypto wallet and password manager extensions.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching35

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping15

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.