Gh0stRAT Returns as "openclawAI": A Chinese Cybercrime Operation Riding the AI Hype Train
TL;DR: A Gh0stRAT campaign is using fake AI software -- "openclawAI" -- to deliver a 44MB Inno Setup dropper that disables all network adapters via PowerShell before deploying the Gh0stRAT payload to a C2 at 47[.]242[.]9[.]11 (Alibaba Cloud, Hong Kong). The phishing domain ai-openclaw[.]com[.]cn was registered just one day before the malware was submitted to MalwareBazaar, with a Let's Encrypt certificate issued the same day. The download server nmysq[.]top sits on Alibaba Cloud with a Hong Kong registrant. Kaspersky classifies the payload as Backdoor.Win32.Farfli -- the Chinese variant of Gh0stRAT. An import hash pivot connects this sample to an OffLoader variant distributed through the Amadey botnet, revealing either shared tooling or a commercial builder ecosystem. This is commodity Chinese cybercrime at speed: domain registered, cert issued, malware deployed, all within 24 hours.
AI-Themed Lures: The New Normal
It was only a matter of time. As AI tools dominate tech headlines and download charts, threat actors have noticed that "AI" in a filename is the new "free crack" in terms of click-through rates. This Gh0stRAT campaign disguises its dropper as "openclawAI" -- a name that sounds just plausible enough that someone searching for AI tools might download it without a second thought.
The sample arrived on MalwareBazaar on March 11, 2026, reported by CNGaoLing -- a Chinese researcher whose submission strongly suggests this campaign is targeting Chinese-speaking users. The dropper is a 44MB Inno Setup installer compiled with Delphi, wrapping a Gh0stRAT payload in enough legitimate-looking packaging to fool casual inspection.
But the interesting part is not the malware family -- Gh0stRAT has been around since 2001. The interesting part is the infrastructure speed and the connections hiding behind the import hash.
What Was Found vs. What Was Known
| Aspect | Prior Reporting | Our Findings |
|---|---|---|
| Delivery mechanism | Generic fake installers | AI-themed social engineering ("openclawAI") |
| Infrastructure age | N/A | Domain registered < 24 hours before deployment |
| Network evasion | Standard Gh0stRAT behavior | PowerShell kills ALL network adapters during install |
| C2 hosting | Various | Alibaba Cloud Hong Kong (47[.]242[.]9[.]11) |
| Toolchain links | Isolated Gh0stRAT samples | Shared imphash with Amadey-distributed OffLoader |
| Builder ecosystem | Unknown | Delphi/Inno Setup builder producing multiple malware families |
| Campaign pattern | N/A | Part of broader trend: fake Xshell, fake Cloudflare Tunnel, all Gh0stRAT |
| PDB path leak | N/A | D:\Coding\Is\issrc-build\Components\ChaCha20.pas reveals dev environment |
The Kill Chain: From Fake AI to Full Backdoor
[SEO poisoning / phishing site]
|
[ai-openclaw[.]com[.]cn — registered 2026-03-10]
|
[Redirect to download server]
|
[hxxps://www[.]nmysq[.]top/oss/usha/ope/openclawAI%207beAolenc[.]zip]
|
[Victim extracts and runs openclawAI 7beAolenc.exe (44MB Inno Setup)]
|
[PowerShell: Disable-NetAdapter -Name * -Confirm:$false]
|--- ALL network adapters disabled (defense evasion)
|
[Drops temp files to %LOCALAPPDATA%\Temp\is-*.tmp\]
|
[Installs to C:\Program Files (x86)\tiZpP\dKyjda\eABD\mjIG\tu5g\YUZ8.exe.exe]
|--- Randomized 6-deep directory path
|
[Gh0stRAT/Farfli beacon to 47[.]242[.]9[.]11]
|--- Full remote access: shell, keylogging, screen capture, file ops
The most notable behavioral trick is the PowerShell command executed during installation:
Disable-NetAdapter -Name * -Confirm:$false
This disables every network adapter on the victim's machine. Why would a dropper kill its own network connectivity? Two reasons. First, it prevents cloud-based AV engines from phoning home for real-time verdict checks during the critical installation window. Second, it prevents the victim from immediately noticing C2 traffic once connectivity is restored -- by the time they reconnect, the RAT is already installed and blends into normal traffic.
The installation path -- C:\Program Files (x86)\tiZpP\dKyjda\eABD\mjIG\tu5g\YUZ8.exe.exe -- uses randomized directory names five levels deep and a double .exe.exe extension. This makes manual discovery and path-based detection rules nearly useless.
The Dropper Under the Hood
| Property | Value |
|---|---|
| File Name | openclawAI 7beAolenc.exe |
| File Size | 44,533,614 bytes (44 MB) |
| File Type | PE32 executable (GUI) x86, Delphi/Borland |
| SHA-256 | 9ed5dc32d9ce2e7b49cd50141c15702bf2a21b769dd47ce32c460e41814fb055 |
| MD5 | 9c811bc7bfc124b3476cd11bb1834504 |
| Imphash | ac4ded70f85ef621e5f8917b250855be |
| Installer | Inno Setup 6.6.1 |
| Compile Time | 2025-11-19 |
| VT Detection | 12/76 (15.8%) |
The .rsrc section entropy of 7.59 (near-maximum of 8.0) confirms encrypted or compressed payload data. The PDB path D:\Coding\Is\issrc-build\Components\ChaCha20.pas is a gift -- it reveals the developer uses a build environment rooted at D:\Coding, with an Inno Setup source build (issrc-build) that includes a custom ChaCha20 encryption component. This is not a script kiddie downloading a builder. Someone has customized the Inno Setup source to add encryption.
Section names .itext, .didata, and .edata confirm Delphi/Borland compilation. The overlay data starting at offset 0xD6000 contains 43.6MB of Inno Setup compressed data -- the actual malware payload. An embedded PE was found at offset 0x0150998D: a 34KB PE32+ x64 binary, heavily obfuscated.
The Imphash Connection: Gh0stRAT Meets Amadey
The import hash ac4ded70f85ef621e5f8917b250855be links this sample to something unexpected:
| SHA-256 | File Name | Signature | First Seen |
|---|---|---|---|
| 9ed5dc32... | openclawAI 7beAolenc.exe | Gh0stRAT | 2026-03-11 |
| 2862dbcd... | file (8.9 MB) | OffLoader | 2026-03-10 |
The OffLoader sample was dropped by the Amadey botnet and distributed from hxxp://158[.]94[.]211[.]222/files/7782139129/4Qrxrgo.exe. Same Delphi compiler. Same Inno Setup framework. Same import hash.
Two different malware families -- Gh0stRAT and OffLoader -- sharing identical import structures means one of two things: either the same developer is building both, or both are outputs of the same commercial builder toolkit. The Amadey connection suggests the operator may be purchasing distribution through the Amadey botnet ecosystem, using it as a malware-as-a-service delivery channel while maintaining their own Gh0stRAT C2 infrastructure.
The Broader Gh0stRAT Campaign
A pivot on the Gh0stRAT tag in MalwareBazaar reveals a clear pattern:
| SHA-256 | File Name | First Seen | Lure Theme |
|---|---|---|---|
| 9ed5dc32... | openclawAI 7beAolenc.exe | 2026-03-11 | Fake AI software |
| 525b4900... | Glnstaller.exe | 2026-03-10 | Fake installer |
| 2199c2f7... | XshellA.zip | 2026-03-10 | Fake Xshell (SSH client) |
| 05c074c9... | A0sysMiaic_Jianq.exe | 2026-03-07 | Unknown |
| e7ded2c5... | cloudflared_installer.exe | 2026-03-06 | Fake Cloudflare Tunnel |
Every recent Gh0stRAT sample masquerades as legitimate software. AI tools, SSH clients, network utilities. This is consistent with Chinese-language SEO poisoning campaigns -- where search results for popular software tools are manipulated to serve malicious download links. The victim searches for "Xshell download" or "Cloudflare Tunnel installer," clicks a top result, and gets Gh0stRAT.
Infrastructure: All Roads Lead to Alibaba Cloud
Phishing Domain
| Property | Value |
|---|---|
| Domain | ai-openclaw[.]com[.]cn |
| IP | 154[.]36[.]152[.]146 |
| ASN | AfriNIC (Mauritius allocation) |
| TLS Certificate | Let's Encrypt R13, issued 2026-03-10 |
The .com.cn TLD confirms Chinese-language targeting. The Let's Encrypt certificate was issued March 10 -- one day before the sample hit MalwareBazaar. The domain was registered, the cert was issued, and the campaign launched all within a 24-hour window. This operational tempo suggests either automation or a well-rehearsed playbook.
Download Server
| Property | Value |
|---|---|
| Domain | nmysq[.]top / www[.]nmysq[.]top |
| IP | 139[.]95[.]9[.]165 |
| ASN | AS45102 (Alibaba Cloud) |
| Registrar | Gname.com Pte. Ltd. (Singapore) |
| Registrant Country | Hong Kong |
| Domain Created | 2026-01-18 |
| Download URL | hxxps://www[.]nmysq[.]top/oss/usha/ope/openclawAI%207beAolenc[.]zip |
C2 Server
| Property | Value |
|---|---|
| IP | 47[.]242[.]9[.]11 |
| ASN | AS45102 (Alibaba Cloud) |
| Geolocation | Hong Kong |
| Open Ports | 22/tcp (OpenSSH 7.4) |
| VT Reputation | 0 (clean) |
All three infrastructure components -- phishing, download, C2 -- trace back to Alibaba Cloud or associated Asian hosting. The Gname.com registrar (Singapore-based, popular with Chinese operators) and Hong Kong registrant for nmysq[.]top further cement the Chinese nexus. Using a single cloud provider for everything makes operational management easier but creates a single point of failure for takedown.
OPSEC Failures
Six distinct failures give defenders purchase on this operation:
- PDB path retained -- D:\Coding\Is\issrc-build\Components\ChaCha20.pas reveals the development environment, custom crypto component, and build chain
- Same imphash across campaigns -- Allows pivoting from Gh0stRAT to OffLoader and potentially more
- Let's Encrypt certificates -- Free and automated but logged in Certificate Transparency, providing timestamped evidence
- Single cloud provider -- All infrastructure on Alibaba Cloud makes coordinated takedown possible
- Obvious fake domain -- ai-openclaw[.]com[.]cn is a transparent typosquat that will not survive domain reputation scoring for long
- Rapid deployment -- Domain-to-deployment in under 24 hours left timestamped breadcrumbs across DNS, CT logs, and MalwareBazaar
Detection
Endpoint
# PowerShell network adapter kill
Disable-NetAdapter -Name * -Confirm:$false
# Randomized deep install path pattern
C:\Program Files (x86)\<random>\<random>\<random>\<random>\<random>\*.exe.exe
# Imphash for campaign tracking
ac4ded70f85ef621e5f8917b250855be
Network
- Block C2 IP 47[.]242[.]9[.]11 at perimeter
- Block domains ai-openclaw[.]com[.]cn, nmysq[.]top, www[.]nmysq[.]top in DNS
- Block IPs 154[.]36[.]152[.]146, 139[.]95[.]9[.]165 at firewall
- Monitor PowerShell logs for Disable-NetAdapter -Name *
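As an added example (not code from the original report), the following Python triages constructed endpoint events against the three endpoint indicators above: the wildcard Disable-NetAdapter script block, the randomized five-deep Program Files (x86) path ending in .exe.exe, and the campaign imphash. The event field names are an assumed normalized schema, and the 3-8 alphanumeric length of each random path segment is an assumption generalized from the single observed path.

```python
import re

# Campaign imphash as reported above
CAMPAIGN_IMPHASH = "ac4ded70f85ef621e5f8917b250855be"

# Disable-NetAdapter with a wildcard name; tolerant of case, spacing and -Confirm placement
ADAPTER_KILL = re.compile(r"disable-netadapter\s+(?:-name\s+)?\*", re.IGNORECASE)

# Five randomized alphanumeric directory levels under Program Files (x86), then *.exe.exe
# (segment length 3-8 is an assumption drawn from the one observed install path)
DEEP_PATH = re.compile(
    r"^[A-Za-z]:\\Program Files \(x86\)(?:\\[A-Za-z0-9]{3,8}){5}\\[A-Za-z0-9]+\.exe\.exe$",
    re.IGNORECASE,
)


def classify(event):
    """Return a list of (rule_name, detail) hits for one normalized endpoint event."""
    hits = []
    kind = event.get("type")
    if kind == "powershell_scriptblock":
        text = event.get("script", "")
        if ADAPTER_KILL.search(text):
            hits.append(("disable_netadapter_wildcard", text.strip()))
    elif kind == "file_create":
        path = event.get("path", "")
        if DEEP_PATH.match(path):
            hits.append(("deep_random_install_path", path))
    elif kind == "pe_metadata":
        if event.get("imphash", "").lower() == CAMPAIGN_IMPHASH:
            hits.append(("campaign_imphash", event.get("path", "")))
    return hits


def scan(events):
    """Run classify() over a sequence of events; returns (event_index, rule_name, detail)."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in classify(ev)]


# Constructed sample telemetry (not real logs) mirroring the behaviours described in the report
SAMPLE_EVENTS = [
    {"type": "powershell_scriptblock", "script": "Disable-NetAdapter -Name * -Confirm:$false"},
    {"type": "powershell_scriptblock", "script": "Get-NetAdapter | Where-Object Status -eq 'Up'"},
    {"type": "file_create", "path": r"C:\Program Files (x86)\tiZpP\dKyjda\eABD\mjIG\tu5g\YUZ8.exe.exe"},
    {"type": "file_create", "path": r"C:\Program Files (x86)\Notepad++\notepad++.exe"},
    {"type": "pe_metadata", "path": r"C:\Users\victim\Downloads\openclawAI 7beAolenc.exe",
     "imphash": "AC4DED70F85EF621E5F8917B250855BE"},
]

if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {detail}")
```

The imphash rule is the least noisy of the three but also the most brittle, since a rebuilt dropper with a different import table evades it; the script block rule is the one to keep long-term.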
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Execution | User Execution: Malicious File | T1204.002 | Victim runs fake AI installer |
| Execution | PowerShell | T1059.001 | Disable-NetAdapter command |
| Defense Evasion | Masquerading | T1036.005 | "openclawAI" branding |
| Defense Evasion | Impair Defenses: Disable Network | T1562.004 | Kills all network adapters |
| Persistence | (Unknown) | — | Randomized install path suggests persistence mechanism |
| Privilege Escalation | Access Token Manipulation | T1134 | AdjustTokenPrivileges in imports |
| Command and Control | Application Layer Protocol | T1071.001 | HTTP/HTTPS to Alibaba Cloud C2 |
Indicators of Compromise
File Indicators
# Primary Dropper (Gh0stRAT/Farfli)
SHA256: 9ed5dc32d9ce2e7b49cd50141c15702bf2a21b769dd47ce32c460e41814fb055
SHA1: 93abb77fe7469267230152f0cb15b2345ffeff2d
MD5: 9c811bc7bfc124b3476cd11bb1834504
# Dropped temp files
SHA256: cc6960103883f5eebd761dff20b3168ce198c7b1bb2ae769e54edf7f06ed3092 (openclawAI tmp)
SHA256: 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95 (_setup64.tmp)
# Related OffLoader (Amadey-distributed, same imphash)
SHA256: 2862dbcdc9546ab145d444a68b8112ce79487a93bdb7c4b45dc6649b640516ce
Network Indicators
# C2 Server (defanged)
47[.]242[.]9[.]11 (Alibaba Cloud HK)
# Phishing Domain
ai-openclaw[.]com[.]cn (registered 2026-03-10)
154[.]36[.]152[.]146 (phishing IP)
# Download Server
nmysq[.]top / www[.]nmysq[.]top (Alibaba Cloud)
139[.]95[.]9[.]165 (download IP)
hxxps://www[.]nmysq[.]top/oss/usha/ope/openclawAI%207beAolenc[.]zip
# Related Amadey distribution
158[.]94[.]211[.]222 (OffLoader distribution)
hxxp://158[.]94[.]211[.]222/files/7782139129/4Qrxrgo.exe
TLS Certificates
# Phishing domain cert
CN: ai-openclaw.com.cn | Issuer: Let's Encrypt R13 | Issued: 2026-03-10
Serial: 06fd856725194fb0e09d79652b5656c4ea5a
# Download server certs
CN: www.nmysq.top | Issuer: Let's Encrypt R13 | Issued: 2026-01-18
CN: nmysq.top | Issuer: Let's Encrypt R12 | Issued: 2026-01-18
Recommended Actions
Immediate (24-48 hours)
- Block all listed IPs and domains at perimeter
- Deploy YARA rules for the dropper and its imphash cluster
- Search endpoints for openclawAI, Disable-NetAdapter, or install paths matching the randomized pattern
- Check PowerShell transcript logs for Disable-NetAdapter -Name * -Confirm:$false
Short-Term (1-2 weeks)
- Submit abuse reports to Alibaba Cloud (intl-abuse@list.alibaba-inc.com) for IPs 47.242.9.11 and 139.95.9.165
- Submit abuse report to Gname.com (complaint@gname.com) for nmysq[.]top
- Request Let's Encrypt certificate revocation for the listed certificates
- Monitor for new samples with imphash ac4ded70f85ef621e5f8917b250855be
Medium-Term (1-3 months)
- Monitor MalwareBazaar for new Gh0stRAT samples using fake software lures
- Track the Delphi/Inno Setup builder ecosystem for connections to other malware families
- Assess exposure to SEO poisoning campaigns targeting Chinese-language software searches
Published by Breakglass Intelligence. Investigation conducted 2026-03-11. A fake AI app. A 24-hour infrastructure sprint. A Chinese RAT from 2001 that refuses to retire. Classification: TLP:CLEAR