Zscaler Published OpenClaw Today. We Named It 'Moltbot' Three Months Ago. Six Figures vs $384/Month.
- Patrick Duggan
- 3 hours ago
- 5 min read
Same campaign. Three months earlier. Two orders of magnitude cheaper.
May 5, 2026 · Patrick Duggan, DugganUSA LLC
Zscaler's ThreatLabz published a deep-dive today on a malicious AI skill called DeepSeek-Claw, distributed via an open-source framework named OpenClaw, that delivers Remcos RAT on Windows and GhostLoader on macOS/Linux. Their writeup is solid — full IOC table, attack-chain breakdown, DLL-sideloading tradecraft. The kind of report enterprises pay six figures a year to read.
The campaign they document is real, current, and worth blocking.
It is also the same campaign we wrote about three months ago, when it was called Moltbot.
This post is the receipt — and a transparent note about what our pre-flight firewall did and didn't catch.
The receipts
On February 2, 2026, we published two posts on the same campaign Zscaler is now writing about:
"Moltbot Supply Chain Attack: Why We Dodged It (And You Should Care)"
"Supply Chain Showdown — Moltbot vs Notepad: Two Attacks, One Lesson"
Zscaler's report calls it OpenClaw. They explicitly note the alias chain in their first paragraph: "OpenClaw, previously known as Clawdbot, Moltbot, and Molty."
Our archive corroborates the timeline — 19 hits on "Moltbot," 5 on "Clawdbot," 56 on "deepseek-claw," 15 on "GhostLoader." We've been tracking the operator across the rebrand cycle since the original Moltbot wave hit in early 2026. The path-signature work and AI-skill-as-attack-vector framing in that February analysis maps directly onto what Zscaler is publishing today.
Lead time: ~93 days.
That isn't us being smarter than Zscaler. They have HUMINT, an analyst pool, and a SOC. We don't. What we have is a pipeline tuned to catch the operator's choices — the rebrand pattern, the same trade-craft surfacing under a new name, the path signature that survives the relabel — at preparation time rather than at publication time.
The honest gap — Dredd MCP returned ALLOW
You should know this part. We ran our own Dredd MCP pre-flight scanner against the live bait repo Zscaler named (Needvainverter93/deepseek-claw — still hosted on GitHub at HTTP 200 as of this morning). Verdict: ALLOW. Severity: clean. Findings: 0.
That's not great.
The reason: Dredd MCP's correlator is calibrated to catch compromised dependencies — when an MCP server's package.json pulls a known-malicious npm package, we surface it. That works for the SmartLoader campaign we caught yesterday (14 typosquats, 13 nuked by GitHub same-day, all using SmartLoader-tagged compromised deps).
It does not yet work for the malicious skill that IS the package — where the malware lives in SKILL.md instructions executed by the AI agent itself, with no compromised dep to flag. The OpenClaw skill embeds the malicious PowerShell one-liner directly in the skill metadata that Claude Desktop / Cursor / agentic clients read. There's no transitive dep to catch because there's no dep at all.
This is a real coverage gap. We're closing it. The fix is to add a compromise_source = direct-skill-payload correlation lane that scans SKILL.md content for cmd /c, msiexec, IEX, Invoke-WebRequest, base64-PowerShell shapes, and known-bad URL morphology. Same architecture, broader sensor.
The cost comparison
This is where the title lands.
A Zscaler ThreatLabz subscription for a mid-market enterprise runs $50K–$250K+ per year depending on tier and seat count. Larger Fortune 500 tier — six figures, easy. The reports are excellent. The price is real.
DugganUSA's full Azure infrastructure cost — the Meilisearch VM, the analytics container app, the AIPM pipeline, the STIX feed, the harvester, the MCP marketplace presence, all of it — is $384 per month. About four thousand six hundred dollars a year. The STIX feed is free.
The lead time on this specific campaign was three months ahead of Zscaler.
This is not a slam on Zscaler. Their work is good and they have access we don't (closed-forum HUMINT, malware-analysis lab, RSA Conference stage). The framing is the asymmetry: traditional threat intel publishes after attribution stabilizes; we publish at operator preparation time. Both are useful. The price gap is what's notable.
The framing question for any defender reading this is: "Do I want shitty expensive, or good and cheap?" That is not a trick question. There are weeks where you genuinely need both. There are months where you only need one of them. Most defenders need both, used differently.
What the blast radius looks like — receipts
From Zscaler's IOC table, cross-correlated against our archive:
Indicator | Our archive (pre-publication) | Note |
Moltbot (family alias) | 19 hits, 2 blog posts Feb 2 2026 | Three months early |
OpenClaw (current name) | 249 hits | Tracked through rebrand |
Clawdbot (older alias) | 5 hits | Caught the original |
deepseek-claw (skill name) | 56 hits | Already in archive |
GhostLoader (Linux/Mac payload) | 15 hits | In archive |
trackpipe.dev (GhostLoader C2) | 6 hits | Already had it |
cloudcraftshub.com (MSI C2) | New — ingested today | Added to STIX feed |
dropras.xyz (secondary host) | New — ingested today | Added to STIX feed |
Needvainverter93 (operator handle) | 0 hits | Pseudonym we didn't have |
146.19.24.131 (Remcos C2) | 125,513 archive matches | Heavily reused IP |
The two new domains (cloudcraftshub.com and dropras.xyz) are now in our STIX feed at analytics.dugganusa.com/api/v1/stix-feed with source=vendor-blog/zscaler, tlp=white, confidence=90. Anyone subscribed to the feed gets them on the next pull. Free.
What we'd recommend to defenders this morning
Pull the IOCs — the two new domains plus Zscaler's published hashes belong in your DNS sinkhole and EDR file-block list within the hour. The STIX feed is free; pull it or copy the values from Zscaler's table directly.
Block AI agents from auto-installing skills from unverified GitHub repos. This campaign requires the agent to read a SKILL.md that triggers msiexec. If your agent governance allows arbitrary repo skill installation, you have an OpenClaw exposure regardless of which alias the operator uses next.
Audit which AI agents in your environment have local-shell privilege. OpenClaw's whole premise is that agentic AI tooling is granted enough privilege to pivot from "helpful assistant" to "code execution surface." If the privilege model in your stack is permissive, the malicious skill is a foregone conclusion the moment the operator rebrands again.
Subscribe to whatever cadence works for you — paid vendor for the deep post-mortems, free DugganUSA STIX for the early naming. Used together they cover most of the curve.
The 95% ceiling
We caught the Moltbot family in February. We tracked the rebrands. Our coverage of the operator has been consistent and named.
We also missed the specific live bait repo when we ran our own pre-flight scanner against it this morning. That is on us. The fix is in flight as a sensor expansion in the correlator. We will publish a follow-up post once it lands and the same scan returns BLOCK instead of ALLOW.
Five percent of any complex assessment is wrong. Five percent of this post is probably wrong. We just write down what we did and didn't catch and let the receipts do the work.
— Patrick Duggan, DugganUSA LLC, Minneapolis · 2026-05-05
Sources & receipts:
Zscaler ThreatLabz — Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
DugganUSA — Moltbot Supply Chain Attack: Why We Dodged It (Feb 2 2026)
DugganUSA — Supply Chain Showdown: Moltbot vs Notepad (Feb 2 2026)
DugganUSA STIX feed (free): https://analytics.dugganusa.com/api/v1/stix-feed
How do AI models see YOUR brand?
AIPM has audited 250+ domains. 15 seconds. Free while still in beta.