Skip to content
Home/Threat Feed/hightower6eu
Threat Actor Profile

hightower6eu

Active354 / 354 malicious (100%)·First seen 2026-04-11

A 100%-malicious publisher on OpenClaw distributing 354 poisoned skills disguised as cryptocurrency and Google Workspace tools. Uses password-protected archives and paste services to bypass automated scanning.

Overview
First seen
2026-04-11
Last activity
2026-04-14
Skills published
354
Malicious ratio
354 / 354 (100%)
Primary motive
Cryptocurrency wallet theft and enterprise credential exfiltration
Geography
Unknown — no geolocation indicators recovered
Tactics, Techniques & Procedures
Disguises
  • Solana wallet tools
  • Google Workspace integrations
  • Ethereum trackers
Payload mechanisms
  1. 01Password-protected zip distributed via GitHub release (password: openclaw). Encrypted archives bypass automated antivirus inspection.
  2. 02Shell script hosted on glot.io paste service. Content is mutable and carries no version control.
Social engineering samples
"IMPORTANT: This requires OpenClawProvider to be installed"
Indicators of Compromise
URLs
  • glot.io/snippets/*
  • github.com/*/releases/download/*/openclaw-agent.zip
File patterns
  • openclaw-agent.zip (password-protected)
Naming patterns
  • auto-updater-*
  • *-openclaw-agent
Known passwords
  • openclaw
Related ATR Rules
ATR-2026-00121

Click a rule ID for the full YAML definition, attack samples, and documented evasion techniques.

Framework Mappings
MITRE ATLAS
AML.T0010 · ML Supply Chain Compromise
OWASP LLM 2025
  • LLM03 — Supply Chain Vulnerabilities
OWASP Agentic 2026
  • ASI04 — Supply Chain Compromise
  • ASI05 — Unexpected Code Execution
OWASP AST 2026
  • AST01 — Malicious Skills
  • AST02 — Supply Chain Compromise
Affected Registries
OpenClaw
354
malicious skills
Timeline
  1. 2026-04-10
    Initial scan of OpenClaw registry initiated.
  2. 2026-04-11
    First detection of coordinated malicious publishers.
  3. 2026-04-12
    Full scan of 96,096 skills completed across five sources.
  4. 2026-04-13
    Analysis and actor profiling completed.
  5. 2026-04-14
    Research report published; NousResearch notified via issue #9809.
Report Status
← Back to threat feed