Fake Moltbot AI Coding Assistant
Cybersecurity researchers have identified a malicious Microsoft Visual Studio Code extension on the official Marketplace that falsely advertised itself as a free AI-powered coding assistant for Moltbot (formerly Clawdbot). Instead of delivering legitimate functionality, the extension silently deployed a harmful payload onto compromised systems.
The extension, titled 'ClawdBot Agent – AI Coding Assistant' (clawdbot.clawdbot-agent), was published on January 27, 2026, by a user named 'clawdbot.' Microsoft has since removed it from the Marketplace. Threat actors leveraged Moltbot's rapid rise in popularity to lure unsuspecting developers into installing a tool that Moltbot itself does not officially offer.
Why Moltbot Was an Attractive Bait
Moltbot has surged past 85,000 stars on GitHub, fueled by its promise of a locally hosted personal AI assistant powered by large language models. The platform enables interaction through familiar services such as WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams, Google Chat, and web-based chat clients.
A critical point often overlooked is that Moltbot has no legitimate VS Code extension. Attackers exploited this gap by introducing a counterfeit plugin designed to blend seamlessly into the developer ecosystem.
From IDE Launch to Full Remote Control
Once installed, the malicious extension executed automatically every time VS Code was launched. It retrieved a remote config.json file from clawdbot.getintwopc.site, which instructed the extension to run a binary called Code.exe. This executable deployed a legitimate remote access tool: ConnectWise ScreenConnect.
The installed ScreenConnect client then connected to meeting.bulletmailer.net:8041, providing attackers with persistent, interactive remote access to the infected machine.
Redundant Delivery and Resilience Tactics
The attackers operated their own ScreenConnect relay infrastructure, distributing a preconfigured client through the extension. Multiple fallback mechanisms ensured payload delivery even if primary command-and-control channels failed.
These included:
- Retrieval and sideloading of a Rust-based malicious DLL (DWrite.dll) referenced in config.json, capable of downloading the ScreenConnect client from Dropbox.
- DLL sideloading through Code.exe, which would preferentially load the malicious library when placed in the same directory.
- Hard-coded URLs within the extension pointing to alternative download locations.
- A batch-script-based backup method sourcing payloads from darkgptprivate.com.
Deeper analysis indicates that the attackers anticipated operational failures: several of these mechanisms were unreliable on their own, but were layered to improve the odds that the remote access tool would be delivered and remain in place.
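A triage helper, added here as an illustration and not part of the researchers' tooling, that scans endpoint log lines for the extension identifier and the network indicators quoted above (the log format and the sample lines are constructed for this example):

```python
"""Triage helper that flags log lines referencing the indicators quoted in the write-up.
Added example code, not the researchers' tooling; the log format is constructed."""

# Indicators named in the article: config host, ScreenConnect relay, fallback payload host.
INDICATORS = {
    "clawdbot.getintwopc.site": "remote config.json retrieval",
    "meeting.bulletmailer.net:8041": "ScreenConnect relay",
    "darkgptprivate.com": "batch-script fallback payload host",
}
MALICIOUS_EXTENSION_ID = "clawdbot.clawdbot-agent"

# Constructed sample log in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2026-01-28T09:01:02Z event=ext_install id=ms-python.python user=dev1
2026-01-28T09:05:10Z event=ext_install id=clawdbot.clawdbot-agent user=dev1
2026-01-28T09:05:44Z event=net_connect proc=Code.exe dst=clawdbot.getintwopc.site:443
2026-01-28T09:06:01Z event=net_connect proc=sc_client.exe dst=meeting.bulletmailer.net:8041
2026-01-28T09:07:30Z event=net_connect proc=Code.exe dst=marketplace.visualstudio.com:443
"""

def parse_line(line):
    """Split 'ts k=v k=v' into a dict; returns None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = parts[0]
    return fields

def find_indicator_hits(log_text):
    """Return (timestamp, reason) tuples for lines matching the article's indicators.
    A host-only indicator matches any port; a host:port indicator matches exactly."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f:
            continue
        if f.get("event") == "ext_install" and f.get("id") == MALICIOUS_EXTENSION_ID:
            hits.append((f["ts"], "malicious extension installed"))
        dst = f.get("dst", "")
        host = dst.rsplit(":", 1)[0]
        for ioc, reason in INDICATORS.items():
            if dst == ioc or host == ioc:
                hits.append((f["ts"], reason))
    return hits

if __name__ == "__main__":
    for ts, reason in find_indicator_hits(SAMPLE_LOG):
        print(ts, reason)
```

The extension-install hit is the earliest and most reliable signal; the network hits confirm that the config fetch and relay connection actually happened.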
The Larger Exposure: Insecure Moltbot Deployments
Beyond the malicious extension, researchers discovered hundreds of unauthenticated Moltbot instances online. These were the result of a classic reverse-proxy misconfiguration that exposed configuration files, API keys, OAuth credentials, and private chat histories.
The flaw stemmed from Moltbot's auto-approval of 'local' connections combined with deployments behind reverse proxies. Internet-originated traffic was mistakenly treated as trusted local access, enabling unauthenticated control.
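The following is an added model of that misconfiguration class, not Moltbot's own code: a gateway that auto-approves loopback peers sees every proxied internet request as local, while the corrected check resolves the real client from the proxy's forwarding header. The trusted-proxy list, the use of X-Forwarded-For and the sample requests are assumptions for the demonstration.

```python
"""Added illustration of the reverse-proxy trust flaw; not Moltbot's source code."""
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Assumption: the reverse proxy runs on the same host and is the only hop allowed to
# vouch for a client address via X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}

def is_local_naive(peer_ip, headers):
    """Vulnerable check: looks only at the TCP peer. Behind a reverse proxy on the same
    host every request, including ones from the internet, arrives from 127.0.0.1."""
    return ipaddress.ip_address(peer_ip) in LOOPBACK

def effective_client_ip(peer_ip, headers):
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy, and take the
    rightmost entry (the one the proxy appended) rather than a client-supplied value."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    if peer in TRUSTED_PROXIES and xff:
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer

def is_local_hardened(peer_ip, headers):
    """Corrected check: auto-approve only when the effective client is on loopback.
    Assumes the proxy always sets X-Forwarded-For; a proxy that omits it falls back to
    the peer address, so enforce that header at the proxy as well."""
    return effective_client_ip(peer_ip, headers) in LOOPBACK

# Constructed requests: one genuinely local, one from the internet via the local proxy.
LOCAL_REQUEST = ("127.0.0.1", {})
PROXIED_REQUEST = ("127.0.0.1", {"X-Forwarded-For": "203.0.113.9"})
```

Even the hardened check only narrows the problem; the durable fix is to require real authentication for every control-plane request instead of deriving trust from network origin.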
When AI Agents Become Attack Proxies
Moltbot agents possess operational autonomy. They can send messages on behalf of users, interact across major messaging platforms, execute tools, and run commands. This introduces severe risks if unauthorized access is obtained.
Compromised agents can be abused to:
- Impersonate operators and inject messages into private conversations
- Manipulate agent outputs and workflows
- Exfiltrate sensitive data invisibly
- Distribute malicious or backdoored 'skills' through MoltHub (formerly ClawdHub), enabling supply-chain style attacks
Widespread misconfigurations have already created conditions ripe for credential leakage, prompt-injection abuse, and cross-cloud compromise scenarios.
An Architectural Weak Point
At the core of the issue lies Moltbot's architectural philosophy. The platform prioritizes frictionless deployment over hardened defaults. Users can rapidly integrate sensitive enterprise services without enforced firewalling, credential validation, or plugin sandboxing.
Security professionals warn that Moltbot's deep access to enterprise systems, often from unmanaged personal devices outside traditional security perimeters, creates high-impact control points when misconfigured. The absence of sandboxing and the storage of long-term memory and credentials in plaintext make Moltbot an especially attractive target.
If an attacker compromises the host machine, advanced techniques are unnecessary. Modern infostealers routinely harvest known directories for tokens, API keys, logs, and developer configuration data. When these assets are stored unencrypted, they can be exfiltrated within seconds.
Researchers have already observed malware-as-a-service families such as RedLine, Lumma, and Vidar adapting specifically to target Moltbot-related directory structures.
From Data Theft to Cognitive Compromise
For infostealer operators, Moltbot data represents more than credentials. It enables what researchers describe as 'cognitive context theft.' Access to conversation histories, system prompts, and long-term memory allows adversaries to understand not just systems, but operational intent.
If attackers also gain write access, such as through a remote access trojan deployed alongside a stealer, they can escalate to agent hijacking and memory poisoning, subtly manipulating behavior, outputs, and trust relationships over time.
Immediate Risk Mitigation Measures
Organizations and individuals operating Moltbot with default settings are strongly advised to take immediate defensive action:
- Audit all configurations and exposed services.
- Revoke and rotate every connected integration and credential.
- Review systems for signs of compromise.
- Enforce network-level access controls and monitoring.
Without decisive remediation, Moltbot environments remain highly susceptible to silent takeover, data siphoning, and downstream supply-chain attacks.