The Soul of the Machine: Infostealers Pivot to Harvesting AI Agent Identities
Feb 16, 2026
Cybersecurity researchers have detected the first major shift in the "Infostealer" malware landscape, moving from simple password theft to the total exfiltration of AI agent identities. In a series of infections identified this week by Hudson Rock, a variant of the Vidar infostealer successfully harvested the "souls" and configuration files of OpenClaw (formerly Clawdbot and Moltbot) AI agents, giving attackers the keys to victims' digital assistants.
1. The Anatomy of the Theft: What Was Stolen?
The malware used a broad "file-grabbing" routine to sweep for directories named .openclaw. Instead of just grabbing browser cookies, the stealer exfiltrated three critical files that represent the agent's entire operational identity:
openclaw.json: This file acts as the "Central Nervous System." It contains high-entropy Gateway Tokens, the user's workspace path, and redacted email addresses.
device.json: This is the most severe loss. It stores the privateKeyPem and publicKeyPem. These cryptographic keys are used for secure pairing and signing operations; having them allows an attacker to "sign" commands as if they were the user's trusted device.
soul.md: This is the "Identity" file. It contains the agent’s core principles, behavioral guidelines, and personal context. Stealing this allows an attacker to clone the personality and knowledge of the victim's AI to orchestrate sophisticated social engineering attacks.
2. The Impact: Remote Takeover and Impersonation
With these files in hand, the threat actor doesn't just have a password—they have an authenticated session that bypasses standard security checks.
Remote Gateway Access: If the victim's OpenClaw port is exposed to the internet (which researchers say is true for over 42,000 instances), an attacker with the Gateway Token can connect remotely and issue shell commands directly to the host machine.
Impersonation: By using the stolen private keys, an attacker can send authenticated requests to the AI gateway, making it appear as though the legitimate user is requesting sensitive data or financial transactions.
Total Context Awareness: Because OpenClaw agents often have access to a user's local files, Slack, and email, the attacker gains immediate visibility into the victim's entire professional and personal life.
3. Context: The OpenClaw Security "Dumpster Fire"
The theft comes at a chaotic time for the OpenClaw project. Created by Peter Steinberger (who just joined OpenAI to lead their agentic efforts), the tool went viral in late January 2026 but has been labeled a "security nightmare" by firms like Gartner and Kaspersky.
Insecure Defaults: By default, OpenClaw often stores API keys and credentials in plaintext and ships without mandatory authentication.
The "ClawHub" Supply Chain: Over 340 malicious "skills" were recently discovered on the official repository, some of which were designed specifically to drop the very infostealers now harvesting configuration files.
Researcher Note: "This finding marks a significant milestone: the transition from stealing credentials to harvesting the identities of AI agents. As these agents become integrated into our workflows, infostealer developers will soon release dedicated modules specifically to parse and decrypt these files." — Alon Gal, CTO of Hudson Rock
4. Critical Protective Measures
If you are running a self-hosted instance of OpenClaw, security experts recommend immediate action:
Rotate All Credentials: If your config was exposed, assume all connected API keys (Anthropic, OpenAI, etc.) are compromised.
Bind to Localhost: Ensure your gateway is bound to 127.0.0.1 and never exposed directly to the public web.
Switch to Managed Hosting: Consider pre-hardened solutions like xCloud that handle patching and firewalling automatically.
Audit "Soul" Files: Check your soul.md and memory logs for any sensitive passwords that the agent may have "learned" and stored in plaintext.
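The checks in this section, and the three files described in section 1, lend themselves to a small self-audit script. The following is an added example written for this article, not code from OpenClaw or Hudson Rock: it verifies that the gateway is bound to a loopback address, that device.json (which holds the private key) is readable only by its owner, and scans soul.md for credentials stored in plaintext using a keyword match plus a Shannon-entropy test for long random-looking tokens. The JSON key `gateway.bind`, the `host:port` string form, and the sample files built in `__main__` are assumptions; OpenClaw's real configuration schema may differ.

```python
import json
import math
import re
import stat
import tempfile
from pathlib import Path

# Assumed layout of a .openclaw directory, modelled on the files named in the
# article: openclaw.json (gateway token, bind address), device.json (key pair),
# soul.md (agent identity). The config key names are assumptions, not OpenClaw's
# real schema.
SECRET_KEYWORDS = re.compile(
    r"(password|passwd|secret|api[_-]?key|token|bearer)\s*[:=]\s*(\S+)", re.I
)
# 32+ characters drawn from a base64/URL-safe alphabet: a candidate for a leaked token.
HIGH_ENTROPY_TOKEN = re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")


def shannon_entropy(s: str) -> float:
    """Bits per character. Random secrets score well above ordinary prose (~3.5+)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_plaintext_secrets(text: str, min_entropy: float = 3.5) -> list:
    """Return (line_no, snippet) pairs in a soul/memory file that look like credentials."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEYWORDS.search(line)
        if m:
            hits.append((lineno, m.group(0)))
            continue  # keyword hit already covers this line
        for tok in HIGH_ENTROPY_TOKEN.findall(line):
            if shannon_entropy(tok) >= min_entropy:
                hits.append((lineno, tok))
    return hits


def check_bind_address(config: dict) -> list:
    """Flag a gateway listening on anything but loopback ('gateway.bind' is an assumed key)."""
    bind = str(config.get("gateway", {}).get("bind", ""))
    host = bind.rsplit(":", 1)[0] if ":" in bind else bind
    if host.strip("[]") not in ("127.0.0.1", "localhost", "::1"):
        return [f"gateway bound to {bind!r}; bind to 127.0.0.1 instead"]
    return []


def check_key_permissions(mode: int) -> list:
    """device.json holds privateKeyPem; any group/other permission bits are a finding."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"device.json mode {oct(mode & 0o777)} is readable by others; chmod 600"]
    return []


def audit_openclaw_dir(root: Path) -> dict:
    """Run all three checks against a .openclaw directory and collect findings."""
    findings = {"bind": [], "device_perms": [], "soul_secrets": []}
    cfg = root / "openclaw.json"
    if cfg.exists():
        findings["bind"] = check_bind_address(json.loads(cfg.read_text()))
    dev = root / "device.json"
    if dev.exists():
        findings["device_perms"] = check_key_permissions(dev.stat().st_mode)
    soul = root / "soul.md"
    if soul.exists():
        findings["soul_secrets"] = find_plaintext_secrets(soul.read_text())
    return findings


if __name__ == "__main__":
    # Constructed sample directory with one weak setting of each kind.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "openclaw.json").write_text(json.dumps({"gateway": {"bind": "0.0.0.0:4000"}}))
        (root / "device.json").write_text('{"privateKeyPem": "<placeholder>"}')
        (root / "device.json").chmod(0o644)
        (root / "soul.md").write_text("Be helpful.\nThe user's bank password: hunter2\n")
        for category, items in audit_openclaw_dir(root).items():
            for item in items:
                print(f"[{category}] {item}")
```

Run it against a real `~/.openclaw` with `audit_openclaw_dir(Path.home() / ".openclaw")`; the entropy threshold is deliberately conservative, so review every hit rather than treating the list as exhaustive.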