Infostealer malware is expanding beyond traditional browser and banking credential theft to target personal AI assistant environments.
Researchers at Hudson Rock recently identified a live infection in which attackers exfiltrated a victim’s OpenClaw configuration files, including authentication tokens, cryptographic keys, and stored contextual data used by the AI agent.
“While the malware may have been looking for standard ‘secrets,’ it inadvertently struck gold by capturing the entire operational context of the user’s AI assistant,” said the researchers.
Inside the OpenClaw File Exfiltration Attack
According to Hudson Rock’s analysis, the attackers did not use a specialized module designed specifically for OpenClaw.
Instead, the infostealer relied on a broad file-collection routine commonly found in commodity malware. These routines are built to scan infected systems for sensitive file extensions, stored credentials, and directories associated with valuable data.
In this case, the malware searched for directory names such as .openclaw and other high-value targets. That general sweep was sufficient to capture the victim’s entire OpenClaw workspace.
How the Infection Chain Unfolded
The infection chain itself was relatively straightforward.
Once executed on the victim’s machine, the infostealer scanned the local file system for commonly targeted data, including configuration files and cryptographic material.
When it identified the OpenClaw directory, it exfiltrated several critical components of the AI agent’s environment.
What Data Was Stolen from OpenClaw
Among the stolen files was openclaw.json, the agent’s primary configuration file.
This file contains core operational details, including the user’s email address, workspace path, and a high-entropy gateway.auth.token used to authenticate with the AI gateway.
With access to this token, an attacker could potentially impersonate the user in authenticated API requests or attempt remote access to the local OpenClaw instance if network ports are exposed.
The malware also extracted device.json, which stores the device’s public and private cryptographic keys (publicKeyPem and privateKeyPem).
These keys are used for secure pairing and message signing within the OpenClaw ecosystem.
Why the Stolen Data Creates Risk
The exposure of privateKeyPem represents the most serious risk.
Possession of the private key could allow an attacker to sign messages as the victim’s device, potentially bypassing “Safe Device” verification mechanisms and gaining access to encrypted logs or connected cloud services.
Essentially, this enables device-level impersonation.
In addition to tokens and keys, the attackers obtained contextual memory files such as soul.md, AGENTS.md, and MEMORY.md.
These documents define the AI agent’s behavioral parameters and store accumulated contextual data, which may include activity logs, internal notes, calendar entries, and other operational information.
While not authentication artifacts, these files provide insight into the user’s workflows and digital footprint, increasing the risk of follow-on attacks such as social engineering or targeted intrusion.
The attack required no exploit development or vulnerability chaining. The malware simply accessed and exfiltrated unprotected local files.
Mitigating AI Infostealer Risks
As AI assistants become more common in enterprise environments, organizations should treat their configuration files and supporting components as sensitive assets.
Authentication tokens, cryptographic keys, and stored contextual data can introduce risk if exposed.
Protecting these systems requires a layered security approach that includes strong identity controls, access management, monitoring, and well-defined incident response procedures.
- Encrypt AI configuration files at rest and, where possible, eliminate long-lived local secrets by using centralized secrets management and short-lived credentials.
- Regularly rotate authentication tokens and cryptographic keys, and use hardware-backed key storage to prevent private key extraction.
- Restrict AI gateway exposure through network segmentation, firewall controls, conditional access policies, and outbound traffic filtering to block unauthorized connections and exfiltration.
- Implement least privilege access controls, application allowlisting, and file integrity monitoring to limit and detect unauthorized access to AI workspace directories.
- Monitor for behavioral anomalies, unusual file access patterns, and suspicious outbound transfers using EDR, DLP, and AI activity baselining.
- Segment or sandbox AI workloads from general user environments to reduce the risk of cross-contamination from phishing or commodity malware infections.
- Develop, test, and regularly update AI-specific incident response plans that include procedures for key rotation, token revocation, forensic review of memory files, and recovery of compromised AI identities.
By implementing these measures, organizations can reduce the likelihood of AI configuration compromise and strengthen overall resilience against infostealer threats.
AI Assistants Become a New Target for Infostealers
The OpenClaw case reflects a gradual shift in attacker activity as AI assistants become more integrated into everyday business workflows.
Instead of relying on complex exploits, the infection shows how basic file exfiltration can expose authentication tokens, cryptographic keys, and stored contextual data tied to an AI environment.
With AI tools becoming more widely adopted across the enterprise, their configurations should be managed and protected using controls similar to those applied to other sensitive systems and privileged accounts.
As threats increasingly target identity, access, and sensitive configuration data, organizations are turning to zero-trust solutions to strengthen controls around users, devices, and AI.