ClawHavoc Pivot: AMOS Stealer Delivered via ClawHub Skill-Page Comments

• 23 February 2026
• Threat Research,
• AI

I observed a threat actor abusing ClawHub skill-page comments to post commands, disguised as “update service”, that fetch and execute Atomic macOS Stealer (AMOS). The execution chain mirrors the pattern in the ClawHavoc campaign reported by Oren Yomtov and his agent Alex at Koi, but shifts the initial lure from skill “Prerequisites” to ClawHub skill page comments.

Read the original article.

• ← Previous
  Skills Meet Osquery: Introducing Osquery-helper
• Next →
  How Nova Rules Are Automatically Validated and Tested