Fake OpenClaw installer campaign steals crypto wallets and password manager data
Tags: Security · AI
Cybersecurity Times

An active multi-wave infostealer campaign distributes a Rust-based dropper called 'Hologram' through a convincing fake OpenClaw installer site (openclaw-installer.com), targeting credentials from over 250 crypto wallet extensions and 49 password managers. The fraudulent site was registered on March 9, 2026, and is hosted on a Chinese Alibaba-registered domain. The dropper is bloated to 130MB to evade AV scanning, disables Microsoft Defender via an embedded PowerShell payload, and opens inbound firewall ports. A third wave rotated all infrastructure during analysis and added the Vidar infostealer as a stage-2 payload.