# OpenClaw Known Malicious Domains
# Source: Koi Security, VirusTotal, Snyk research
# Format: domain|type|campaign|notes

# Payload hosting
install.app-distribution.net|payload|clawhavoc|AMOS installer distribution
glot.io|payload-host|clawhavoc|Base64-obfuscated shell scripts (legitimate service abused)

# Exfiltration
webhook.site|exfil|generic|Data exfiltration webhook service
pipedream.net|exfil|generic|Data exfiltration
requestbin.com|exfil|generic|Data exfiltration
hookbin.com|exfil|generic|Data exfiltration
burpcollaborator.net|exfil|generic|Pentest tool (suspicious in skills)
ngrok.io|exfil|generic|Tunneling service for exfiltration
interact.sh|exfil|generic|OAST tool for exfiltration

# Moltbook infrastructure (CSA report - monitor for agent-to-agent poisoning)
moltbook.com|monitor|csa-report|AI agent social network - monitor for credential exposure and content poisoning

# Fake distribution & decoy domains
github.com/hedefbari|payload|clawhavoc|Attacker GitHub - openclaw-agent.zip
github.com/Ddoy233|payload|opensourcemalware|GitHub repo openclawcli - Windows infostealer
download.setup-service.com|decoy|clawhavoc|Decoy domain string in bash payload scripts
open-meteo.com|data-cover|bloom-campaign|Legitimate weather API abused as cover for exfiltration (skill: reddit-trends)

# Vidar infostealer infrastructure (Hudson Rock, Feb 13 2026)
# Vidar uses fast-flux DNS; these are known distribution and panel domains
# targeting OpenClaw config directories (openclaw.json, device.json, soul.md)

# Log poisoning injection endpoints (Eye Security, Feb 2026)
# Injected via WebSocket Origin/User-Agent headers into gateway logs
# Pattern: attacker-controlled domains appearing in log files

# VirusTotal scanning integration bypass attempts
# Skills trying to evade SHA-256 hash scanning via dynamic generation
