Back to Blog
CRITICAL THREATActive ExploitationSupply Chain Risk
15 min read
SOC Prime Bias: Critical

The Moltbot / ClawdBots Epidemic:
AI Assistant Security Crisis

Hundreds of Moltbot instances found exposed to the internet with unauthenticated admin ports. Credential theft, supply-chain attacks via skill poisoning, and infostealer targeting create a perfect storm for enterprise compromise.

100s
Exposed Instances
Plaintext
Credential Storage
Supply
Chain Attack Vector
3+
Infostealer Families
TL;DR — Executive Summary

The Threat

  • AI assistant with weak/missing authentication exposed to internet
  • Credentials stored in plaintext Markdown and JSON files
  • Skill library vulnerable to supply-chain poisoning attacks
  • Targeted by RedLine, Lumma, Vidar infostealers

Immediate Actions

  • Require strong authentication for all Moltbot services
  • Close or firewall admin ports (default: 8080)
  • Enable encryption-at-rest for stored secrets
  • Vet, sign, and pin skills from the library

What is Moltbot / ClawdBot?

Moltbot (formerly branded as ClawdBot) is an AI personal assistant designed to operate through popular messaging platforms like WhatsApp and Telegram. It provides users with AI-powered assistance for various tasks, from answering questions to executing automated workflows through its extensible "skill" system.

Platform Characteristics

Messaging Integration

WhatsApp, Telegram bots

Skill Library

Extensible via ClawdHub

Admin Interface

HTTP console (port 8080)

Data Storage

Local Markdown/JSON files

While the concept of AI assistants accessible via messaging apps is appealing for convenience, the security posture of many Moltbot deployments has been found to be severely lacking, creating significant enterprise risk.

Critical Security Issues Identified

1. Unauthenticated Admin Ports

Researchers discovered hundreds of Moltbot instances exposing unauthenticated admin ports to the internet. The default HTTP console on port 8080 often lacks any authentication, allowing anyone to access administrative functions.

[+] Moltbot started listening on 0.0.0.0:8080 — "exposed to the web"

2. Plaintext Credential Storage

User credentials and secrets are written to plaintext Markdown and JSON files. This makes them trivial targets for commodity infostealers like RedLine, Lumma, and Vidar that specifically scan for credential files.

~/.moltbot/credentials.md
~/.moltbot/config.json

3. Supply-Chain Skill Poisoning

The skill library (ClawdHub) can be poisoned with malicious skills. A proof-of-concept attack demonstrated uploading a malicious skill that achieved remote command execution on all downstream users who installed it.

Attack chain: Malicious skill → ClawdHub → User installation → RCE

4. Unsafe Proxy Configurations

Many deployments were found with unsafe proxy configurations that could be leveraged to pivot through the network, exfiltrate data, or establish persistent backdoor access.

Threat Actor Capabilities

By exploiting these vulnerabilities, threat actors gain significant capabilities:

Steal Secrets

API keys, passwords, tokens from plaintext storage

Exfiltrate Code

Access and steal source code repositories

Deploy Backdoors

Repurpose the assistant as persistent access

C2 Operations

Use as command-and-control infrastructure

Infostealers Targeting Moltbot Credentials

Because Moltbot stores secrets in plaintext files, it has become a target for commodity infostealers that automatically scan for and exfiltrate credential files:

RedLine Stealer

Widely distributed MaaS that targets browser data, crypto wallets, and now Moltbot configs.

Lumma Stealer

Modern infostealer with extensive file-grabbing capabilities targeting plaintext secrets.

Vidar Stealer

Popular stealer-as-a-service known for credential harvesting from various applications.

Detection Rules & Indicators

SOC Prime has released multiple Sigma rules for detecting Moltbot-related activity:

Possible Moltbot (formerly Clawdbot) Installation Attempt (via proxy)
Possible Moltbot (formerly Clawdbot) Installation Attempt (via file_event)
Possible Moltbot (formerly Clawdbot) Installation Attempt (via dns)
Possible Moltbot (formerly Clawdbot) Installation Attempt (via cmdline)
Detection of Moltbot Instances Exposed to the Web [Webserver]

Simulation Script

The following PowerShell script simulates Moltbot deployment for detection testing:

moltbot-simulation.ps1
powershell
# ----------------------------------------------------
# Moltbot Exposure Simulation – PowerShell
# ----------------------------------------------------
# 1. Create a temporary directory
$tempDir = "$env:TEMP\MoltbotSim"
New-Item -ItemType Directory -Force -Path $tempDir | Out-Null

# 2. Simulate downloading a Moltbot executable (placeholder)
$molExe = "$tempDir\moltbot.exe"
Invoke-WebRequest -Uri "https://example.com/moltbot.exe" \
  -OutFile $molExe -UseBasicParsing

# 3. Run Moltbot with default (exposed) settings
$proc = Start-Process -FilePath $molExe \
  -ArgumentList "--listen 0.0.0.0:8080" \
  -PassThru -WindowStyle Hidden

Write-Host "[+] Moltbot started (PID: $($proc.Id)) on 0.0.0.0:8080"

# 4. Wait for service registration in logs
Start-Sleep -Seconds 5

# 5. Simulate external connection
Try {
    Invoke-WebRequest -Uri "http://$($env:COMPUTERNAME):8080" \
      -UseBasicParsing -TimeoutSec 5
    Write-Host "[+] External HTTP request sent to Moltbot UI."
} Catch {
    Write-Warning "[-] Unable to reach Moltbot UI."
}

# 6. Cleanup
Stop-Process -Id $proc.Id -Force
Remove-Item -Recurse -Force $tempDir
Write-Host "[+] Simulation completed and cleaned up."

Mitigation Strategies

Access Control

Require strong authentication for all Moltbot services
Close or firewall admin ports (default: 8080)
Never expose the assistant directly to the internet
Implement IP allowlisting for admin access

Data Protection

Enable encryption-at-rest for stored secrets
Sandbox or containerize the runtime environment
Restrict filesystem access to minimum required
Implement secrets management (Vault, AWS Secrets Manager)

Supply Chain Security

Vet all skills before installation
Sign and pin skills from the library
Consider disabling skill feature if ungovernable
Monitor for unauthorized skill installations

Monitoring & Response

Alert on open admin ports and unauth access attempts
Monitor for unexpected command execution
Watch for outbound connections to unknown C2 domains
Scan hosts for credential-stealing malware

Incident Response Playbook

If Compromise is Confirmed:

  1. 1
    Isolate the affected system immediately
  2. 2
    Revoke all exposed credentials and API keys
  3. 3
    Audit all skill installations for malicious content
  4. 4
    Validate integrity of stored configuration files
  5. 5
    Check for lateral movement indicators
  6. 6
    Redeploy Moltbot with hardened security settings
  7. 7
    Implement continuous monitoring going forward

Research Attribution

This analysis is based on threat intelligence from SOC Prime's Threat Detection Marketplace and research published by their threat research team.

SOC Prime PlatformThreat Detection Marketplace

Protect Your Infrastructure

Use PROXIES.SX mobile proxies to test your security posture from different network perspectives. Identify exposed services before threat actors do.

Test Your ProxiesGet Mobile Proxies

Related Security Research

Stealth Browser MCP

AI-powered browser automation with CDP-based controls

MCP Server for AI Agents

42 tools for AI-powered proxy infrastructure management

Back to Blog