Problem
The ClawHavoc campaign used multiple attack vectors. Our threat intel database has signatures for the known domains and C2 IPs, but new variants may use different staging infrastructure. We should expand coverage.
How to Fix
- Look at the existing campaign data in `src/malwar/data/` or the seed data loaded by `malwar db init`
- Study the existing ClawHavoc signatures (search for "clawhavoc" in the codebase)
- Add a new test fixture at `tests/fixtures/skills/malicious/` that represents a variant of ClawHavoc using a different staging technique (e.g., a GitHub Gist instead of glot.io, or a different paste site)
- Add the corresponding signature to the threat intel seed data
- Verify the new sample is detected by running `malwar scan` against it
Context
The ClawHavoc campaign trojanized ClawHub skills to deliver the AMOS infostealer. Known IOCs include:
- `glot.io/snippets/hfd3x9ueu5` (payload host)
- `download.setup-service.com` (payload domain)
- `91.92.242.30` (C2 IP)
- `Ddoy233/openclawcli` (malicious GitHub repo)
Reference
See `tests/fixtures/skills/real/malicious/snyk_clawhub.md` and `snyk_clawhub_agent.md` for existing samples.
Problem
The ClawHavoc campaign used multiple attack vectors. Our threat intel database has signatures for the known domains and C2 IPs, but new variants may use different staging infrastructure. We should expand coverage.
How to Fix
Context
The ClawHavoc campaign trojanized ClawHub skills to deliver the AMOS infostealer. Known IOCs include:
Reference
See `tests/fixtures/skills/real/malicious/snyk_clawhub.md` and `snyk_clawhub_agent.md` for existing samples.