Incident Score: Analysis & Impact (TP-HIKFOXGOOREVARITHEOPECIS1770645410)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Supply Chain Compromise (T1195) with high confidence (90%), with evidence including sophisticated supply chain attack targeted Notepad++, and winGUp updater redirected to malicious servers, Compromise Software Supply Chain (T1195.002) with high confidence (90%), with evidence including notepad++ WinGUp update verification flaw exploited, and docker AI assistant RCE via malicious image metadata, Phishing (T1566) with moderate to high confidence (80%), with evidence including state-sponsored phishing attacks via Signal, and exploiting PIN and device-linking features, Exploit Public-Facing Application (T1190) with moderate to high confidence (80%), with evidence including exposed OpenClaw gateways (port 18789) targeted, and 21,639 exposed OpenClaw instances identified, and Drive-by Compromise (T1189) with moderate to high confidence (70%), with evidence including malicious components in OpenClaw ClawHub marketplace, and typosquatted claw packages on npm and PyPI. Under the Execution tactic, the analysis identified Exploitation for Client Execution (T1203) with moderate to high confidence (80%), with evidence including docker MCP Gateway RCE via malicious instructions, and notepad++ WinGUp update verification flaw, Command and Scripting Interpreter (T1059) with moderate to high confidence (70%), with evidence including shadowHS fileless Linux framework runs in memory, and modules for command execution, and User Execution (T1204) with moderate confidence (60%), with evidence including malicious AI extensions in OpenClaw, and typosquatted packages on npm/PyPI. Under the Persistence tactic, the analysis identified Server Software Component: Web Shell (T1505.003) with moderate to high confidence (70%), supported by evidence indicating attackers bypassed OpenClaw AI layers to target WebSocket API and Create or Modify System Process (T1543) with moderate confidence (60%), with evidence including shadowHS fileless framework runs in memory, and prioritizes stealth and long-term control. Under the Privilege Escalation tactic, the analysis identified Exploitation for Privilege Escalation (T1068) with moderate to high confidence (70%), with evidence including shadowHS includes privilege escalation modules, and openClaw authentication bypasses and Abuse Elevation Control Mechanism (T1548) with moderate confidence (60%), with evidence including signal PIN/device-linking features hijacked, and openClaw outdated trust model. Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information (T1027) with moderate to high confidence (80%), with evidence including shadowHS fileless framework runs entirely in memory, and etherHiding uses Ethereum smart contracts for C2, Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (70%), with evidence including shadowHS includes defensive tooling enumeration, and aggressive evasion tactics, Masquerading (T1036) with moderate to high confidence (70%), with evidence including typosquatted claw packages on npm/PyPI, and malicious AI extensions in ClawHub, and Hijack Execution Flow: DLL Side-Loading (T1574.002) with moderate confidence (60%), with evidence including etherHiding malware uses COM hijacking, and targets Windows systems. Under the Credential Access tactic, the analysis identified Credentials from Password Stores (T1555) with moderate to high confidence (70%), with evidence including shadowHS includes credential access modules, and openClaw authentication bypasses and Brute Force (T1110) with moderate confidence (60%), with evidence including signal account hijacking via PIN/device-linking, and openClaw exposed gateways. Under the Discovery tactic, the analysis identified Account Discovery (T1087) with moderate to high confidence (70%), with evidence including shadowHS includes system profiling, and targets high-value officials via Signal, File and Directory Discovery (T1083) with moderate confidence (60%), supported by evidence indicating shadowHS fileless framework enumerates defensive tools, and Network Service Scanning (T1046) with moderate to high confidence (80%), with evidence including active scanning of exposed OpenClaw gateways (port 18789), and 21,639 exposed instances identified. Under the Lateral Movement tactic, the analysis identified Exploitation of Remote Services (T1210) with moderate to high confidence (70%), with evidence including shadowHS includes lateral movement modules, and openClaw WebSocket API targeted and Remote Services (T1021) with moderate confidence (60%), with evidence including openClaw gateways exploited for command execution, and docker AI assistant RCE. Under the Collection tactic, the analysis identified Data from Local System (T1005) with moderate to high confidence (80%), with evidence including aI agent configurations compromised, and user data on MoltBook at risk, Automated Collection (T1119) with moderate to high confidence (70%), with evidence including moltBook AI agents interact without human oversight, and 506 prompt injection attacks identified, and Data from Information Repositories (T1213) with moderate confidence (60%), with evidence including spree IDOR flaws exposed user address data, and pII and payment info compromised. Under the Command and Control tactic, the analysis identified Application Layer Protocol (T1071) with moderate to high confidence (80%), with evidence including openClaw WebSocket API targeted for C2, and etherHiding uses Ethereum smart contracts, Ingress Tool Transfer (T1105) with moderate to high confidence (70%), with evidence including malicious AI extensions fetched from ClawHub, and typosquatted packages on npm/PyPI, and Proxy (T1090) with moderate confidence (60%), with evidence including etherHiding complicates C2 takedowns via blockchain, and shadowHS uses stealthy C2. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with moderate to high confidence (80%), with evidence including data exfiltration via OpenClaw and ShadowHS, and iNC Ransomware exfiltrated victim data and Exfiltration Over Web Service (T1567) with moderate to high confidence (70%), with evidence including aI agent data exfiltration risks, and moltBook unregulated cryptocurrency activity. Under the Impact tactic, the analysis identified Network Denial of Service (T1498) with high confidence (90%), with evidence including 31.4 Tbps DDoS attack by AISURU/Kimwolf botnet, and dDoS attacks surged 121% in 2025, Data Encrypted for Impact (T1486) with moderate to high confidence (80%), with evidence including iNC Ransomware encrypted victim data, and data exfiltration confirmed, and Data Manipulation (T1565) with moderate to high confidence (70%), with evidence including moltBook AI agents manipulated for social engineering, and prompt injection attacks. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.