PROBABLYPWNED
Malware | March 5, 2026 | 3 min read

Attackers Use Bing AI Search to Distribute GhostSocks Malware

Malicious GitHub repositories exploiting Bing AI search results to distribute infostealers and GhostSocks proxy malware. Fake OpenClaw installers turn victims into residential proxies.

James Rivera

Security researchers identified malicious GitHub repositories exploiting Bing AI search results to distribute information stealers and GhostSocks malware between February 2 and 10, 2026. The campaign demonstrates how quickly threat actors weaponize new technologies to steal credentials and turn compromised machines into residential proxies.

The attack exploited Bing's AI search capabilities for distribution. When someone searched "OpenClaw Windows" through Bing, the AI suggestion linked directly to a newly created malicious GitHub repository named openclaw-installer. Simply hosting the malware on GitHub was enough to poison the search results and propel the malicious repo to the top suggestion.

GhostSocks: Turning Victims into Proxies

GhostSocks is proxy malware used by criminals to turn compromised machines into residential proxies. These proxies route malicious traffic and access compromised accounts using stolen credentials. Using a proxy machine allows criminals to bypass anti-fraud checks when accessing accounts, making stolen credentials more valuable.

The residential proxy network aspect makes this particularly concerning. Beyond the initial credential theft, infected machines become infrastructure for future attacks—credential stuffing, account takeover, and fraud operations all benefit from routing through legitimate residential IP addresses.

This attack follows a pattern similar to the StripeAPI.NET NuGet typosquat that targeted developer ecosystems through package repository poisoning. The key difference: this campaign uses AI search results rather than dependency confusion.

Attack Infrastructure

The malicious repository was created by an account that joined GitHub in September 2025 but had no public activity until it opened an issue on the official OpenClaw repository promoting another repository—openclaw-trading-assistant—under the organization molt-bot. That issue was later marked as spam by maintainers.

The malware-laced installers were disguised as legitimate OpenClaw software. OpenClaw is a popular open-source AI agent framework, making it an attractive target for impersonation. Users seeking to install the tool through search engines instead of official channels became victims.

We previously covered how Vidar infostealers began targeting OpenClaw configuration files, stealing agent credentials and memory files. This campaign takes a different approach—instead of stealing from existing OpenClaw users, attackers create fake installation vectors to compromise users before they even set up the software.

AI Search Manipulation

The Bing AI search results lent credibility to the malicious repository. AI-generated search summaries don't inherently validate the trustworthiness of sources they cite. When an AI confidently suggests a link as the answer to a user's query, users tend to trust that recommendation.

This represents an emerging threat vector as AI search becomes more prevalent. Traditional SEO poisoning required significant effort to rank malicious pages. AI search can be manipulated through different signals—repository activity, issue discussions, and other GitHub-specific metadata that the AI interprets as relevance signals.

The shadow-reactor Remcos RAT campaign showed similar patterns of attackers exploiting trusted developer infrastructure. GitHub's reputation as a legitimate platform provides cover for malicious repositories before they're reported and removed.

Protecting Against AI Search Poisoning

  1. Verify official sources - Navigate to software projects through official websites, not search results
  2. Check repository age - Newly created repositories claiming to be established software are red flags
  3. Review commit history - Legitimate projects have meaningful commit histories
  4. Look for verification - Official projects often have verified organization badges on GitHub
  5. Use official package managers - When available, install through pip, npm, or cargo rather than random installers
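
Checks 2 through 4 can be automated before anyone runs an installer. The script below is an added example, not code from the original article or from the OpenClaw project: it scores a repository against repository age, commit count and whether the owner is a verified organization. It works on records shaped like the GitHub REST API responses for a repository and an organization (an assumption about field names), the two sample records are constructed, and the thresholds are assumptions, not figures from the article.

```python
"""Score a GitHub repository against the age / history / verification checks.

Added example, not the article's code. Input records are assumed to be in the
shape of the GitHub REST API (`GET /repos/{owner}/{repo}`, `GET /orgs/{org}`);
the samples below are constructed and the thresholds are assumptions.
"""
from datetime import datetime, timezone
from typing import Optional

MIN_AGE_DAYS = 90   # assumption: a "mature" project should be at least this old
MIN_COMMITS = 20    # assumption: fewer commits than this is not a meaningful history


def parse_ts(value: str) -> datetime:
    """Parse an API timestamp such as '2026-02-02T00:00:00Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_repo(repo: dict, org: Optional[dict], commit_count: int, now: datetime) -> list:
    """Return the checks the repository fails; an empty list means all checks passed."""
    flags = []
    age_days = (now - parse_ts(repo["created_at"])).days
    if age_days < MIN_AGE_DAYS:
        flags.append(f"repository is only {age_days} days old")
    if commit_count < MIN_COMMITS:
        flags.append(f"only {commit_count} commits")
    # Only organizations can carry the verified badge; a personal account never can.
    is_org = repo["owner"]["type"] == "Organization"
    if not (is_org and (org or {}).get("is_verified", False)):
        flags.append("owner is not a verified organization")
    return flags


# Constructed sample records; they do not describe real repositories.
NOW = datetime(2026, 2, 10, tzinfo=timezone.utc)
SUSPECT_REPO = {"name": "example-installer",
                "created_at": "2026-02-02T00:00:00Z",
                "owner": {"login": "new-user", "type": "User"}}
ESTABLISHED_REPO = {"name": "example-agent",
                    "created_at": "2024-05-01T00:00:00Z",
                    "owner": {"login": "example-org", "type": "Organization"}}
ESTABLISHED_ORG = {"login": "example-org", "is_verified": True}

if __name__ == "__main__":
    print(assess_repo(SUSPECT_REPO, None, 3, NOW))
    print(assess_repo(ESTABLISHED_REPO, ESTABLISHED_ORG, 450, NOW))
```

Feeding the script live API responses instead of the constructed records turns it into a pre-install gate; a non-empty result is a reason to go back to the project's official website rather than the search result.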

The malicious repositories have been reported and removed from GitHub. Organizations should check endpoint detection logs for connections to residential proxy infrastructure, which may indicate GhostSocks infections.
