Update malicious-patterns.json with forensic analysis IOCs #11
Description
Summary
The forensic analysis identifies specific malicious skills, C2 infrastructure, and attack indicators that are not yet in references/malicious-patterns.json. The Cisco Skill Scanner audit found four weaponized skills with concrete behavioral signatures that should be added to the detection database.
Current State
malicious-patterns.json contains:
- 12 known malicious packages
- 10 suspicious domains
- 15 dangerous patterns (PAT-001..015)
- ClawHavoc-specific indicators
Missing Indicators from Forensic Analysis
1. Malicious Skills Identified by Cisco
| Skill Name | Behavior | IOC Type |
|---|---|---|
| "What Would Elon Do?" | Silent network calls exfiltrating data | Network exfil |
| Polymarket-All-in-One | Logic bomb establishing persistent bash reverse shell | Reverse shell |
| Apple Update Mock | Fake update establishing encrypted tunnel to C2 | C2 tunnel |
| Credential Hunter | Searches ~/.clawdbot/ for .env files |
Credential theft |
Proposed additions to known_malicious_packages:
"what-would-elon-do",
"polymarket-all-in-one",
"polymarket-allinone",
"apple-update-mock",
"apple-update",
"credential-hunter",
"cred-hunter"2. New Dangerous Patterns
{
"id": "PAT-016",
"pattern": "bash\\s+-i\\s+>&\\s+/dev/tcp/",
"severity": "critical",
"description": "Bash reverse shell via /dev/tcp (Polymarket-All-in-One technique)"
},
{
"id": "PAT-017",
"pattern": "mkfifo\\s+/tmp/.*nc\\s+",
"severity": "critical",
"description": "Named pipe reverse shell via netcat"
},
{
"id": "PAT-018",
"pattern": "openssl\\s+s_client\\s+-connect",
"severity": "critical",
"description": "Encrypted C2 tunnel via openssl (Apple Update Mock technique)"
},
{
"id": "PAT-019",
"pattern": "\\.clawdbot/\\.env|\\.clawdbot/cred",
"severity": "critical",
"description": "Legacy Clawdbot credential path targeting (Credential Hunter technique)"
},
{
"id": "PAT-020",
"pattern": "\\.moltbot/\\.env|\\.moltbot/cred",
"severity": "critical",
"description": "Legacy Moltbot credential path targeting"
},
{
"id": "PAT-021",
"pattern": "Supabase.*anon.*key|supabaseUrl.*supabaseKey",
"severity": "warn",
"description": "Exposed Supabase credentials (Moltbook breach vector)"
}3. New C2 Patterns
From the forensic analysis, add to clawhavoc_indicators.c2_patterns:
"c2_patterns": [
"api.openclaw-cdn.com",
"cdn-claw.xyz/update",
"clawstatic.net/pkg",
"moltbook.app/api",
"clawdbot-update.com",
"openclaw-mirror.xyz"
]4. New File Targets
"file_targets": [
"~/.openclaw/credentials.json",
"~/.openclaw/wallet.json",
"~/Library/Keychains",
"~/.ssh/id_*",
"~/.gnupg/private-keys*",
"~/.clawdbot/.env",
"~/.clawdbot/credentials.json",
"~/.moltbot/.env",
"~/.moltbot/credentials.json",
"~/.openclaw/signal/"
]5. New Section: Moltbook Indicators
"moltbook_indicators": {
"description": "Indicators from the Moltbook social network breach (Jan 2026)",
"exposed_data_types": [
"supabase_anon_key",
"api_auth_tokens",
"agent_memory_states",
"user_email_addresses"
],
"worm_propagation_patterns": [
"Prompt injection in bot posts propagating to follower agents",
"Memory poisoning via inter-agent message consumption"
]
}Implementation
Update references/malicious-patterns.json to include all new entries. The existing scanners (scan_skills.sh, scan_supply_chain.sh) already load from this file dynamically, so adding entries here immediately expands detection coverage.
References
- Forensic analysis: "Cisco Skill Scanner Findings" table
- Forensic analysis: "Moltbook: The Risks of Bot Socialization"
- Forensic analysis: "Malware Evolution: Adapting to Agentic Structures"