
OpenClaw Fake Installer Ships Rust Hologram Dropper Stealing 250 Crypto Wallet Extensions

By xploitzone
May 8, 2026 2:51 AM

Netskope Threat Labs has documented Hologram, a six-binary modular Rust framework delivered through a fake OpenClaw installer. It targets 250 crypto wallet and password manager browser extensions and combines clroxide CLR injection, a Hookdeck webhook relay in front of its Telegram C2, and direct NT syscalls for thread injection to evade user-mode EDR hooks.

Imagine you download a security tool. The site looks professional. The project has a GitHub repository. The installer runs. A UAC prompt appears stating that a driver is required for installation. You allow it. After a few seconds nothing happens on screen. The installation appears complete.

Fake OpenClaw installer website openclaw-installer.com
used to deliver Hologram Rust infostealer dropper in 2026
Source: Netskope Threat Labs OpenClaw Hologram Campaign Analysis (May 7, 2026)

Everything appears normal. But in the background several malicious executables have landed on your system, Windows Defender has been disabled, and your username and public IP address have been posted to the attacker's Telegram channel.

And if MetaMask, Coinbase or LastPass is installed in your browser, that extension is on a dynamically updated target list. This is the Hologram campaign as Netskope Threat Labs described it on May 7, 2026: not one wave but three, with infrastructure that rotated three times, once during active analysis.

OpenClaw is a legitimate open source project. The attackers registered a convincing fake site, openclaw-installer.com, on March 9, 2026, and backed it with a fake GitHub repository under a throwaway account, bgodimpulse7, that typosquats the legitimate openclaw/openclaw project.

Visitors downloaded a 130MB Rust executable named OpenClaw_x64.exe. The size is deliberate: many antivirus engines skip files above a size threshold, and the same move breaks API-based sandbox upload limits.

OpenClaw_x64.exe file properties showing 130MB size and
Decoy entity generator for tactical misdirection description
Source: Netskope Threat Labs Hologram Dropper PE Analysis (May 7, 2026)

The archive also contained fake documentation so that it would look plausible to anyone inspecting it. The most telling detail sits in the PE manifest itself: name="Hologram", description="Decoy entity generator for tactical misdirection". The attacker did not even try to hide the name.

Hologram Dropper Technical Architecture

The malicious code does not run immediately on execution. First comes a multi-tier anti-VM check. The first pass looks for VirtualBox BIOS strings, searches for sandbox-associated DLLs, checks MAC address prefixes against known VM vendors, and aborts if the username is on a blocklist.

Systems that pass still go through hardware profile scoring: GPU type, CPU core count, RAM and disk size, and screen resolution. Common sandbox resolutions fail outright. After all that comes a final gate: mouse movement. The dropper waits for the user to move the mouse. Automated sandboxes do not, so this simple check is devastatingly effective.

Stage 1 PowerShell Payload Disables Microsoft Defender

After the mouse gate is passed, an embedded PowerShell payload is decoded; the encoding is Base64 plus XOR with key 44. The PS1 script guts Windows Defender: it adds exclusion paths, turns off cloud-delivered protection and disables behavior monitoring.

All cmdlet names are assembled at runtime from string fragments, so static PS1 detection rules that look for the full names do not match.

Hologram campaign PowerShell obfuscation showing runtime
string fragmentation of cmdlet names to bypass static detection rules
Source: Netskope Threat Labs Hologram Stage 1 PowerShell Analysis (May 7, 2026)

Inbound firewall rules are then opened for ports 57001, 57002 and 56001, the ports the stage 2 framework uses. The archive password comes from a dead-drop URL, and the password-protected 7z payload is downloaded from the C2.
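
The decoding and deobfuscation just described translate directly into a triage script. The following Python is an added example written for this article, not code from the page, from Netskope or from the malware. Its sample PowerShell is constructed; the layering order (Base64-decode, then XOR each byte with 44) is an assumption, since the write-up names both layers but not their order; and the two cmdlet fragmentation idioms it undoes are the common ones, not necessarily the exact form Hologram uses.

```python
"""Stage 1 triage: decode a Base64 + XOR(44) PowerShell blob, undo the
string-fragmentation of cmdlet names, and pull out Defender-tampering and
firewall-opening indicators. Added example, not the page's or Netskope's code.
SAMPLE_PS1 is constructed; the decode order (Base64, then XOR 44) is an
assumption."""
import base64
import re

XOR_KEY = 44
HOLOGRAM_PORT_RANGE = range(56001, 57003)  # 56001..57002 as listed in the write-up


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def encode_stage1(script: str) -> str:
    """Re-create the layering so the decoder can be exercised offline."""
    return base64.b64encode(xor_bytes(script.encode("utf-8"))).decode("ascii")


def decode_stage1(blob: str) -> str:
    return xor_bytes(base64.b64decode(blob)).decode("utf-8")


# Two fragmentation idioms: ('Set-Mp'+'Preference') and ('{0}{1}' -f 'Set-Mp','Preference')
_STR = r"""(?:'[^']*'|"[^"]*")"""
_LITERAL = re.compile(_STR)
_CONCAT = re.compile(r"\(\s*(" + _STR + r"(?:\s*\+\s*" + _STR + r")+)\s*\)")
_FORMAT = re.compile(r"\(\s*(" + _STR + r")\s*-f\s*(" + _STR + r"(?:\s*,\s*" + _STR + r")*)\s*\)")


def _unquote(lit: str) -> str:
    return lit[1:-1]


def deobfuscate(script: str) -> str:
    """Collapse both idioms into plain literals, repeating until nothing
    changes so nested fragments are handled too."""
    prev = None
    while prev != script:
        prev = script
        script = _FORMAT.sub(lambda m: "'" + _unquote(m.group(1)).format(
            *[_unquote(s) for s in _LITERAL.findall(m.group(2))]) + "'", script)
        script = _CONCAT.sub(lambda m: "'" + "".join(
            _unquote(s) for s in _LITERAL.findall(m.group(1))) + "'", script)
    return script


INDICATORS = [
    ("Set-MpPreference", r"\bSet-MpPreference\b"),
    ("Add-MpPreference", r"\bAdd-MpPreference\b"),
    ("DisableRealtimeMonitoring", r"\bDisableRealtimeMonitoring\b"),
    ("DisableBehaviorMonitoring", r"\bDisableBehaviorMonitoring\b"),
    ("MAPSReporting", r"\bMAPSReporting\b"),
    ("ExclusionPath", r"\bExclusionPath\b"),
    ("netsh inbound allow rule",
     r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b.*\baction=allow\b"),
]


def find_indicators(script: str) -> list:
    """Run the indicator regexes over the *deobfuscated* script."""
    return [name for name, pat in INDICATORS if re.search(pat, script, re.I)]


def inbound_ports_opened(script: str) -> list:
    """Local ports opened by 'netsh advfirewall firewall add rule ... dir=in'."""
    ports = set()
    for line in script.splitlines():
        if re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", line, re.I) \
                and re.search(r"\bdir=in\b", line, re.I):
            ports.update(int(p) for p in re.findall(r"\blocalport=(\d+)", line, re.I))
    return sorted(ports)


def triage(blob: str) -> dict:
    script = deobfuscate(decode_stage1(blob))
    ports = inbound_ports_opened(script)
    return {"script": script,
            "indicators": find_indicators(script),
            "inbound_ports": ports,
            "ports_in_hologram_range": [p for p in ports if p in HOLOGRAM_PORT_RANGE]}


# Constructed sample in the shape the write-up describes (not the real stage 1 script).
SAMPLE_PS1 = r"""
$d = ('Set-Mp'+'Preference')
& $d -DisableRealtimeMonitoring $true -MAPSReporting 0
& ('{0}{1}' -f 'Add-Mp','Preference') -ExclusionPath 'C:\Users\Public'
& ('Set-'+'MpPre'+'ference') -DisableBehaviorMonitoring $true
netsh advfirewall firewall add rule name="OneSync" dir=in action=allow protocol=TCP localport=57001
netsh advfirewall firewall add rule name="OneSync2" dir=in action=allow protocol=TCP localport=56001
"""
SAMPLE_BLOB = encode_stage1(SAMPLE_PS1)

if __name__ == "__main__":
    result = triage(SAMPLE_BLOB)
    print(result["indicators"], result["ports_in_hologram_range"])
```

The point of running the indicator regexes only after deobfuscate() is that the fragmented form defeats a plain string match; the fixed-point loop also handles fragments nested inside other fragments.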

The victim's username, public IP address and a timestamp are then sent to the attacker's Telegram channel. But there is a twist: the Telegram bot token never appears in the traffic. The message is routed through the Hookdeck webhook relay hkdk.events/djbk1i9hp0sqoh.

Hookdeck outbound request showing 6/6 SUCCESS module
confirmations with campaign tag Soft0404 routed through hkdk.events relay
Source: Netskope Threat Labs Hologram Hookdeck C2 Relay Analysis (May 7, 2026)

Netskope describes this as the first documented use of Hookdeck as a malware C2 relay. The bot token lives in the server-side Hookdeck configuration; only the chat ID is visible on the wire. Even an analyst who captures the entire session cannot recover the bot token.

Stage 2 Six-Binary Stealth Malware Framework

Six binaries land in C:\Users\Public. OneDriveSync.lnk is placed in the Startup folder so the framework survives reboots, and this persistence is pinned before any module runs. audioeq.exe runs first.

Windows Startup folder showing OneDriveSync persistence
link placed by Hologram dropper for system reboot survival
Source: Netskope Threat Labs Hologram Persistence Mechanism Analysis (May 7, 2026)

It collects a hardware fingerprint: computer name, processor info and path variables. Its TOML config file masquerades as the Windows Host Configuration Service, and XOR-obfuscated strings slow static analysis. This fingerprint likely gates whether the victim is worth the full implant stack.

virtnetwork.exe opens the primary C2 channel, beaconing every 5 to 30 seconds over HTTPS to frr.rubensbruno.adv.br with a spoofed Mac Firefox User-Agent. The server's replies drive the implant: W10= means an empty queue, a 7z archive delivers a payload, and a block response is the kill signal.
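
A defender can hunt for this beacon shape without knowing the domain. The following Python is an added example, not Netskope's tooling or anything from the page. The proxy log lines are constructed, and the process column assumes the proxy log has been joined with endpoint network telemetry (Sysmon Event ID 3 or similar), which is an assumption about your environment.

```python
"""Hunt for the beacon shape described above in proxy telemetry. Added
example, not Netskope's tooling. SAMPLE_LOG is constructed; the process
column assumes proxy logs joined with endpoint network events (assumption)."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    host: str
    host_os: str
    process: str
    dest: str
    user_agent: str


BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

MAC_FF = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0"
WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"
C2 = "frr.rubensbruno.adv.br"

# Constructed sample, tab-separated: time, host, host OS, process, destination, User-Agent.
SAMPLE_LOG = "\n".join([
    f"2026-05-07T10:00:00Z\tWS01\twindows\tvirtnetwork.exe\t{C2}\t{MAC_FF}",
    f"2026-05-07T10:00:05Z\tWS01\twindows\tchrome.exe\tgithub.com\t{WIN_CHROME}",
    f"2026-05-07T10:00:11Z\tWS01\twindows\tvirtnetwork.exe\t{C2}\t{MAC_FF}",
    f"2026-05-07T10:00:24Z\tWS01\twindows\tvirtnetwork.exe\t{C2}\t{MAC_FF}",
    f"2026-05-07T10:00:36Z\tWS01\twindows\tvirtnetwork.exe\t{C2}\t{MAC_FF}",
    f"2026-05-07T10:00:40Z\tWS01\twindows\tchrome.exe\tgithub.com\t{WIN_CHROME}",
    f"2026-05-07T10:00:47Z\tWS01\twindows\tvirtnetwork.exe\t{C2}\t{MAC_FF}",
    f"2026-05-07T10:01:01Z\tWS01\twindows\tvirtnetwork.exe\t{C2}\t{MAC_FF}",
    f"2026-05-07T10:01:13Z\tWS01\twindows\tvirtnetwork.exe\t{C2}\t{MAC_FF}",
    f"2026-05-07T10:01:25Z\tWS01\twindows\tvirtnetwork.exe\t{C2}\t{MAC_FF}",
])


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, host_os, proc, dest, ua = line.split("\t", 5)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            host, host_os, proc, dest, ua))
    return events


def ua_platform(ua: str) -> str:
    """Platform the User-Agent claims to be running on."""
    u = ua.lower()
    if "macintosh" in u:
        return "macos"
    if "windows nt" in u:
        return "windows"
    if "linux" in u or "android" in u:
        return "linux"
    return "unknown"


def ua_mismatches(events) -> list:
    """Non-browser process presenting a browser UA whose platform contradicts
    the host OS (a Windows host claiming to be Mac Firefox)."""
    return [e for e in events
            if e.process.lower() not in BROWSERS
            and ua_platform(e.user_agent) not in ("unknown", e.host_os)]


def beacon_candidates(events, min_count=5, low=5.0, high=30.0) -> dict:
    """Per (host, process, destination): flag short, regular intervals (5-30 s
    per the write-up). The median tolerates the jitter the implant adds."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.host, e.process, e.dest)].append(e.ts)
    found = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(deltas)
        if low <= med <= high:
            found[key] = {"count": len(stamps), "median_interval": med,
                          "jitter": max(deltas) - min(deltas)}
    return found


def hunt(text: str) -> dict:
    events = parse_log(text)
    return {"ua_mismatch": ua_mismatches(events), "beacons": beacon_candidates(events)}


if __name__ == "__main__":
    for key, stats in hunt(SAMPLE_LOG)["beacons"].items():
        print(key, stats)
```

Two signals are combined because either alone is noisy: plenty of software polls every few seconds, and a User-Agent/host-OS mismatch on its own can be a VPN client or an updater. A non-browser process that does both against one destination is worth a ticket whatever the domain is that week.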

Hologram virtnetwork.exe beacon request to frr.rubensbruno.adv.br
showing Mac Firefox User-Agent spoof and MetaMask wallet extension targeting
Source: Netskope Threat Labs Hologram C2 Beaconing Traffic Analysis (May 7, 2026)

svc_service.exe is the most advanced binary. It uses the clroxide Rust crate to host the .NET CLR inside a native process, a technique more often seen in red team toolkits than in crimeware: mscoree.dll is loaded, CreateInterface is called and an ICorRuntimeHost is obtained.

Stealth Packer console output showing StealthPackerMutex
CLR loading via clroxide COM hijacking and mouse movement user activity detection
Source: Netskope Threat Labs Hologram Stealth Packer Runtime Analysis (May 7, 2026)

An embedded .NET assembly is then executed entirely in memory with no disk activity. Netskope researchers note that, as of publication, public threat intelligence reporting contains no documented use of clroxide in a crimeware campaign.

This one binary carries three layers of persistence: a Registry Run autorun, a WinLogon Userinit hijack in which the payload is prepended before userinit.exe, and a scheduled task created with /SC ONLOGON /RL HIGHEST. Thread injection uses direct NT syscalls (NtGetContextThread, NtSetContextThread, NtSuspendThread, NtResumeThread), all resolved dynamically at runtime. Because the calls never pass through ntdll's exported stubs, user-mode EDR hooks on those functions do not see them; catching this requires kernel-side telemetry such as ETW Threat Intelligence events or a callback-based sensor.
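
Each of the three persistence layers leaves a host artifact that can be audited from exported settings. The following Python is an added example, not code from the page or from Netskope. The Userinit value, Run-key entries and task XML are constructed samples shaped like the real Windows formats; collection from a live host (reg.exe, schtasks /query /xml) is left out so the check runs offline.

```python
"""Audit for the three persistence layers named above. Added example, not the
page's or Netskope's code. All inputs are constructed samples in the shape of
a Winlogon Userinit value, Run-key entries and an exported Task Scheduler XML."""
import xml.etree.ElementTree as ET

STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
# Locations a dropped binary typically runs from; extend for your estate.
USER_WRITABLE = (r"c:\users\public", r"c:\programdata", r"\appdata\local\temp",
                 "%temp%", "%public%")
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def in_user_writable(path: str) -> bool:
    p = path.strip('"').lower()
    return any(marker in p for marker in USER_WRITABLE)


def audit_userinit(value: str) -> dict:
    r"""Stock value is 'C:\Windows\system32\userinit.exe,'. Every entry in the
    comma list runs at logon; an entry *before* userinit.exe is the prepend
    hijack described above."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    extra = [e for e in entries if e.lower() != STOCK_USERINIT]
    prepended = bool(entries) and entries[0].lower() != STOCK_USERINIT
    return {"extra": extra, "prepended": prepended}


def suspicious_autoruns(run_entries: dict) -> list:
    """Run-key values whose command lives in a user-writable location."""
    return sorted(name for name, cmd in run_entries.items() if in_user_writable(cmd))


def audit_task_xml(xml_text: str) -> dict:
    """Flag a task that fires at logon, asks for HighestAvailable (what
    /RL HIGHEST produces) and runs a binary from a user-writable path."""
    root = ET.fromstring(xml_text)
    ns = TASK_NS["t"]
    logon = root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None
    highest = any((r.text or "") == "HighestAvailable" for r in root.iter(f"{{{ns}}}RunLevel"))
    commands = [(c.text or "") for c in root.iter(f"{{{ns}}}Command")]
    return {"logon_trigger": logon, "highest_available": highest, "commands": commands,
            "suspicious": logon and highest and any(in_user_writable(c) for c in commands)}


# Constructed samples (not real registry exports from an infected host).
SAMPLE_USERINIT = r"C:\Users\Public\svc_service.exe,C:\Windows\system32\userinit.exe,"
SAMPLE_RUN = {"OneDriveSync": r"C:\Users\Public\OneSync.exe",
              "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe"}
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\svc_service.exe</Command></Exec></Actions>
</Task>"""


def audit_all(userinit: str, run_entries: dict, task_xml: str) -> dict:
    return {"userinit": audit_userinit(userinit),
            "run_keys": suspicious_autoruns(run_entries),
            "task": audit_task_xml(task_xml)}


if __name__ == "__main__":
    print(audit_all(SAMPLE_USERINIT, SAMPLE_RUN, SAMPLE_TASK))
```

The Userinit check is the one most often missed: the value is a comma-separated list, so a prepended path keeps the stock entry intact and the logon still looks normal to the user.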

onedrive_sync.exe is the heaviest binary at 13MB. Its custom entropy_reducer.rs module decrypts an embedded PE payload and runs it filelessly through the memexec crate using NtAllocateVirtualMemory and NtProtectVirtualMemory; nothing is written to disk. WinHealhCare.exe and OneSync.exe are independent Telegram-bot droppers that survive even if the main implant is removed.

250 Browser Extensions Targeted Through Dynamic Updates

During stage 2 setup, a browser extension targeting manifest is fetched from the Azure DevOps organization sagonbretzpr. It is a plaintext file disguised with a .7z extension. The list holds 250 entries: 201 crypto wallets, including MetaMask, Phantom, Coinbase, OKX, Rabby and Ronin, and 49 password managers and 2FA authenticators, including Bitwarden, LastPass, 1Password, NordPass, Dashlane, KeePass and Google Authenticator.

Because the list is a file in a Git repository rather than a string hardcoded in the binaries, the operator can change targets without recompiling. This is a separate theft vector from the Ledger Live filesystem module, so one campaign runs two independent credential theft paths.
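
A plaintext file served under a .7z name is a content/extension mismatch that a proxy, CASB or sandbox can flag without understanding the file. The following Python is an added example, not Netskope's code; the two sample objects are constructed, and the check generalizes to any extension with a known signature.

```python
"""Check that a fetched staging object is what its name claims. Added example,
not Netskope's code. A genuine 7z archive starts with 37 7A BC AF 27 1C; the
campaign's manifest is plain text under a .7z name. Samples are constructed."""
import os

MAGIC = {
    ".7z": (b"7z\xbc\xaf\x27\x1c",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".gz": (b"\x1f\x8b",),
    ".exe": (b"MZ",),
    ".dll": (b"MZ",),
}
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """True when the bytes are overwhelmingly printable ASCII with no NULs."""
    if not data or b"\x00" in data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold


def check_object(name: str, data: bytes) -> dict:
    ext = os.path.splitext(name.lower())[1]
    sigs = MAGIC.get(ext)
    magic_ok = None if sigs is None else any(data.startswith(s) for s in sigs)
    text = looks_like_text(data)
    if magic_ok is False and text:
        verdict = "mismatch: text content under a binary extension"
    elif magic_ok is False:
        verdict = "mismatch: unknown binary under " + ext
    elif magic_ok is None:
        verdict = "no signature known for " + ext
    else:
        verdict = "ok"
    return {"name": name, "extension": ext, "magic_ok": magic_ok,
            "looks_like_text": text, "lines": data.count(b"\n") if text else 0,
            "verdict": verdict}


# Constructed samples: a minimal real 7z header, and a fake "archive" that is a line list.
REAL_7Z = b"7z\xbc\xaf\x27\x1c\x00\x04" + bytes(24)
FAKE_MANIFEST = b"extension-id-0001\nextension-id-0002\nextension-id-0003\n"

if __name__ == "__main__":
    for name, blob in (("targets.7z", FAKE_MANIFEST), ("payload.7z", REAL_7Z)):
        print(check_object(name, blob))
```

The line count is reported for the text case because a "7z" that is really a few hundred short lines is exactly the targeting-manifest shape; on a real download the same function sits in front of whatever parses the list.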

C2 Dead-Drop Mechanism

The public description of the Telegram channel t.me/b8bz11 carries the C2 address in encoded form: lv80gzr|frr.rubensbruno.adv.br, with the pipe character as the config field delimiter. The framework parses the channel description to extract the primary C2 domain. frr.rubensbruno.adv.br is a subdomain of a Brazilian law firm's domain registered in 2014.

Telegram channel b8bz11 showing dead-drop C2 address
frr.rubensbruno.adv.br used by Hologram Stealth Packer framework
Source: Netskope Threat Labs Hologram C2 Infrastructure Analysis (May 7, 2026)

The .adv.br second-level domain is restricted to legal professionals, so this is a compromised subdomain rather than attacker-registered infrastructure. The subdomain has 17 malicious detections on VirusTotal against 6 for the root domain. After the infrastructure rotation, the Telegram channel moved to t.me/hgo9tx and the C2 to hwd.hidayahnetwork.com in the Pathfinder wave.

Defense Perspective

This campaign is a master class in bypassing conventional defenses. The mouse movement gate defeats automated sandboxes. The 130MB size crosses AV scanning thresholds. In-memory CLR execution via clroxide keeps disk artifacts at zero.

memexec fileless execution leaves no trace on disk. Direct NT syscalls operate beneath user-mode EDR hooks. Traffic to the Hookdeck relay looks like a legitimate webhook service. Payload staging on Azure DevOps sits inside enterprise allowlists. C2 rotation through a Telegram dead drop needs no recompilation. Each of these is a milestone-level evasion on its own.

Behavioral Detection Signals That Survive Infrastructure Rotation

Domain blocking is insufficient because the infrastructure rotates. The signals that survive are behavioral: inbound TCP firewall rules that programmatically open ports in the 56001 to 57002 range; outbound connections to hkdk.events, or to any webhook relay domain, from non-user processes; outbound connections to Azure DevOps organizations from non-development processes; PowerShell spawned by a dropped binary whose cmdlet names are assembled at runtime from fragments; outbound connections to the Telegram API from non-user processes; and PE samples padded past sandbox size thresholds. All of these persist after a domain change.

Special Warning for Password Manager Users

Of the 250 targeted extensions, 49 are password managers and 2FA tools: Bitwarden, LastPass, 1Password, KeePass, Google Authenticator. If you use these as browser extensions, this campaign targets you directly. Browser-based password manager extensions are convenient but more exposed than desktop applications and hardware keys.

For crypto users, Ledger Live's filesystem module is a threat vector separate from extension theft. A Ledger hardware wallet keeps the private key off the host, and the recovery phrase never leaves the device unless the user types it in; the risk is that an attacker who controls the Ledger Live installation can tamper with what the app displays and phish the recovery phrase from the user.

Feed the IOCs into the security stack immediately. openclaw-installer.com, hkdk.events, microlibraryifosttry.info, transcloud.cc, steamhostserver.cc and serverconect.cc should all be on the block list, and any connection to the Azure DevOps organization sagonbretzpr should be investigated. The mutex Global\StealthPackerMutex_9A8B7C is a live detection signal for memory scanning.

The Hologram campaign marks a turning point in the maturation of Rust-based crimeware. In February 2026 Huntress documented simple Vidar and PureLogs delivery from the same developer. Eleven weeks later, the same build environment produced CLR injection, reflective PE loading, a WinLogon hijack, NT syscall thread injection, COM hijacking and a Hookdeck C2 relay.

That is a substantially expanded attack surface, and the pattern suggests the operator fundamentally upgraded its toolkit after public exposure. For defenders this is not just an incident. It is a reminder that crimeware operators now possess red team-grade capabilities, and when they upgrade their tools they become more targeted, more invasive and more professional.

Simply blocking IOCs is not enough. Behavior monitoring, tenant-level CASB controls and application-layer inspection are all essential now. An infection that starts with a mouse click, lands six binaries, uses NT syscalls and routes through Hookdeck is crimeware for 2026. Thinking your antivirus is good enough is thinking for 2020.
