Fake OpenClaw Graphical Installer Page
Netskope Threat Labs has recently uncovered a sophisticated, multi-wave campaign that has evolved from a simple credential stealer into a “red-team-grade” modular implant framework.
Targeting users searching for OpenClaw, a popular open-source AI project, the attackers are deploying a dropper whose manifest boldly declares its purpose: “Hologram – Decoy entity generator for tactical misdirection”.
The speed at which this threat actor is “retooling” is alarming. A first wave documented in February 2026 was relatively straightforward, delivering Vidar and PureLogs via a fake installer. However, the second and third waves, dubbed Hologram and Pathfinder, represent a massive jump in complexity.
The new framework features high-end evasion and persistence techniques, including:
- Advanced Injection: The use of CLR injection, reflective PE loading, and NT syscall thread injection.
- System Hijacking: The malware actively targets WinLogon and COM hijacking to maintain deep-seated persistence.
- Novel Tools: This campaign marks the “first documented use of clroxide in a crimeware campaign”.
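The two persistence mechanisms named in the list, WinLogon hijacking and COM hijacking, both leave traces in well-known registry locations, so a defender can baseline them quickly. The following PowerShell audit is an added example written for this article; it is not code from the Netskope report or from the campaign, and the expected WinLogon defaults it compares against are an assumption to adjust for your own build.

```powershell
# Added example (not from the Netskope report or this article): audit the two
# registry persistence locations named above on a Windows host.
# Run in an elevated PowerShell session; read-only, makes no changes.

$findings = [System.Collections.Generic.List[object]]::new()

# 1. WinLogon: Shell and Userinit are the classic hijack points. Anything that
#    differs from the stock values runs at every interactive logon.
#    The baseline below is an assumption; confirm it against a known-good image.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}
$props = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = $props.$name
    if ($actual -ne $expected[$name]) {
        $findings.Add([pscustomobject]@{
            Technique = 'WinLogon value deviates from baseline'
            Location  = "$winlogon\$name"
            Value     = $actual
        })
    }
}

# 2. COM hijack: per-user CLSID registrations under HKCU are resolved before the
#    machine-wide ones under HKLM. A user-hive InprocServer32 that shadows a
#    CLSID also registered in HKLM is the textbook hijack pattern; any user-hive
#    in-process server is worth a look on a host that should not have one.
$userClsid = 'HKCU:\Software\Classes\CLSID'
if (Test-Path $userClsid) {
    foreach ($key in Get-ChildItem -Path $userClsid) {
        $clsid  = $key.PSChildName
        $server = Join-Path $key.PSPath 'InprocServer32'
        if (Test-Path $server) {
            $dll      = (Get-ItemProperty -Path $server).'(default)'
            $shadowed = Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
            $findings.Add([pscustomobject]@{
                Technique = if ($shadowed) { 'User CLSID shadows HKLM (COM hijack pattern)' }
                            else           { 'User-hive in-process COM server' }
                Location  = $server
                Value     = $dll
            })
        }
    }
}

if ($findings.Count -eq 0) {
    'No deviations found in WinLogon values or per-user CLSID registrations.'
} else {
    $findings | Format-Table -AutoSize
}
```

A non-empty result is a lead, not a verdict: some legitimate software registers per-user COM servers, so triage the DLL path and signer before acting. Running the same script against a clean reference image first gives you the baseline to diff against.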
As the researchers noted, “Eleven weeks after that report, this campaign arrived with CLR injection, reflective PE loading, WinLogon hijacking, NT syscall thread injection, COM hijacking, and a Hookdeck C2 relay. None of it previously attributed to this operator in prior public reporting.”
The operators behind Hologram are not just technically skilled; they are operationally disciplined. They have built their attack chain using legitimate services that are likely already on most enterprise “allowlists,” making detection via network filters nearly impossible.
The malware abuses Azure DevOps for payload hosting, Telegram for dead-drop C2 (Command and Control) resolution, and Hookdeck as a novel C2 relay.
During Netskope’s active analysis, the threat actor demonstrated their agility by completing a full infrastructure rotation. This third wave, tracked as Pathfinder, swapped primary C2 domains and moved its dead-drop URLs to new platforms.
The rotation also introduced new stage-2 binaries:
- vicloud.exe: Confirmed as the Vidar infostealer.
- dbau.exe: A newly arrived binary that was not yet recognized by major malware databases at the time of publication.
Despite the high-end technical “Holograms” used for misdirection, the campaign’s ultimate goal is financial theft. The modular framework is “all pointed at stealing credentials from over 250 crypto wallet and password manager extensions”.