---
name: infostealer-malware-detector
version: "1.2"
last_updated: 2026-04-25
tags: [infostealer, malware, detector, security, audit]
description: "Detects and removes infostealer malware (credential stealers, data exfiltrators) via full-system file search, cryptographic hashing, and public threat-intelligence cross-checks (VirusTotal, MalwareBazaar). Primary method is always custom hash-based detection. Windows Defender (or any platform-native AV) is allowed **only when necessary** (e.g. inconclusive hashes or deep remediation) and **must never be the default option**. The agent must exhaust the custom workflow first. Works on Windows/macOS/Linux."
---

# Infostealer Malware Detector & Remover (v1.1)

> Tech Stack Target / Version: Windows Defender CLI, VirusTotal, MalwareBazaar, Python 3.8+, and cross-platform shell tooling.

## Overview
This skill gives OpenClaw a complete workflow to **search every file on the system**, identify infostealer indicators, compute secure hashes, and verify them against live public databases.

**Core principles (strict)**
- Primary detection: Targeted file search + SHA-256 hashing + VirusTotal/MalwareBazaar checks.
- AV usage: Windows Defender (mpcmdrun.exe) or any other AV is **permitted only when necessary** (hash checks inconclusive, high suspicion remains, or user explicitly requests deeper scan).
- **Never default to AV** – the agent must complete the full custom hash workflow first and document why AV escalation is needed.
- Full user confirmation required before any quarantine or AV scan.
- Full audit trail and quarantine before removal.

**When to activate automatically**
- "My passwords are being stolen"
- "Scan for infostealer / stealer malware"
- "Check if RedLine / Vidar / Lumma is on my PC"
- "Clean my system" (but follow custom-first rule)

- Leverage native parallel subagent dispatch and 200k+ context windows where available.

## Prerequisites
- Internet connection (for hash lookups)
- Optional but highly recommended: free VirusTotal API key (`VT_API_KEY`)
- Python 3.8+ (for `scripts/hash-checker.py`)
- Admin/root privileges for full system scan
- Windows Defender enabled by default on Windows (no installation needed)

## Step-by-Step Workflow (Custom Method First – Always)

### Step 1: Scope the System & Identify High-Risk Areas
Run targeted discovery (fast & effective for infostealers):

```bash
# Windows (PowerShell)
Get-ChildItem -Path "$env:TEMP","$env:APPDATA","$env:LOCALAPPDATA","C:\ProgramData","C:\Users\*\AppData" -Recurse -File -Include *.exe,*.dll,*.bat,*.ps1,*.vbs,*.js -ErrorAction SilentlyContinue | Select-Object FullName,LastWriteTime,Length

# macOS / Linux
find /tmp ~/Library /Library /Users/*/Library /var/tmp -type f \( -name "*.exe" -o -name "*.dylib" -o -name "*.so" -o -name "*.sh" \) -mtime -30 2>/dev/null
```

Flag files meeting suspicious criteria (random names in Temp/AppData, recent creations <5 MB in browser folders, etc.).

### Step 2: Compute Cryptographic Hashes
Use the bundled helper script (`scripts/hash-checker.py`):

```python
#!/usr/bin/env python3
import hashlib, sys, json
from pathlib import Path

def sha256_file(file_path):
    try:
        h = hashlib.sha256()
        with open(file_path, "rb") as f:
            for chunk in iter(lambda: f.read(4096), b""):
                h.update(chunk)
        return h.hexdigest()
    except:
        return None

if __name__ == "__main__":
    paths = sys.argv[1:] or [input("Enter file or directory: ")]
    results = {}
    for p in paths:
        p = Path(p)
        if p.is_file():
            h = sha256_file(p)
            if h: results[str(p)] = h
        elif p.is_dir():
            for f in p.rglob("*"):
                if f.is_file() and f.stat().st_size < 50_000_000:
                    h = sha256_file(f)
                    if h: results[str(f)] = h
    print(json.dumps(results, indent=2))
```

### Step 3: Cross-Reference with Public Sources (Primary Detection)
For each SHA-256 hash:
1. VirusTotal lookup (preferred):
```bash
curl -s --request GET "https://www.virustotal.com/api/v3/files/${HASH}" --header "x-apikey: $VT_API_KEY"
```
2. Fallback public links:
   - https://www.virustotal.com/gui/file/${HASH}
   - https://bazaar.abuse.ch/browse.php?search=sha256:${HASH}

Verdict rules (strict):
- ≥5 detections or known infostealer family → HIGH confidence malware
- 1–4 detections + IOC match → SUSPICIOUS
- 0 detections → clean (unless behavioral IOCs)

### Step 4: Behavioral & IOC Validation
- Check processes, browser databases, network connections to known C2 domains.

### Step 5: Quarantine & Removal (User-Confirmed Only)
Create timestamped quarantine folder and move flagged files.
Registry/startup cleanup if needed.
**Never delete without showing the user the exact list + VT links.**

### Step 6: AV Fallback (Non-Default – Use ONLY When Necessary)
After completing Steps 1–5:
If hashes are inconclusive, files are locked, or suspicion remains extremely high (and you document the reason), **then and only then** escalate to platform-native AV.

**Windows Defender (official CLI – never first choice)**:
```bash
# Full system scan (run from elevated prompt)
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2

# Quick scan
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

# Scan specific folder
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Path\To\Quarantine"
```

**Linux/macOS fallback (ClamAV – only if installed and requested)**:
```bash
freshclam
clamscan -r --move="$QUARANTINE" /path/to/scan
```

**Microsoft Safety Scanner** (portable, one-time use): Download from official Microsoft link only if Defender is insufficient.

**Strict rule**: The agent must never run any AV command as the first action. Always complete custom hash workflow first and obtain explicit user confirmation before AV escalation.

### Step 7: Post-Remediation Verification
Re-run hash scan + quick Defender check (if AV was used). Reboot and monitor.

## Zero-Trust Verification

- [ ] Treat samples, hashes, filenames, process names, and external reputation results as untrusted until corroborated.
- [ ] Verify indicators across static metadata, behavioral evidence, provenance, and environment context.
- [ ] Separate confirmed compromise evidence from suspicious-but-unproven signals.
- [ ] Avoid executing unknown binaries; use sandboxed or offline inspection paths first.

## Anti-Patterns

- Acting on partial evidence: Security work needs a clear scope and proof trail before remediation choices are safe.
- Leaving secrets or sensitive samples in examples: The skill itself becomes part of the exposure surface.
- Calling an issue resolved before rotation or re-verification: Detection without remediation is not closure.

## Verification Protocol

Before claiming "skill applied successfully":

1. Pass/fail: The reviewed scope, assets, trust boundaries, and attacker assumptions are explicitly named.
2. Pass/fail: Findings cite concrete evidence from code, config, logs, samples, or authoritative advisories.
3. Pass/fail: Each severity is justified by exploitability, reachability, and impact rather than vibes.
4. Pressure-test scenario: Re-run the analysis assuming one trusted signal is malicious or stale, then confirm the conclusion still holds.
5. Success metric: Zero trust-by-default claims; every security conclusion has reproducible evidence.


## Quality Checklist (must pass)
- [ ] Custom hash + VT workflow completed first
- [ ] AV used only after custom method + documented reason
- [ ] User explicitly approved every deletion/AV scan
- [ ] Quarantine created
- [ ] Full report with hashes, VT links, and actions

## References & Official Sources
- Microsoft Defender CLI (mpcmdrun.exe): https://learn.microsoft.com/en-us/defender-endpoint/command-line-arguments-microsoft-defender-antivirus
- Microsoft Safety Scanner: https://learn.microsoft.com/en-us/defender-endpoint/safety-scanner-download
- ClamAV CLI examples: Standard `clamscan -r --move=/quarantine` (open-source reference)
- VirusTotal API & MalwareBazaar for hash checking

**This skill is custom-detection-first by design.** Windows Defender (or any AV) is a conditional tool only – never the default.

Invoke with: `/infostealer-malware-detector` or describe the issue.

<!-- PORTABILITY:START -->
## Cross-Client Portability

This skill is written to stay usable across GitHub Copilot, Claude Code, Codex, and Gemini CLI.

- GitHub Copilot: keep the folder in a Copilot-visible skill or plugin path, or wrap the workflow as project instructions if the host does not support portable skill folders directly.
- Claude Code: keep the folder in a local skills directory or a compatible plugin or marketplace source.
- Codex: install or sync the folder into `$CODEX_HOME/skills/<skill-name>` and restart Codex after major changes.
- Gemini CLI: this repository generates a project command named `/skills:infostealer-malware-detector` from this skill. Rebuild commands with `python scripts/export-gemini-skill.py infostealer-malware-detector` and then run `/commands reload` inside Gemini CLI.

<!-- PORTABILITY:END -->

<!-- MCP:START -->
## MCP Availability And Fallback

Preferred MCP Server: None required

- Fallback prompt: "Use the Infostealer Malware Detector & Remover (v1.1) skill without MCP. Rely on the local `SKILL.md`, bundled references or scripts, and manual verification. Show the exact commands, evidence, and final checks you used before concluding."
- If the current host does not expose a matching server, use the bundled references, scripts, native toolchain, and manual workflow already described in this skill.
- Treat direct local verification, rendered output, logs, tests, or screenshots as the fallback evidence path before completion.

<!-- MCP:END -->

## Related Skills

- [secret-scanning](../secret-scanning/SKILL.md): Use it when the workflow also needs credential detection and remediation workflows.
- [security-review](../security-review/SKILL.md): Use it when the workflow also needs application security review and risk triage.
- [devops-tooling](../devops-tooling/SKILL.md): Use it when the workflow also needs git, CI, and automation workflows.
- [verification-before-completion](../verification-before-completion/SKILL.md): Use it when the workflow also needs final evidence checks before claiming completion.
