
AI Agents: How Your New Employee Brings More Security Risks

AI agents aren’t applications. They’re employees. So why are we treating them like applications? AI agents don’t behave like classic applications. They access systems. They make decisions. They operate continuously. They interact with humans and other systems without being explicitly triggered each time. That’s not automation. That’s not scripts. That’s a digital worker.

Cato CTRL Threat Research: When OpenClaw, Your AI Personal Assistant, Becomes the Backdoor

Cato CTRL’s Vitaly Simonovich (senior security researcher) has identified a threat actor selling root shell access to a UK-based automation company through a compromised AI personal assistant based on OpenClaw.

Beyond Access: How Cato Measures and Manages User Risk in Real Time

On a quiet Tuesday morning, Jerry, a fictional system administrator, logged in as usual. While testing a new integration script, he visited a documentation page on an unfamiliar domain. It looked harmless and loaded without issue, but behind the scenes, Jerry’s laptop began making a series of small outbound requests to several low-reputation domains. None of these connections were malicious enough to be blocked, yet the pattern resembled early-stage domain-flux activity.

Webinar: Stop Trusting Your AI Browser

Browser security is built around human control. AI browsers break that model. By inserting an assistant that can interpret content and act inside authenticated sessions, behaviors can be manipulated beyond what traditional defenses can detect. Security leaders need to catch this Cato CTRL Cybersecurity Masterclass to see how attackers exploit AI Browser behavior, and what defenders can do to respond.

How Cato Turns Identity Noise Into High-Confidence Detections

Jeremy, the Head of IT, thought it was a normal Monday until his help desk was overwhelmed with login complaints. 37 employees couldn’t log in. Password resets were happening that nobody could explain, and some devices seemed to vanish from the identity directory. The worst part was that the identity logs did not show a clear break-in. There was no obvious malware and no dramatic spike, only routine-looking admin activity.

Cato CTRL Threat Research: Foxveil - New Malware Loader Abusing Cloudflare, Discord, and Netlify as Staging Infrastructure

Cato CTRL has identified a previously undocumented malware loader we track as “Foxveil.” We observed evidence that the malware campaign has been active since August 2025, and we observed two distinct variants (v1 and v2). Foxveil behaves like a modern initial-stage loader: it establishes an initial foothold, frustrates analysis, and retrieves next-stage payloads from threat actor-controlled staging hosted on Cloudflare Pages, Netlify, and, in some cases, Discord attachments.

When AI Can Act: Governing OpenClaw

Agentic AI burst into public consciousness this week with talk of Moltbook – a social network designed for AI agents built on OpenClaw (formerly Clawdbot and Moltbot). The resulting conversations about identity, forming a new religion, social engineering humans, and more between bots have sparked alarms everywhere. For IT leaders, one thing is clear: AI crossed a meaningful threshold.