Operation OpenClaw

Kill Chain Analysis of an AI Agent-Driven Cyberattack

🎙️ Explainer Podcasts (6 Episodes)

Listen to detailed discussions about Operation OpenClaw, available in multiple languages and at two technical levels (technical and non-technical):

- 🎧 Podcast (FR)
- 🎧 Podcast (FR Non-Tech)
- 🎧 Podcast (EN)
- 🎧 Podcast (EN Non-Tech)
- 🎧 Podcast (BR)
- 🎧 Podcast (BR Non-Tech)
🎥 Explainer Videos

Synthetic video presentation for a non-technical audience, in three languages:

- FR: ⬇️ Download video (FR - .mp4)
- The Fall of PharmEurys (EN Non-Tech): ⬇️ Download video (EN - .mp4)
- A Queda da PharmEurys (BR Non-Tech): ⬇️ Download video (BR - .mp4)

Fabrice Pizzi — Université Paris Sorbonne, 2026

Status: active research · Languages: EN / FR / PT · License: CC BY-NC-SA 4.0
No installation needed — click any link below to read the documents directly.
Or download everything as ZIP.

Start Here

[NEW] New to AI Security?

Master 2 course (Sorbonne): an introduction to AI & Cybersecurity (updated to v8 with the AI Attack Taxonomy and Autonomous Agent Risks sections).

Summary Note (~10 pages)

Academic overview of the full kill chain and defense model.

[STUDY] Agents of Chaos

Exploratory red-teaming study of autonomous LM-powered agents in a live environment.

The 5 Phases — Detailed Analyses

| Phase | Title | Timeline | FR Report | EN Report |
|---|---|---|---|---|
| 1 | Reconnaissance | D-30 → D-15 | PDF | PDF |
| 2 | Weaponization | D-15 → D-7 | PDF | PDF |
| 3 | Delivery & Exploitation | D-7 → D | PDF | PDF |
| 4 | Lateral Movement & Persistence | D → D+5 | PDF | PDF |
| 5 | Exfiltration & Double Extortion | D+5 → D+6 | PDF | PDF |

Interactive Infographics

Explore the visual breakdown of each kill chain phase.

Phase 1 Infographic

Defense-in-Depth Model (5 Layers)

| Layer | Principle | Key Controls |
|---|---|---|
| C1 — Agent Governance | The LLM is an advisor, not an executor | Tool allowlists, sandbox, human-in-the-loop |
| C2 — Input Control | All ingested content is untrusted | Data/instruction separation, need-to-know |
| C3 — Output Control | Legitimate HTTPS can mask logical abuse | Egress proxy, DLP, destination allowlists |
| C4 — Impact Reduction | A compromised agent must not inherit permissions across the whole information system (IS) | Segmentation, 3-2-1-1-0 backups, AD hardening |
| C5 — Basic Hygiene | Agentic controls do not replace the fundamentals | Accelerated patching, MFA, minimal exposure |

Core insight: layers C4–C5 (the fundamentals) alone would have disrupted the majority of the kill chain. Layers C1–C3 (the AI-specific controls) are complementary to them, not a substitute for them.

Download All Documents (ZIP)

All PDFs, figures, and source files in a single download — no Git required.

Disclaimer: This work is an academic analysis based on an entirely fictional scenario. PharmEurys SA does not exist. No actual attack was conducted. All vulnerabilities and techniques described are documented in the public literature. The purpose is exclusively defensive.