Moltbot Unmasked: A Global Deployment Analysis
- MODAT Team
mDNS Discovery, Internet-Facing Control Interfaces, and Open Directory Leakage
Analysis conducted between Jan 26th and 28th, 2026. References to "Clawdbot" reflect the name in use prior to the name change.

Moltbot, a framework designed for distributed automation and autonomous agent orchestration, has seen rapid adoption in both experimental and operational settings. However, its growth has also introduced security challenges tied to deployment hygiene, network exposure, and misconfiguration.
Before any attacker logs in, sends a packet, or touches a control panel, many Moltbot deployments already give themselves away.
Across thousands of instances, Moltbot nodes were observed publicly broadcasting internal hostnames, filesystem paths, service ports, and operational roles via multicast DNS (mDNS). In several cases, this initial exposure led directly to internet-accessible control panels and, more critically, open directories containing messaging platform identity artifacts capable of enabling full agent impersonation.
Key Findings
- mDNS Broadcasts Leak Extensive Operational Metadata: Moltbot instances routinely expose far more information via multicast DNS than operators expect.
- Global Exposure Spans 53 Countries, with High Density in the U.S.: Geographic analysis shows an uneven but global distribution of exposed instances.
- Only a Fraction of mDNS‑Discovered Hosts Expose Public Control Panels: Of 1,487 hosts that announced Moltbot services via mDNS, 88 had an accessible Web Control Panel, and only 66 of them had both mDNS and the Web Control Panel accessible at the same time.
- Open Directory Listings Reveal High Severity Credential Leakage: Several hosts exposed open directories containing sensitive artifacts such as Signal, Telegram, and WhatsApp identity files, registration secrets, and operational metadata from Moltbot deployments.
Research Scope and Objectives
This research was conducted to answer three core questions:
- How discoverable are Moltbot instances via mDNS?
- How often do locally discoverable instances also expose internet-facing control panels?
- What categories of sensitive data are exposed through misconfigured web servers and open directories?
Analysis
mDNS Enumeration
Multicast DNS (mDNS) enumeration revealed that Moltbot instances frequently broadcast far more operational metadata than operators typically realise. While mDNS is often assumed local-only by design, in practice it exposes a detailed fingerprint of the underlying system to any host sharing that segment.
During scanning with Modat Magnify, Moltbot service advertisements were observed broadcasting:
- The full hostname of the machine running the gateway
- The Clawdbot Control interface port (mostly 18789)
- The SSH port in use
- Internal filesystem paths, including execution paths for process managers
- LAN-visible IP addresses (both IPv4 and IPv6)
- Operational roles and transport metadata
This is not limited to benign metadata such as the service name; it includes system‑level operational details that materially expand the attack surface. To any external observer on the local network (workplace Wi‑Fi, coffee shop, co‑working space, hotel network, university network, etc.), the Moltbot deployment essentially self-announces its internal structure.
Below is a real example of how a single Moltbot instance appears when discovered via mDNS on port 5353, as captured by Modat Magnify. This information alone is sufficient to guide an attacker toward viable access paths without requiring further probing.

Overall, mDNS serves as both a discovery beacon and a metadata leak vector, providing attackers with reconnaissance data before any interaction with the control interface occurs.
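For operators who want to review what their own gateway advertises, the following added example (not part of the original research or of Moltbot) sorts the TXT entries of one advertisement into the leak categories listed above. The key names and values in `SAMPLE_TXT` are constructed and hypothetical, since the article does not list the real ones, so the classifier works mainly from the values.

```python
import ipaddress
import re

# Constructed sample of TXT key/value pairs from one service advertisement.
# Key names and values are hypothetical; the article does not list the real ones.
SAMPLE_TXT = {
    "host": "build-box-01.corp.example",
    "control_port": "18789",
    "ssh_port": "22",
    "exec_path": "/home/deploy/.local/bin/agent",
    "addr4": "192.168.1.40",
    "addr6": "fe80::1c2d:3eff:fe4f:5a6b",
    "role": "gateway",
    "txtvers": "1",
}

PATH_RE = re.compile(r"^(/|~/|[A-Za-z]:\\)")
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify(key: str, value: str) -> str:
    """Return the leak category for one TXT entry, or 'benign'."""
    try:
        ip = ipaddress.ip_address(value)
        return "internal-ip" if (ip.is_private or ip.is_link_local) else "public-ip"
    except ValueError:
        pass
    if PATH_RE.match(value):
        return "filesystem-path"
    # Small integers such as a TXT version are only ports if the key says so.
    if "port" in key.lower() and value.isdecimal() and 0 < int(value) < 65536:
        return "port"
    if FQDN_RE.match(value):
        return "hostname"
    return "benign"


def audit(txt: dict) -> dict:
    """Group the keys of a TXT record by what kind of detail they reveal."""
    findings = {}
    for key, value in txt.items():
        category = classify(key, value)
        if category != "benign":
            findings.setdefault(category, []).append(key)
    return findings


if __name__ == "__main__":
    for category, keys in audit(SAMPLE_TXT).items():
        print(f"{category}: {', '.join(keys)}")
```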
The map below shows that observed exposure is unevenly distributed, with concentrations in a limited number of countries and sparse visibility across large geographic regions.

Infrastructure distribution reveals heavy concentration in DigitalOcean as the primary hosting infrastructure followed by AWS, OVH and other small providers.

All identified mDNS hosts were subsequently evaluated for service availability on TCP port 18789, the default port used by the Clawdbot Control web interface. Few are announcing other ports.
The diversity of exposed ports suggests inconsistent deployment practices rather than deliberate hardening, often increasing visibility without meaningfully improving security.

To verify their exposure, we analysed the ports announced via mDNS and checked whether the Control Panel was accessible via these ports. Of the 1,487 hosts, only 88 were publicly accessible as of 28 Jan 2026.
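The same question can be asked from the operator's side of the host. This added example (not from the original research) parses `ss -tuln` output and reports a control panel on the default port 18789, or an mDNS responder on 5353, that is bound to anything other than loopback. The `ss` output shown is constructed, and a deployment on a non-default port needs `CONTROL_PORT` changed.

```python
import ipaddress

CONTROL_PORT = 18789  # default Clawdbot Control port named in the article
MDNS_PORT = 5353      # mDNS port named in the article

# Constructed `ss -tuln` output for illustration; not taken from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      511    *:18789            *:*
tcp   LISTEN 0      128    127.0.0.1:18790    0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
"""


def reachable_off_host(addr: str) -> bool:
    """True unless the bind address is loopback-only."""
    addr = addr.split("%")[0].strip("[]")  # drop interface scope and brackets
    if addr == "*":
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unparseable address: report it rather than hide it


def audit_listeners(ss_output: str) -> list:
    """Return (finding, bind_address, port) for sockets worth reviewing."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdecimal() or not reachable_off_host(addr):
            continue
        if proto == "tcp" and int(port) == CONTROL_PORT:
            findings.append(("control-panel", addr, int(port)))
        elif proto == "udp" and int(port) == MDNS_PORT:
            findings.append(("mdns-responder", addr, int(port)))
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS):
        print(finding)
```

The check only sees the host's own sockets; a firewall or cloud security group in front of the host may still block a socket that is reported here.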
Web Panel Exposure
To assess the real-world visibility of Moltbot's control interfaces, we used Modat Magnify to collect and aggregate all publicly discoverable web panels associated with Moltbot deployments over HTTP.
The panels discovered through Magnify revealed a globally dispersed pattern similar to mDNS discovery, with 635 accessible Moltbot Web Control Interfaces:

Magnify’s results also enabled the correlation of exposed interfaces with the Autonomous System (AS) providers hosting them. The majority of Moltbot panels were found on large cloud providers, while some have been linked to organisations and manufacturers.

Analysis of discovered panels shows that while port 18789 (the Moltbot default) remains dominant, a surprisingly wide range of alternative ports was identified. One of these hosts was also identified as a honeypot with 25 open ports. The presence of a dedicated honeypot suggests that Moltbot deployments are already being actively monitored by third parties, indicating early attacker interest.

Open Directory and Artifact Analysis
Hosts exposing HTTP services were further evaluated for open directory listings that reference Moltbot. This showed the other side of the picture: how people are deploying the tool.



Analysis of hosts exposing open directory listings revealed a wide range of sensitive operational artefacts associated with Moltbot and its supporting ecosystem. The exposed files included log outputs. More critically, several files revealed Signal-, Telegram-, and WhatsApp-related artifacts.
These files contain identity keys, registration secrets, or QR pairing material, elements that must never be publicly reachable. The presence of these artifacts demonstrates not just accidental exposure of a Moltbot deployment, but leakage of agent credentials, cryptographic material, development tools, runtime caches, and internal operational logs, a level of transparency that significantly increases compromise risk and enables adversaries to reconstruct or impersonate the agent’s full environment.

Conclusion
Moltbot's global exposure landscape reveals an ecosystem that is powerful, but that is often deployed without the necessary security rigor. While mDNS broadcast leakage is widespread, only a subset of deployments exposes full Control Interfaces to the open internet.
The findings in this research demonstrate that many Moltbot instances leak meaningful operational and identity data without any attacker interaction. Additional research and articles have raised concerns about prompt injection attacks and data security. These are not edge cases or rare misconfigurations, but recurring deployment failure modes that significantly lower the barrier to compromise.
