Cybercriminals have devised a new tactic to entice victims into downloading harmful software, using a counterfeit version of Anthropic’s Claude AI assistant to execute their campaign. This operation raises alarms due to its sophisticated use of a PlugX-like DLL sideloading chain.
The Fake Claude Website
Attackers created a deceptive website, claude-pro[.]com, that closely resembles the authentic Claude AI site, down to its fonts and color scheme. Visitors are lured into downloading a file labeled ‘Claude-Pro Relay,’ which is actually a large ZIP archive containing a Windows installer. Once executed, the installer quietly drops three files into the user’s Startup folder, ensuring they run automatically at startup.
Sophos X-Ops researchers discovered the campaign while investigating the site’s role in malware distribution. What initially looked like a typical PlugX operation turned out, on further analysis, to deliver a previously undocumented backdoor named ‘Beagle’ via a loader called DonutLoader, marking it as a novel threat.
Malvertising and SEO Poisoning
The campaign gains traction through malvertising, with attackers purchasing ad space to display harmful links in search results. Users searching for the Claude AI tool might inadvertently access the fake site. Additionally, SEO poisoning likely enhances the site’s visibility, drawing even more unsuspecting visitors.
Notably, the campaign mixes established attack strategies with a newly crafted payload. The reuse of a single XOR key across different samples from early 2026 points to an ongoing, coordinated effort rather than a one-off incident; the threat has been developing over several months, which suggests a sustained campaign.
Technical Exploits and the Beagle Backdoor
The malware installation begins when users run the Claude.msi installer, which deposits three files: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. A legitimate G DATA antivirus updater, NOVupdate.exe, is manipulated to load a malicious avk.dll through DLL sideloading, a hallmark of PlugX campaigns.
This rogue DLL decrypts a payload hidden within NOVupdate.exe.dat using a hardcoded XOR key and executes it entirely in memory. Because the decrypted payload is never written to disk, file-based security detections have nothing to scan. The decrypted payload is DonutLoader shellcode, a loader previously linked to advanced attacks on governmental systems.
Upon execution, DonutLoader delivers the Beagle backdoor, which connects to a command-and-control server at license[.]claude-pro[.]com. It encrypts all traffic with a hardcoded AES key and communicates over both TCP and UDP, giving attackers the ability to manage files, execute commands, and maintain persistent access to the system.
Protection Measures and Outlook
To mitigate risk, users are advised to download Claude AI exclusively from the official Anthropic website and avoid sponsored search links. Checking the startup folder for suspicious files like NOVupdate.exe and monitoring connections to claude-pro[.]com can help identify infections.
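The two checks recommended above, and the three-file sideloading chain described earlier, can be turned into a small triage script. The following is an added example, not code from Sophos or from the article; the connection-log line format it parses is an assumption, and all sample inputs are constructed.

```python
"""
Added example (not from the Sophos write-up): a triage helper that applies
the two checks the article recommends -- look for the sideloading triad in
a Startup folder listing, and look for connections to the campaign's
domains in network logs. All inputs below are constructed sample data, and
the log line format is an assumption rather than any real product's format.
"""
from dataclasses import dataclass
import re

# Indicators taken from the article (defanged domains de-bracketed for matching).
# The Startup listing would normally come from
# %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
SIDELOAD_TRIAD = {"novupdate.exe", "novupdate.exe.dat", "avk.dll"}
C2_DOMAINS = {"claude-pro.com", "license.claude-pro.com"}


@dataclass
class Finding:
    kind: str
    detail: str


def check_startup_folder(entries):
    """entries: iterable of file names found in a Startup folder.
    Flags the full sideloading triad (high confidence) or any single
    member of it (lower confidence, but still worth a look)."""
    names = {e.lower() for e in entries}
    present = names & SIDELOAD_TRIAD
    findings = []
    if present == SIDELOAD_TRIAD:
        findings.append(Finding(
            "startup_triad",
            "NOVupdate.exe + NOVupdate.exe.dat + avk.dll present together"))
    elif present:
        findings.append(Finding(
            "startup_partial",
            "suspicious startup entries: " + ", ".join(sorted(present))))
    return findings


# Constructed log format (assumption): "<ts> <host> <proto> dst=<domain>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proto>tcp|udp) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$",
    re.IGNORECASE)


def check_connections(log_lines):
    """Flag any connection whose destination is the C2 domain or a subdomain
    of it, over either transport (the backdoor uses both TCP and UDP)."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        dst = m.group("dst").lower()
        if dst in C2_DOMAINS or dst.endswith(".claude-pro.com"):
            findings.append(Finding(
                "c2_contact",
                f"{m.group('host')} -> {dst}:{m.group('port')}/{m.group('proto').lower()}"))
    return findings


def triage(startup_entries, log_lines):
    """Run both checks and return the combined list of findings."""
    return check_startup_folder(startup_entries) + check_connections(log_lines)


# Constructed sample data for a stand-alone run.
SAMPLE_STARTUP = ["desktop.ini", "NOVupdate.exe", "NOVupdate.exe.dat", "avk.dll"]
SAMPLE_LOGS = [
    "2026-03-01T10:00:00Z WS01 tcp dst=update.example.com:443",
    "2026-03-01T10:00:05Z WS01 tcp dst=license.claude-pro.com:443",
    "2026-03-01T10:00:06Z WS01 udp dst=license.claude-pro.com:53",
    "not a log line at all",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_STARTUP, SAMPLE_LOGS):
        print(f"[{f.kind}] {f.detail}")
```

Matching the three file names together, rather than NOVupdate.exe alone, keeps the check from flagging a genuine G DATA installation, while the domain check covers the C2 host and any other subdomain of the lure site.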
Sophos researchers also identified related samples dating back to February 2026, suggesting the infrastructure might support various campaigns or actors. Vigilance in cybersecurity practices remains crucial as this threat continues to evolve.
