A fake website impersonating Anthropic’s Claude AI chatbot has been discovered distributing the PlugX remote access trojan, according to Malwarebytes research. The malicious site leverages the popularity of AI tools to lure users into downloading a ZIP archive disguised as a “pro version” installer. This sophisticated attack uses DLL sideloading to execute the malware and then attempts to erase its tracks, Security Affairs reports.

The fake Claude website offers a ZIP file containing an MSI installer that mimics a legitimate Anthropic Claude setup. Upon installation, a VBScript is executed, which silently copies malicious files, including a legitimate G DATA antivirus updater (NOVUpdate.exe) and a malicious DLL (avk.dll), into the Windows Startup folder. The legitimate updater is then used to load the malicious DLL through a technique known as DLL sideloading. This DLL decrypts and executes a payload from an encrypted .dat file, establishing a connection to a command-and-control server. The attack chain is typical of the PlugX malware family, often employed in cyber espionage campaigns.

Source: Security Affairs
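The Startup-folder pattern described above (a signed vendor executable, a DLL it will load from the same directory, and an encrypted .dat payload) is easy to hunt for on a host: the Startup folder normally holds only shortcuts, so any EXE/DLL pair there is suspicious. The following is an added example, not code from Malwarebytes or Security Affairs; it takes a file listing gathered by some other means (a forensic image, an EDR inventory) and flags sideloading triads. NOVUpdate.exe and avk.dll are the names reported in the article; every other path and name below is constructed.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class Finding:
    folder: str
    loader_exe: str
    sideload_dlls: list = field(default_factory=list)
    payload_dats: list = field(default_factory=list)
    severity: str = "low"


def _is_startup_folder(folder: str) -> bool:
    # Matches both the per-user and the all-users Startup folders:
    # ...\Start Menu\Programs\Startup (case-insensitive on Windows).
    parts = [p.lower() for p in PureWindowsPath(folder).parts]
    return len(parts) >= 2 and parts[-1] == "startup" and parts[-2] == "programs"


def find_sideload_triads(listing):
    """Group full Windows paths by directory and report every directory that
    holds an EXE next to at least one DLL. Severity: 'high' when the directory
    is a Startup folder and also holds a .dat file (the PlugX triad), 'medium'
    for an EXE/DLL pair in Startup without a .dat, 'low' elsewhere (a vendor's
    own install directory legitimately looks like this)."""
    by_dir = {}
    for raw in listing:
        path = PureWindowsPath(raw)
        by_dir.setdefault(str(path.parent), []).append(path.name)

    findings = []
    for folder, names in by_dir.items():
        exes = [n for n in names if n.lower().endswith(".exe")]
        dlls = [n for n in names if n.lower().endswith(".dll")]
        dats = [n for n in names if n.lower().endswith(".dat")]
        if not (exes and dlls):
            continue
        if _is_startup_folder(folder):
            severity = "high" if dats else "medium"
        else:
            severity = "low"
        for exe in exes:
            findings.append(Finding(folder, exe, dlls, dats, severity))
    return findings


# Constructed sample listing: the reported NOVUpdate.exe / avk.dll pair dropped
# into a user's Startup folder, a placeholder .dat payload, a harmless shortcut,
# and a legitimate-looking vendor install directory for contrast.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_LISTING = [
    STARTUP + r"\NOVUpdate.exe",
    STARTUP + r"\avk.dll",
    STARTUP + r"\payload.dat",  # constructed name; the article does not give it
    STARTUP + r"\OneNote.lnk",
    r"C:\Program Files\ExampleVendor\updater.exe",  # constructed vendor path
    r"C:\Program Files\ExampleVendor\helper.dll",
]

if __name__ == "__main__":
    for f in find_sideload_triads(SAMPLE_LISTING):
        print(f"[{f.severity}] {f.folder}\\{f.loader_exe} with {f.sideload_dlls} {f.payload_dats}")
```

Pairing the flagged EXE with an Authenticode check (signed loader next to an unsigned DLL) narrows the medium findings further; that step needs a live Windows host and is left out here.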