Claude users beware, hackers are using a fake website to dupe developers and deliver malware


A fake Claude AI website is spreading a trojanized ‘Claude‑Pro’ Windows installer that secretly distributes a newly-identified backdoor.

The domain mimics the official site for Anthropic’s Claude AI tool, and visitors who download the ZIP archive are sent a copy of Claude that appears to install and runs as expected.

However, researchers at Malwarebytes found it deploys a PlugX-like malware chain, dubbed Beagle, that gives attackers remote access to the system.

The ZIP contains an MSI installer that installs to a path designed to mimic a legitimate Anthropic installation, complete with a reference to Squirrel, the update framework that real Electron-based applications like Claude use.

A tell-tale giveaway for developers is that this path contains a misspelling: ‘Cluade’.

While the legitimate application runs in the foreground, a VBScript dropper bundled with the installer quietly copies three files from the SquirrelTemp directory into the Windows Startup folder.

“This is a textbook DLL sideloading attack, a technique catalogued by MITRE as T1574.002. NOVUpdate.exe is a legitimately signed G DATA antivirus updater. When it executes, it attempts to load a library called avk.dll from its own directory,” researchers explained.

“Normally, this would be a genuine G DATA component, but here the attacker has substituted a malicious version. Signed sideloading hosts like this can complicate detection because the parent executable may appear benign to endpoint security tools.”

Victims are kept in the dark, because after deploying the payload files, the VBScript writes a small batch file called ~del.vbs.bat that waits two seconds, then deletes both the original VBScript and the batch file itself.

“This means the dropper is gone from disk by the time a user or analyst goes looking for it. The only artifacts that persist are the sideloading files in the Startup folder and the running NOVUpdate.exe process,” Malwarebytes said.

“The script also wraps the entire malicious payload section in an On Error Resume Next statement, silently swallowing any errors so that failures in the deployment do not produce visible error dialogs that might alert the victim.”
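The researchers note that the only artifacts left on disk are the sideloading pair in the Startup folder and the running updater process. The following Python script is an added defender-side example, not code from the article, Malwarebytes or Anthropic: it triages a Startup folder listing for exactly that pattern, a loose executable with a DLL beside it (the T1574.002 sideloading shape described above) and any script files. The Startup folder paths are the standard per-user and all-users locations, and the sample listing is constructed for the demonstration; only the two filenames the article names are taken from the page.

```python
"""Triage a Windows Startup folder listing for DLL-sideloading artifacts.

Added example for this article (not Malwarebytes', Anthropic's or G DATA's code).
Heuristic: the Startup folder normally holds shortcuts (.lnk). A loose .exe, a
.dll sitting next to it, or a script file there is worth an analyst's attention.
"""
import os
from pathlib import PurePath

EXEC_EXT = {".exe"}
LIB_EXT = {".dll"}
SCRIPT_EXT = {".vbs", ".vbe", ".bat", ".cmd", ".ps1", ".js", ".wsf"}

# Standard per-user and all-users Startup folders, expanded at run time on Windows.
STARTUP_DIRS = [
    os.path.join(os.environ.get("APPDATA", ""),
                 r"Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.join(os.environ.get("PROGRAMDATA", ""),
                 r"Microsoft\Windows\Start Menu\Programs\StartUp"),
]


def triage_startup(entries):
    """Return (filename, reason) findings for a list of Startup folder entries.

    Shortcuts and data files are not reported; executables, DLLs and scripts are.
    A DLL is reported as a sideload candidate when at least one .exe shares the folder,
    because a signed host loading a library from its own directory is the pattern
    the article describes.
    """
    exes = sorted(e for e in entries if PurePath(e).suffix.lower() in EXEC_EXT)
    findings = []
    for name in sorted(entries):
        ext = PurePath(name).suffix.lower()
        if ext in EXEC_EXT:
            findings.append((name, "loose executable in Startup; verify signer and origin"))
        elif ext in LIB_EXT:
            if exes:
                findings.append((name, "DLL beside " + ", ".join(exes)
                                 + ": candidate sideload host/payload pair (T1574.002)"))
            else:
                findings.append((name, "orphan DLL in Startup; no host executable present"))
        elif ext in SCRIPT_EXT:
            findings.append((name, "script in Startup; inspect for copy or self-deletion logic"))
    return findings


def scan_startup_dirs(dirs=STARTUP_DIRS):
    """Run the triage over every Startup folder that exists on this host."""
    results = {}
    for d in dirs:
        if os.path.isdir(d):
            results[d] = triage_startup(os.listdir(d))
    return results


# Constructed sample listing (not a real capture): one ordinary shortcut plus the
# two filenames the article names for the sideloading pair.
SAMPLE_STARTUP_LISTING = [
    "OneDrive.lnk",
    "NOVUpdate.exe",
    "avk.dll",
]

if __name__ == "__main__":
    print("Sample listing:")
    for name, reason in triage_startup(SAMPLE_STARTUP_LISTING):
        print(f"  {name}: {reason}")
    for folder, hits in scan_startup_dirs().items():
        print(folder)
        for name, reason in hits:
            print(f"  {name}: {reason}")
```

On a live host the script only lists candidates; confirming a finding still means checking the executable's signature and the DLL's hash against what the signed vendor ships, and correlating with the running process the researchers mention.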

DLL sideloading is a technique favored by PlugX, a malware family that Sophos has been tracking for 14 years.

As the firm points out, PlugX has multiple variants and has been associated with several threat actor groups, meaning that attribution isn’t clear-cut.

On top of this, ShadowPad, another backdoor employing DLL sideloading, has a number of code overlaps with PlugX, to the extent that it could be considered an evolution of it.

“Most of the techniques described here are relatively well known and have been seen before, from spoofing a legitimate installer website to sideloading using a signed executable. Interestingly enough, what is unusual is that it also installs a working copy of Claude, which is rather large,” said Max Gannon, cyber intelligence team manager at Cofense.

“The installation and usage of a program that is resource intensive can also help to disguise other ongoing background activity. The use of a legitimate program, cleanup utilities, running in memory, and persistence mechanisms all indicate that the threat actors distributing this malware intend it for long term persistence and use.”
