Overview
A threat actor has registered and operated a fraudulent website mimicking Anthropic’s Claude AI platform, using it to distribute a previously undocumented Windows backdoor dubbed Beagle, alongside an established PlugX remote access trojan (RAT) chain. Reported by Sophos and initially flagged by Malwarebytes, the campaign is notable for its deliberate targeting of the AI developer community — specifically those working with Claude-Code — by advertising a fake “high-performance relay service.”
The fake domain claude-pro[.]com closely mimics the visual design of the legitimate Anthropic site but exposes its fraudulent nature through non-functional links that redirect only to the front page. Users who fail to notice are presented with a single download button for a 505MB archive, Claude-Pro-windows-x64.zip, containing a malicious MSI installer.
Technical Analysis
Once executed, the MSI installer drops three files into the Windows Startup folder:
NOVupdate.exe— a legitimately signed updater binary from G Data security solutionsavk.dll— a malicious DLL sideloaded by the signed binaryNOVupdate.exe.dat— an encrypted payload container
The attack chain leverages DLL sideloading: the signed G Data executable loads the malicious avk.dll, which in turn decrypts and executes the contents of NOVupdate.exe.dat entirely in memory. The first-stage payload is DonutLoader, a shellcode loader that fetches the Beagle backdoor.
Beagle is a relatively lightweight backdoor supporting the following commands:
uninstall - Remove the agent
cmd - Execute shell commands
upload - Exfiltrate files
download - Deliver files to host
mkdir - Create directories
rename - Rename files
ls - List directory contents
rm - Remove directories
Sophos notes that the use of a G Data signed binary to sideload avk.dll with an encrypted companion file is consistent with previously documented PlugX delivery tradecraft, suggesting a threat actor with established operational tooling. The trojanized Claude installer also functions as expected, reducing user suspicion.
Framework Mapping
MITRE ATLAS:
- AML.T0047 – ML-Enabled Product or Service: Attackers impersonate a legitimate LLM product to socially engineer downloads.
- AML.T0010 – ML Supply Chain Compromise: The attack inserts malicious components into what appears to be a legitimate AI developer toolchain.
OWASP LLM Top 10:
- LLM05 – Supply Chain Vulnerabilities: Fake tooling distributed under the guise of an AI relay service poisons the developer software supply chain.
- LLM09 – Overreliance: Users trusting the apparent legitimacy of an AI brand interface are exploited through that trust.
Impact Assessment
The primary targets are Windows-based developers and technical users evaluating or actively using Claude-Code. Successful infection provides attackers with persistent, full remote access via PlugX and command execution capability via Beagle. The in-memory execution of the final payload significantly complicates forensic detection. The use of a signed legitimate binary for sideloading further reduces the likelihood of AV detection at the point of execution.
Mitigation & Recommendations
- Validate domains: Only download AI tools from verified official sources. Anthropic’s official domain is
anthropic.com. - Block the IOC: Add
claude-pro[.]comto DNS blocklists and firewall deny lists immediately. - Hunt for persistence: Search endpoints for
NOVupdate.exe,avk.dll, andNOVupdate.exe.datin Startup directories. - Monitor sideloading: Alert on signed vendor binaries loading unexpected DLLs from non-standard paths.
- Educate developers: AI tooling is an increasingly exploited lure — developer security awareness programmes should include supply chain hygiene for AI utilities.