Hackers Use PlugX-Like DLL Sideloading Chain in Fake Claude Malware Campaign

Cybercriminals are getting creative with how they lure victims into downloading malware, and a new campaign involving a fake version of Anthropic’s Claude AI assistant is raising serious concerns.

Attackers set up a convincing lookalike website to distribute a dangerous installer that quietly plants a backdoor on infected systems. The campaign uses a chain of techniques that, until recently, had mostly been seen in state-linked espionage operations.

The fake site, hosted at claude-pro[.]com, closely mirrors the look and feel of the real Claude website, using similar fonts and color schemes. Visitors are offered a download called “Claude-Pro Relay,” packaged as a large ZIP archive containing a full Windows installer.

Once run, that installer silently drops three malicious files into the user’s startup folder, ensuring they all execute automatically every time the system boots up.

Researchers from Sophos X-Ops identified the campaign after investigating reports of the fake Claude website actively distributing malware. While the attack chain initially looked like a classic PlugX operation, a closer look revealed something unexpected beneath the surface. The team uncovered a previously undocumented backdoor they have named “Beagle,” alongside a first-stage loader known as DonutLoader.

The campaign appears to be spreading through malvertising, where attackers pay to place malicious links in search engine ads and sponsored results. Unsuspecting users searching for the Claude AI tool could easily land on the fake site without realizing anything is wrong. Threat actors may have also used SEO poisoning to further boost the site’s visibility in organic search results.

Hackers Use PlugX-Like DLL Sideloading Chain

What makes this campaign especially notable is how it blends older, well-documented attack methods with a freshly crafted payload. The reuse of a shared XOR key across multiple samples from earlier in 2026 suggests this is not a one-off effort. Related samples show different payloads and infection chains, pointing to ongoing development spread over several months.

The infection begins once the user runs the Claude.msi installer, which drops three files: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. NOVupdate.exe is a legitimate, signed updater from G DATA antivirus, but the attackers swap out the real avk.dll with a malicious version, tricking the trusted executable into loading it. This technique, known as DLL sideloading, is a hallmark of PlugX campaigns dating back over a decade.

The malicious DLL decrypts the payload hidden inside NOVupdate.exe.dat using a hardcoded XOR key and runs the result entirely in memory. This in-memory approach makes detection much harder for traditional security tools. The decrypted content turns out to be DonutLoader shellcode, an open-source loader previously linked to sophisticated attacks on government organizations.

This combination of a signed legitimate binary, a sideloaded malicious DLL, and an encrypted data file closely mirrors known PlugX attack setups. However, despite the nearly identical structure, the final payload here is not PlugX. It opens the door to a different and newly identified threat entirely.

Beagle Backdoor and C2 Infrastructure

Once DonutLoader executes, it delivers the final payload: the Beagle backdoor. Beagle connects to a command-and-control server at license[.]claude-pro[.]com (IP: 8.217.190.58) over TCP port 443 and UDP port 8080, using a hardcoded AES key to encrypt all traffic. Through this connection, an attacker can upload and download files, run commands, manage directories, and maintain persistent access on the compromised machine.

Sophos researchers also found related samples on VirusTotal dating back to February 2026. One variant used a Microsoft Defender utility as the trusted host binary, while a March 2026 sample led to the deployment of AdaptixC2, an open-source red team framework tied to ransomware activity. These findings suggest the underlying infrastructure may be serving multiple campaigns or threat actors simultaneously.

To stay protected, users should only download Claude from the official Anthropic website and avoid clicking on sponsored search result links. Checking startup folders for the files NOVupdate.exe, avk.dll, and NOVupdate.exe.dat is a practical first step for anyone who may have visited the fake site. Monitoring outbound connections to claude-pro[.]com and license[.]claude-pro[.]com is also strongly advised.

Indicators of Compromise (IoCs):-

Type	Indicator	Description
Domain	claude-pro[.]com	Fake Claude AI website used for malware distribution
Domain	license[.]claude-pro[.]com	Command-and-control (C2) server domain
IP Address	209.189.190.206	Possible hosting server (CloudFlare origin, set up March 2026)
IP Address	178.128.108.89	Second linked hosting server
Domain	vertextrust-advisors[.]com	Domain linked to a secondary hosting server associated with the threat actor
IP Address	8.217.190.58	IP address associated with C2 domain license[.]claude-pro[.]com
File Name	Claude-Pro-windows-x64.zip	Malicious ZIP archive (~505MB) distributed via fake site
File Name	Claude.msi	Windows installer contained within the malicious ZIP archive
File Name	NOVupdate.exe	Legitimate G DATA signed executable used in DLL sideloading
File Name	avk.dll	Malicious DLL sideloaded to replace the legitimate G DATA DLL
File Name	NOVupdate.exe.dat	Encrypted data file containing the DonutLoader shellcode payload
Encryption Key (XOR)	SGkGHumNrDbt1OEHV3y2dVh5bQby2R	XOR decryption key used to decrypt the first-stage shellcode
Encryption Key (AES)	beagle_default_secret_key_12345!	Hardcoded AES key used by the Beagle backdoor for C2 communications
Domain	gouvvbo[.]top	C2 server used by March 2026 variant sample
Domain	update-treix[.]com	C2 domain used by GoddTV.msi sample
Domain	update-crowdstrike[.]com	Domain hosted on same IP as update-treix[.]com (192.252.186.62)
Domain	update-sentinelone[.]com	Domain hosted on same IP as update-treix[.]com (192.252.186.62)
IP Address	192.252.186.62	Shared IP hosting update-treix[.]com and thematically linked domains
File Name	MpCopyAccelerator.exe	Legitimate Microsoft Defender utility used in February 2026 variant
File Name	MpClient.dll	Malicious sideloaded DLL in February 2026 variant

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.