
Malicious Installer Targets Developers Via Spoofed Claude AI Website

Featured image: the Claude AI logo, labeled, alongside Impreza's character Jake, made by the Impreza Host Team, 2026

A fake version of the Claude AI website offers a malicious Claude-Pro Relay download that delivers a previously undocumented Windows backdoor named Beagle.

The threat actor advertises Claude-Pro as a “high-performance relay service designed specifically for Claude-Code” developers.

Meanwhile, the fake website attempts to mimic the legitimate platform for the popular Claude large language model (LLM) and AI assistant by using similar colors and fonts.

However, the deception quickly becomes obvious because every link simply redirects users back to the front page, researchers at cybersecurity company Sophos explained in a report published.

Fake Claude AI website
Source: Sophos

Users who land on “claude-pro[.]com” and fail to recognize the scam can only click a large download button for the malicious payload. The site distributes a 505MB archive named ‘Claude-Pro-windows-x64.zip’, which contains an MSI installer allegedly tied to the Claude-Pro Relay product.

Sophos and Malwarebytes Trace the Malware Chain

Sophos says that running the binary adds three files to the Startup folder: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll.

Earlier, Malwarebytes discovered the campaign and reported that the fake ‘Pro’ installer contains a trojanized copy of Claude. Although the application works as expected, it secretly deploys a PlugX malware chain in the background and gives attackers remote access to the infected system.

After taking a closer look at the operation, Sophos discovered that the first-stage payload used DonutLoader to fetch “a relatively simple backdoor” that researchers named Beagle.

The malware supports the following commands:

  • uninstall: uninstalls agent
  • cmd: executes command
  • upload: uploads file
  • download: downloads file
  • mkdir: creates directory
  • rename: renames file
  • ls: lists directory content
  • rm: removes directory

It is worth clarifying that the Beagle backdoor differs from the Delphi-based Beagle/Bagle worm documented in 2004.

Attackers Abuse Signed G Data Components

According to the researchers, NOVupdate.exe acts as a signed updater for G Data security solutions. The threat actor uses the executable to sideload the malicious avk.dll file alongside the encrypted NOVupdate.exe.dat payload.

Additionally, Sophos notes that this sideloading technique, involving the AVK DLL and encrypted files, has previously been linked with PlugX activity.

The DLL decrypts and executes the payload stored inside NOVupdate.exe.dat, which contains the open-source in-memory injector DonutLoader. Sophos previously spotted Donut in attacks during 2024 that targeted government organizations across Southeast Asia.

In this campaign, DonutLoader deploys the final payload — the Beagle backdoor — directly into system memory to evade security detection.

Beagle Communicates Through Encrypted C2 Infrastructure

The backdoor communicates with the command-and-control (C2) server at ‘license[.]claude-pro[.]com’ over TCP port 443 and/or UDP port 8080. Additionally, a hardcoded AES key protects the communications.

Sophos also noted that the C2 infrastructure operates from the IP address 8.217.190[.]58. Meanwhile, Malwarebytes researchers linked the address range to the Alibaba Cloud service.

Further investigation led Sophos to additional malware samples tied to Beagle that attackers submitted to VirusTotal between February and April this year. Researchers also discovered that all samples used the same XOR decryption key.

However, the additional samples infected systems through different attack chains. Those methods included Microsoft Defender binaries, AdaptixC2 shellcode, decoy PDF files, and fake update websites impersonating security vendors such as CrowdStrike, SentinelOne, and Trellix.

Although Sophos could not confidently attribute the campaign to a specific threat actor, researchers suggested that the operators behind PlugX may currently be experimenting with a new malware payload.

To reduce the risk of compromise, users should only download Claude software from the official website and avoid sponsored search results whenever possible. Additionally, the presence of ‘NOVupdate’ files on a machine strongly indicates a system compromise.
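As an added defender-side triage example (not code from the article, Sophos or Malwarebytes), the check below looks for the NOVupdate.exe / NOVupdate.exe.dat / avk.dll triplet in the Windows Startup folders and for the network indicators the article quotes in DNS or proxy log lines; the log line format and the sample lines are assumptions constructed for the example.

```python
"""Triage check for the Beagle/PlugX sideloading chain described in the article."""
import os
import re
from typing import Iterable

# Filenames the report says are dropped into the Startup folder.
STARTUP_TRIPLET = {"novupdate.exe", "novupdate.exe.dat", "avk.dll"}
# Network indicators quoted in the article (defanging brackets removed).
C2_DOMAINS = {"claude-pro.com"}          # also matches license.claude-pro.com
C2_IPS = {"8.217.190.58"}
ARCHIVE_NAME = "claude-pro-windows-x64.zip"

# Constructed sample log lines for demonstration; not taken from the article.
SAMPLE_LOG = [
    "2026-03-02T10:14:01Z dns query A license.claude-pro.com from 10.0.0.15",
    "2026-03-02T10:14:02Z conn 10.0.0.15:51022 -> 8.217.190.58:443 tcp",
    "2026-03-02T10:15:00Z dns query A claude.ai from 10.0.0.15",
]


def startup_dirs() -> list[str]:
    """Per-user and all-users Startup folders on Windows (empty list elsewhere)."""
    candidates = [
        os.path.join(os.environ.get("APPDATA", ""),
                     r"Microsoft\Windows\Start Menu\Programs\Startup"),
        os.path.join(os.environ.get("PROGRAMDATA", ""),
                     r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    ]
    return [d for d in candidates if os.path.isdir(d)]


def check_startup(filenames: Iterable[str]) -> dict:
    """Report which parts of the sideloading triplet appear in a folder listing."""
    present = {f.lower() for f in filenames} & STARTUP_TRIPLET
    return {"hits": sorted(present), "full_chain": present == STARTUP_TRIPLET}


def check_log_lines(lines: Iterable[str]) -> list[str]:
    """Return the log lines that mention the C2 domain, C2 IP or the archive name."""
    indicators = C2_DOMAINS | C2_IPS | {ARCHIVE_NAME}
    pattern = re.compile("|".join(re.escape(i) for i in indicators), re.IGNORECASE)
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    for folder in startup_dirs():
        print(folder, check_startup(os.listdir(folder)))
    for hit in check_log_lines(SAMPLE_LOG):
        print("indicator match:", hit)
```

A single avk.dll hit without the updater is reported as a partial match so it can be reviewed rather than dismissed.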

Source: BleepingComputer
