Sophos — Fake Claude AI Website Delivers Beagle Windows Backdoor

AI relevance: Attackers are impersonating Claude — one of the most widely used AI coding assistants — to deliver a new Windows backdoor, exploiting the trust developers place in popular AI tool brands.

What happened

  • A fake Claude AI website at claude-pro[.]com offers a "Claude-Pro Relay" download marketed as a high-performance relay for Claude Code developers; Sophos and Malwarebytes reported the campaign on May 7, 2026.
  • The site mimics Claude's visual design but all secondary links redirect to the front page — only the download button is functional, serving a 505 MB archive named Claude-Pro-windows-x64.zip.
  • The ZIP contains an MSI installer that deploys a working Claude install; the trojanized part is the three files it drops alongside it into the Windows Startup folder: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll.
  • NOVupdate.exe is a legitimately signed G Data antivirus updater abused for DLL sideloading — a technique catalogued by MITRE as T1574.002. The malicious avk.dll decrypts and executes the payload from NOVupdate.exe.dat in memory.
  • Sophos identified the first-stage loader as DonutLoader, an open-source in-memory injector, which deploys a previously undocumented Windows backdoor the researchers call Beagle (distinct from the 2004 Beagle/Bagle worm).
  • The Beagle backdoor supports a limited command set: cmd execution, file upload/download, mkdir, rename, ls, rm, and uninstall — communicating with C2 at license[.]claude-pro[.]com over TCP/443 or UDP/8080 with a hardcoded AES key.
  • The C2 server resolves to IP 8.217.190[.]58, within an Alibaba Cloud address range.
  • Sophos found additional Beagle samples submitted to VirusTotal between February and April 2026 using the same XOR decryption key, delivered via different attack chains including Microsoft Defender binaries, AdaptixC2 shellcode, a decoy PDF, and impersonated update sites for CrowdStrike, SentinelOne, and Trellix.
  • The same DLL-sideloading triad (signed binary + malicious DLL + encrypted data file) has been linked to PlugX activity targeting government organizations in Southeast Asia.
  • The fake domain's MX records rotated between two bulk-email platforms (Kingmailer and CampaignLark), indicating active campaign maintenance.
  • Malwarebytes initially flagged the campaign noting the trojanized installer deploys a PlugX malware chain in the background while the legitimate Claude app runs in the foreground.

Why it matters

Claude receives nearly 290 million web visits per month, making it a high-value impersonation target. The campaign shows attackers actively exploiting developers' growing reliance on AI coding tools: anyone searching for Claude-related downloads risks installing malware that grants persistent remote access. Beagle's command set is small, but arbitrary command execution plus file upload and download is enough to establish a foothold that can be upgraded to more capable payloads, and Sophos notes that the same sideloading triad has appeared in PlugX espionage activity.

What to do

  • Download Claude only from the official Anthropic portal (claude.ai); avoid sponsored search results.
  • Check the per-user and all-users Windows Startup folders for NOVupdate.exe, avk.dll, and NOVupdate.exe.dat. NOVupdate.exe is a legitimately signed G Data updater, so the file on its own is not malicious; the three files sitting together in a Startup folder, outside any G Data install path, is the indicator of compromise.
  • If infected, run a full scan with updated security software, and review DNS logs and network connections for license[.]claude-pro[.]com or 8.217.190[.]58 (TCP/443 and UDP/8080 per the report).
  • Organizations should warn developers about AI tool impersonation and consider DNS-level blocking of the malicious domain and C2 IP.
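
As an added example (not from the Sophos or Malwarebytes write-ups), the PowerShell below hunts a single Windows host for the indicators listed above: the sideloading triad in the default Startup folders, live TCP connections to the published C2 address, and cached DNS answers for the campaign domains. The indicator values are the ones in the report; the folder list, output layout and "all three files together" rule are this script's own assumptions. Run it from an elevated PowerShell on the host under investigation.

```powershell
# Added hunting script, not part of the Sophos/Malwarebytes reports.
# Indicator values (file names, C2 host and IP) come from the report;
# everything else (paths checked, output format) is this script's own choice.

$triad   = @('NOVupdate.exe', 'NOVupdate.exe.dat', 'avk.dll')
$c2Ip    = '8.217.190.58'
$c2Hosts = @('license.claude-pro.com', 'claude-pro.com')

# All-users Startup folder plus the per-user folder of every profile.
$startupDirs = @(Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
$profiles = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    $startupDirs += Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}

$findings = @()
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    $present = @(Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
                 Where-Object { $triad -contains $_.Name })
    if ($present.Count -eq 0) { continue }

    foreach ($f in $present) {
        # Record hash and Authenticode status: the report says NOVupdate.exe is a
        # validly signed G Data binary, while avk.dll and the .dat are not.
        $sha256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $findings += [pscustomobject]@{
            Path   = $f.FullName
            Bytes  = $f.Length
            SHA256 = $sha256
            Status = $sig.Status
            Signer = $signer
        }
    }

    # A lone NOVupdate.exe is just a misplaced G Data updater; the IOC is the
    # signed binary, the malicious DLL and the encrypted .dat side by side.
    $names = $present | ForEach-Object { $_.Name }
    $hits  = @($triad | Where-Object { $names -contains $_ }).Count
    if ($hits -eq 3) {
        Write-Warning "Full DLL-sideloading triad present in $dir"
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No triad files found in any Startup folder.'
}

# Live TCP connections to the published C2 address. UDP/8080 has no connection
# state, so that channel has to be checked in firewall or Sysmon logs instead.
$conns = @(Get-NetTCPConnection -RemoteAddress $c2Ip -ErrorAction SilentlyContinue)
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $msg  = 'C2 connection: {0}:{1} state {2} owned by PID {3} ({4})' -f $c2Ip, $c.RemotePort, $c.State, $c.OwningProcess, $proc.ProcessName
    Write-Warning $msg
}

# Cached DNS answers show the host resolved a campaign domain recently even
# when no socket is open at the moment of the check.
$cache = @(Get-DnsClientCache -ErrorAction SilentlyContinue |
           Where-Object { ($c2Hosts -contains $_.Entry) -or ($_.Entry -like '*.claude-pro.com') })
foreach ($e in $cache) {
    Write-Warning ('DNS cache hit: {0} -> {1}' -f $e.Entry, $e.Data)
}
```

The hash and signer columns are what you would carry into a ticket or share with a vendor; a file named NOVupdate.exe whose Authenticode status is Valid and whose subject is G Data is exactly what the report describes, so the signature alone does not clear the host. Fleet-wide, the same checks translate directly into an EDR file-path query on the Startup folders and a DNS-log search for the campaign domains.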

Sources