Hackers Use DLL Sideloading in Fake Claude AI Malware Campaign
Key Takeaways Cybercriminals are distributing a new backdoor, “Beagle,” by impersonating Anthropic’s Claude AI assistant through a sophisticated malvertising and DLL sideloading...
Key Takeaways
- Cybercriminals are distributing a new backdoor, “Beagle,” by impersonating Anthropic’s Claude AI assistant through a sophisticated malvertising and DLL sideloading campaign.
- The attack uses a fake website, claude-pro[.]com, to trick users into downloading a malicious Windows installer that abuses a legitimate G DATA antivirus executable.
- The campaign employs a multi-stage infection chain, including a new backdoor named Beagle and an open-source loader called DonutLoader, reminiscent of tactics previously seen in state-sponsored espionage.
- Victims risk full system compromise, including file manipulation, command execution, and persistent remote access by attackers.
A new, highly concerning malware campaign is leveraging the popularity of Anthropic’s Claude AI assistant to distribute a previously undocumented backdoor dubbed “Beagle.” This sophisticated operation employs DLL sideloading, a technique often associated with advanced persistent threat (APT) groups, to compromise unsuspecting users.
Table Of Content
The campaign, identified and detailed by researchers at Sophos X-Ops, involves a meticulously crafted lookalike website designed to mimic the official Claude AI portal. This fake site serves as the distribution point for a malicious installer that establishes a persistent backdoor on infected systems.
Deceptive Distribution and Initial Infection
Attackers have established a convincing replica of the Claude AI website, hosted at claude-pro[.]com. The site employs similar design elements, fonts, and color schemes to appear legitimate. Visitors are prompted to download “Claude-Pro Relay,” delivered as a substantial ZIP archive containing a full Windows installer. Upon execution, this installer discreetly drops three malicious files into the user’s startup folder, ensuring automatic execution with every system boot.
Sophos X-Ops initiated their investigation after reports surfaced regarding this deceptive Claude website. While initial analysis suggested a typical PlugX operation, further scrutiny revealed a distinct and previously unknown backdoor, which they named “Beagle,” along with a first-stage loader called DonutLoader.
The malware campaign appears to propagate through malvertising, where threat actors pay to embed malicious links within search engine advertisements and sponsored results. This tactic allows unsuspecting users searching for the Claude AI tool to easily land on the fraudulent site. Additionally, attackers may have utilized SEO poisoning techniques to enhance the fake site’s organic search engine visibility.
Hackers Use PlugX-Like DLL Sideloading Chain
The campaign stands out due to its sophisticated blend of established attack methodologies and a novel payload. The consistent use of a shared XOR key across various samples from early 2026 indicates a coordinated and ongoing effort, not an isolated incident. Related samples exhibiting diverse payloads and infection chains further suggest continuous development spanning several months.
The infection process begins when a user runs the Claude.msi installer. This action deposits three files: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. Crucially, NOVupdate.exe is a legitimate, digitally signed updater from G DATA antivirus. However, attackers replace the authentic avk.dll with a malicious version, tricking the trusted NOVupdate.exe into loading the rogue DLL. This technique, known as DLL sideloading, has been a signature of PlugX campaigns for over a decade.
The malicious DLL is then responsible for decrypting the payload concealed within NOVupdate.exe.dat using a hardcoded XOR key. The decrypted content is executed entirely in memory, a tactic that significantly complicates detection by conventional security solutions. This decrypted content is identified as DonutLoader shellcode, an open-source loader previously associated with advanced attacks against government entities.
The combination of a signed legitimate binary, a sideloaded malicious DLL, and an encrypted data file closely mirrors the typical structure of PlugX attacks. Despite these structural similarities, the ultimate payload in this campaign is not PlugX, but rather a distinct and newly identified threat.
Beagle Backdoor and C2 Infrastructure
Once DonutLoader executes, it delivers the final payload: the Beagle backdoor. Beagle establishes communication with a command-and-control (C2) server located at license[.]claude-pro[.]com (IP: 8.217.190.58), utilizing TCP port 443 and UDP port 8080. All traffic between Beagle and the C2 server is encrypted using a hardcoded AES key. This persistent connection grants attackers extensive control over the compromised machine, enabling them to upload and download files, execute arbitrary commands, manage directories, and maintain long-term access.
Sophos researchers also discovered related malware samples on VirusTotal dating back to February 2026. One variant of the campaign leveraged a Microsoft Defender utility as the trusted host binary, while a sample from March 2026 was observed deploying AdaptixC2, an open-source red team framework known to be associated with ransomware activities. These findings suggest that the underlying infrastructure might be supporting multiple campaigns or potentially several distinct threat actors simultaneously.
What You Should Do
- Always download software, especially AI tools, exclusively from official vendor websites. For Claude AI, use the official Anthropic site.
- Exercise extreme caution with search engine results, particularly sponsored links or advertisements, as these are frequently exploited for malvertising.
- Regularly check your system’s startup folders (e.g.,
%APPDATA%MicrosoftWindowsStart MenuProgramsStartup) for suspicious files likeNOVupdate.exe,avk.dll, andNOVupdate.exe.dat. - Implement network monitoring to detect and block outbound connections to known malicious domains such as
claude-pro[.]comandlicense[.]claude-pro[.]com. - Ensure your antivirus and endpoint detection and response (EDR) solutions are up-to-date and configured to detect DLL sideloading and in-memory execution techniques.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Domain | claude-pro[.]com | Fake Claude AI website used for malware distribution |
| Domain | license[.]claude-pro[.]com | Command-and-control (C2) server domain |
| IP Address | 209.189.190.206 | Possible hosting server (CloudFlare origin, set up March 2026) |
| IP Address | 178.128.108.89 | Second linked hosting server |
| Domain | vertextrust-advisors[.]com | Domain linked to a secondary hosting server associated with the threat actor |
| IP Address | 8.217.190.58 | IP address associated with C2 domain license[.]claude-pro[.]com |
| File Name | Claude-Pro-windows-x64.zip | Malicious ZIP archive (~505MB) distributed via fake site |
| File Name | Claude.msi | Windows installer contained within the malicious ZIP archive |
| File Name | NOVupdate.exe | Legitimate G DATA signed executable used in DLL sideloading |
| File Name | avk.dll | Malicious DLL sideloaded to replace the legitimate G DATA DLL |
| File Name | NOVupdate.exe.dat | Encrypted data file containing the DonutLoader shellcode payload |
| Encryption Key (XOR) | SGkGHumNrDbt1OEHV3y2dVh5bQby2R | XOR decryption key used to decrypt the first-stage shellcode |
| Encryption Key (AES) | beagle_default_secret_key_12345! | Hardcoded AES key used by the Beagle backdoor for C2 communications |
| Domain | gouvvbo[.]top | C2 server used by March 2026 variant sample |
| Domain | update-treix[.]com | C2 domain used by GoddTV.msi sample |
| Domain | update-crowdstrike[.]com | Domain hosted on same IP as update-treix[.]com (192.252.186.62) |
| Domain | update-sentinelone[.]com | Domain hosted on same IP as update-treix[.]com (192.252.186.62) |
| IP Address | 192.252.186.62 | Shared IP hosting update-treix[.]com and thematically linked domains |
| File Name | MpCopyAccelerator.exe | Legitimate Microsoft Defender utility used in February 2026 variant |
| File Name | MpClient.dll | Malicious sideloaded DLL in February 2026 variant |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.