Bogus Claude portal plants Windows backdoor

Windows users seeking Claude-branded desktop tools have been targeted by a fake Anthropic-themed website distributing Beagle, a previously undocumented backdoor delivered through a DLL sideloading chain that gives attackers remote control over infected machines. The campaign used the domain claude-pro[.]com to imitate Claude’s official interface and lure visitors into downloading a supposed Claude-Pro Relay installer aimed at developers working with Claude Code.

The fraudulent site copied the visual cues of the real Claude service, including similar colours and fonts, but closer inspection gave it away. Most links simply redirected back to the front page, while the prominent download button offered a large archive named Claude-Pro-windows-x64.zip. The file, roughly 505MB, contained an MSI installer named Claude.msi that presented itself as a legitimate Windows package.

Once executed, the installer placed three components in the Windows Startup folder: NOVupdate.exe, NOVupdate.exe.dat and avk.dll. NOVupdate.exe appeared to be a signed updater associated with G DATA antivirus products, allowing the chain to borrow the trust attached to a legitimate, signed executable. The malicious avk.dll was loaded from the same directory, a classic DLL sideloading technique: the trusted process loads the attacker's library, so the malicious code runs inside a legitimately signed image and draws less scrutiny from security tools.

The infection chain then decrypted the encrypted payload stored in NOVupdate.exe.dat and executed shellcode associated with DonutLoader, an open-source in-memory loader. DonutLoader in turn fetched Beagle, the final backdoor payload. Beagle supports commands to uninstall itself, execute shell commands, upload and download files, create folders, rename files, list directory contents and remove directories, giving the operator broad access to the victim's system.
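The on-disk pattern described above (a signed executable, a companion data blob and a DLL sitting together in a Startup folder) is something a responder can check for directly. The following PowerShell triage script is an added example and is not code from the article or from any vendor; it is a heuristic, and the file names it flags are whatever it finds rather than the specific names reported here. It lists every executable in the per-user and all-users Startup folders, checks its Authenticode signature, looks for a same-named `.exe.dat` companion and reports any DLL in the same directory whose signature is missing, invalid or from a different signer than the executable.

```powershell
# Added example: triage both Startup folders for DLL-sideloading candidates.
# Heuristic only; not from the original article. Run in an elevated PowerShell
# so the all-users Startup folder is readable.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

foreach ($dir in $startupDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    # A Startup folder normally holds .lnk shortcuts; loose .exe/.dll/.dat files are already unusual.
    $files = Get-ChildItem -Path $dir -File -Force

    foreach ($exe in ($files | Where-Object { $_.Extension -eq '.exe' })) {
        $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Write-Host ""
        Write-Host "[EXE] $($exe.FullName)"
        Write-Host "      signature: $($sig.Status)  signer: $signer"
        Write-Host "      sha256:    $((Get-FileHash -Algorithm SHA256 -Path $exe.FullName).Hash)"

        # Companion payload blob named after the host executable, e.g. <name>.exe.dat.
        $dat = Join-Path -Path $dir -ChildPath ($exe.Name + '.dat')
        if (Test-Path -Path $dat) {
            Write-Host "      [!] companion data file: $dat ($((Get-Item -Path $dat).Length) bytes)"
        }

        # Any DLL beside a signed EXE in a Startup folder is a sideload candidate;
        # a missing, invalid or mismatched signature on the DLL makes it a strong one.
        foreach ($dll in ($files | Where-Object { $_.Extension -eq '.dll' })) {
            $dsig = Get-AuthenticodeSignature -FilePath $dll.FullName
            $dsigner = if ($dsig.SignerCertificate) { $dsig.SignerCertificate.Subject } else { '<unsigned>' }
            $flag = if ($dsig.Status -ne 'Valid' -or $dsigner -ne $signer) { '[!]' } else { '   ' }
            Write-Host "      $flag dll: $($dll.Name)  signature: $($dsig.Status)  signer: $dsigner"
            Write-Host "          sha256: $((Get-FileHash -Algorithm SHA256 -Path $dll.FullName).Hash)"
        }
    }
}
```

Two caveats when reading the output. A `Valid` signature on the executable does not clear it; in this campaign the valid G DATA signature is exactly the trust being abused, so the question is why a vendor updater is in a Startup folder at all rather than in the vendor's install directory. And the check only covers the two Startup folders; the same pairing in any other directory (combined with a Run key, scheduled task or service pointing at it) deserves the same treatment, and Sysmon image-load telemetry (Event ID 7) will show the signed process loading the unsigned DLL regardless of where the files sit.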

Beagle communicated with its command-and-control infrastructure through license[.]claude-pro[.]com over TCP port 443 or UDP port 8080. Its traffic used AES encryption with a hardcoded key and a randomly generated 16-byte initialisation vector per packet, while infected machines sent heartbeat-style data containing an agent identifier, hostname and user information. That combination indicates a tool built for continued remote access rather than a one-off credential theft operation.
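The two properties reported for the channel, a hardcoded key and a fresh random IV on every packet, pull in opposite directions for a defender: the random IV means no two heartbeats share ciphertext bytes, so static content signatures on the wire will not work, but the hardcoded key means anyone who has recovered it from the sample can decrypt a capture. The script below is an added example, not the article's or the malware's code. The packet framing it uses (16-byte IV prepended to AES-256-CBC ciphertext with PKCS7 padding, carrying a `field=value;` heartbeat) and the placeholder key are assumptions for illustration; the source does not publish Beagle's actual layout or key. `Protect-Beacon` exists only to construct sample packets so that `Unprotect-Beacon`, the defender-side decoder, can be exercised offline.

```powershell
# Added example: decode a captured beacon once the key has been recovered from the sample.
# ASSUMED framing: IV(16) || AES-256-CBC(PKCS7) ciphertext of a UTF-8 "field=value;" heartbeat.
# The real Beagle packet layout and key are not published; everything here is a placeholder.
$PlaceholderKey = [byte[]](0..31)   # stands in for the key extracted from the sample

function New-AesCbc([byte[]]$Key) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    return $aes
}

function Protect-Beacon([byte[]]$Key, [string]$Plain) {
    # Producer side, used only to build constructed sample packets for the decoder.
    $aes = New-AesCbc -Key $Key
    $aes.GenerateIV()                                   # fresh random 16-byte IV per packet
    $iv = $aes.IV
    $pt = [System.Text.Encoding]::UTF8.GetBytes($Plain)
    $ct = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
    $aes.Dispose()
    return [byte[]]($iv + $ct)
}

function Unprotect-Beacon([byte[]]$Key, [byte[]]$Packet) {
    # Defender side: split off the IV, decrypt the rest with the hardcoded key.
    if ($Packet.Length -lt 32 -or ($Packet.Length % 16) -ne 0) {
        throw "packet length $($Packet.Length) does not fit IV || whole CBC blocks"
    }
    $aes = New-AesCbc -Key $Key
    $aes.IV = [byte[]]$Packet[0..15]
    $body = [byte[]]$Packet[16..($Packet.Length - 1)]
    $pt = $aes.CreateDecryptor().TransformFinalBlock($body, 0, $body.Length)
    $aes.Dispose()
    return [System.Text.Encoding]::UTF8.GetString($pt)
}

# Constructed heartbeat resembling the fields reported for Beagle (agent id, hostname, user).
$heartbeat = "agent=0123456789abcdef;host=$env:COMPUTERNAME;user=$env:USERNAME;"

$p1 = Protect-Beacon -Key $PlaceholderKey -Plain $heartbeat
$p2 = Protect-Beacon -Key $PlaceholderKey -Plain $heartbeat

# Same plaintext, same key, different bytes on the wire: only the IV changed.
Write-Host ("packet 1: " + [BitConverter]::ToString($p1).Replace('-', ''))
Write-Host ("packet 2: " + [BitConverter]::ToString($p2).Replace('-', ''))
Write-Host ("ciphertext bytes identical: " + ([BitConverter]::ToString($p1[16..31]) -eq [BitConverter]::ToString($p2[16..31])))

# Both still decode with the hardcoded key, which is the point for a defender holding the sample.
Write-Host ("decoded 1: " + (Unprotect-Beacon -Key $PlaceholderKey -Packet $p1))
Write-Host ("decoded 2: " + (Unprotect-Beacon -Key $PlaceholderKey -Packet $p2))
```

In practice the decoder would be fed the payload of each TCP/443 or UDP/8080 datagram to license[.]claude-pro[.]com from a capture, and the value to the analyst is that the heartbeat fields come back in the clear. For detection without the key, the usable signals are the destination, the cadence of the beacons and the fact that every heartbeat of the same shape produces a packet of the same length (plaintext length rounded up to a block, plus 16 for the IV), none of which the random IV hides.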

The campaign’s wider infrastructure suggests preparation beyond a single cloned website. One hosting server associated with the fake Claude domain was set up in March 2026, while another linked server was connected to a separate domain posing as a professional advisory firm registered in mid-April. Researchers could not confirm whether that second site had distributed files, but its presence pointed to either staging activity or a broader infrastructure build-out.

The attribution picture remains cautious. The use of a signed G DATA executable, a malicious DLL and an encrypted data file resembles PlugX-style campaigns, and DLL sideloading has long been associated with PlugX and other espionage-linked malware families. Yet the final payload in this case was not PlugX but Beagle, leaving open whether the operators retooled an existing infection chain or copied methods used by another group. Code overlap between PlugX and ShadowPad further complicates firm attribution.

The attack also reflects a wider shift in social engineering, where threat actors exploit public demand for AI tools by promoting cloned websites through sponsored search results, search poisoning or malicious advertising. Earlier fake Claude Code installation pages had already targeted Windows and macOS users with infostealers, showing that developer workflows involving quick downloads and command-line installation steps have become attractive routes for compromise.

