Beagle
Beagle is a previously undocumented lightweight Windows backdoor identified in 2026 in a malvertising campaign that impersonated Anthropic Claude AI via the fake domain claude-pro[.]com. Victims were lured through sponsored search results and possibly SEO poisoning to download a trojanized ZIP archive, typically Claude-Pro-windows-x64.zip, containing an MSI installer. The installer dropped NOVupdate.exe, NOVupdate.exe.dat, and avk.dll into the Windows Startup folder. NOVupdate.exe was a legitimate signed G DATA updater abused for DLL sideloading; the malicious avk.dll decrypted NOVupdate.exe.dat and executed DonutLoader shellcode, which loaded Beagle entirely in memory. Reported command support includes uninstall, cmd, upload, download, mkdir, rename, ls, and rm, enabling remote command execution, file transfer, directory management, persistence, and self-uninstallation. Beagle communicated with license[.]claude-pro[.]com over TCP 443 and/or UDP 8080, with traffic encrypted using a hardcoded AES key, beagle_default_secret_key_12345!. One report associated the C2 with IP address 8.217.190.58. Researchers noted PlugX-like tradecraft and overlaps with DLL sideloading chains historically associated with PlugX or ShadowPad, but attribution to a specific threat actor was not conclusive. Related infrastructure and lures also impersonated security vendors including Trellix, CrowdStrike, SentinelOne, and Microsoft Defender. High-confidence indicators mentioned in the content include claude-pro[.]com, license[.]claude-pro[.]com, NOVupdate.exe, avk.dll, NOVupdate.exe.dat, and the ZIP lure Claude-Pro-windows-x64.zip.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
3 techniques
Resource Development
The campaign appears to be spreading through malvertising, where attackers pay to place malicious links in search engine ads and sponsored results.
Cybercriminals have launched a sophisticated malvertising campaign using a fake Claude‑AI website... The deceptive site, reachable through sponsored search results, mimics Anthropic’s legitimate Claude interface and lures users into downloading what appears to be a productivity‑oriented “Claude‑Pro Relay” tool but is in fact a poisoned installer.
Execution
4 techniques
Execution
Through this connection, an attacker can upload and download files, run commands, manage directories, and maintain persistent access on the compromised machine.
It supports a small set of commands such as running arbitrary shell commands...
Persistence
1 technique
Persistence
Privilege Escalation
1 technique
Privilege Escalation
Stealth
7 techniques
Stealth
Sophos found other samples from February and April. Further investigation revealed that hackers reused the same XOR key across different Donut samples throughout the year.
The malicious domain claude‑pro[.]com presents a stripped‑down clone of the official Claude design, using similar colors and fonts to create a veneer of legitimacy.
It supports a small set of commands such as ... uninstalling itself to destroy evidence.
Victims are kept in the dark, because after deploying the payload files, the VBScript writes a small batch file called ~del.vbs.bat that waits two seconds, then deletes both the original VBScript and the batch file itself.
The malicious DLL decrypts the payload hidden inside NOVupdate.exe.dat using a hardcoded XOR key and runs the result entirely in memory.
Discovery
2 techniques
Discovery
Command and Control
4 techniques
Command and Control
The malware communicates with its command‑and‑control server at license[.]claude‑pro[.]com over TCP port 443 or UDP port 8080, encrypting traffic with a hardcoded AES key to make network monitoring more difficult.
The backdoor communicates with the command-and-control (C2) server... over TCP (443) and/or UDP (8080).
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A named Windows malware family mentioned as being delivered via a fake Claude AI website.
A Windows backdoor delivered via a trojanized installer from a fake Claude-AI website. It is loaded in memory via DLL sideloading and DonutLoader, and supports remote command execution, file upload/download, directory operations, listing folder contents, and self-uninstallation. It communicates with C2 over TCP 443 or UDP 8080 using a hardcoded AES key.
A newly identified backdoor delivered after DonutLoader execution. It connects to a command-and-control server over TCP 443 and UDP 8080 using a hardcoded AES key, allowing attackers to upload and download files, run commands, manage directories, and maintain persistent access on compromised systems.
Related Articles: Fake Claude AI website delivers new 'Beagle' Windows malware
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.