Fake Claude AI Installer Delivers PlugX RAT via DLL Sideloading
A fake website impersonating Anthropic’s Claude AI service has been used to distribute the PlugX remote access trojan, luring victims with a trojanized ZIP archive advertised as a “pro” installer. The package launches a working Claude-themed application to avoid suspicion while a hidden VBScript begins the infection chain, abusing interest in AI tools as social-engineering cover for malware delivery.
The script copies a legitimate signed G DATA executable and a malicious avk.dll into the Windows Startup folder, where DLL sideloading allows the trusted binary to load the rogue library. The DLL then decrypts and executes a payload stored in an encrypted .dat file, establishes persistence, modifies a TCP/IP-related Windows registry key, and connects over HTTPS to 8.217.190[.]58 hosted on Alibaba Cloud; researchers also said the campaign uses self-deleting scripts to reduce forensic visibility. While PlugX has long been linked to espionage activity, researchers cautioned that the malware is now broadly reused and the campaign cannot be attributed on tooling alone.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Sophos identifies Beagle backdoor behind fake Claude installer campaign
Sophos X-Ops reported that the fake Claude site campaign used Donut shellcode to load a previously undocumented backdoor they named Beagle, rather than only PlugX-like malware. The backdoor communicated with license[.]claude-pro[.]com over TCP 443 and/or UDP 8080 using AES-encrypted JSON messaging and supported command execution, file transfer, directory management, and self-uninstall.
Technical details reveal persistence and C2 behavior in the PlugX campaign
Analysis showed the malware established persistence by copying components into the Windows Startup folder, used self-deleting scripts to reduce forensic visibility, modified a TCP/IP-related registry key, and communicated over HTTPS with 8.217.190.58 hosted on Alibaba Cloud. Reporting noted that while PlugX has historic links to Chinese espionage, attribution could not be made from the tooling alone because the malware is now widely reused.
Researchers identify fake Claude site delivering PlugX via DLL sideloading
Malwarebytes reported a campaign using a fake website impersonating Anthropic's Claude AI service to distribute the PlugX remote access trojan in a trojanized ZIP installer marketed as a "pro version." The infection chain used a VBScript, a legitimate signed G DATA executable, a malicious avk.dll, and an encrypted payload file to install malware while presenting a working Claude application to the victim.
Sophos links fake Claude campaign to earlier February and March malware samples
Sophos found related samples on VirusTotal dating back to February 2026, showing the fake Claude malware activity was underway before public reporting in April. A March 2026 sample used a Microsoft Defender utility and deployed AdaptixC2 instead of Beagle, suggesting ongoing development and potentially shared infrastructure across related campaigns.
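As an added illustration of how a defender might correlate the behaviours reported in the summary and timeline above (a signed executable dropped beside avk.dll and a .dat file in the Startup folder, the HTTPS connection to 8.217.190.58, and the Beagle domain license.claude-pro.com), the following Python is example code written for this page, not code from any of the cited reports; the telemetry format, host names, and the executable and payload file names are assumptions.

```python
from collections import defaultdict

# Indicators quoted in the reporting above; the story defangs the IP, it is restored here for matching.
C2_IPS = {"8.217.190.58"}
C2_DOMAINS = {"license.claude-pro.com"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"  # per-user Startup folder path fragment

def startup_drop_types(events):
    """Map host -> set of file extensions written into a Startup folder."""
    seen = defaultdict(set)
    for ev in events:
        path = ev.get("path", "").lower()
        if ev["type"] == "file_create" and STARTUP_MARKER in path:
            seen[ev["host"]].add(path.rsplit(".", 1)[-1])
    return seen

def assess(events):
    """Return {host: [findings]} for hosts showing behaviours from the reported chain."""
    findings = defaultdict(list)
    for host, exts in startup_drop_types(events).items():
        if {"exe", "dll"} <= exts:  # executable plus DLL staged together: sideloading pattern
            findings[host].append("exe and dll dropped together into Startup (sideloading staging)")
        if "dat" in exts:
            findings[host].append("dat file dropped into Startup (possible encrypted payload)")
    for ev in events:
        if ev["type"] == "net_connect" and ev["dst_ip"] in C2_IPS:
            findings[ev["host"]].append(f"outbound connection to known C2 {ev['dst_ip']}:{ev['dst_port']}")
        elif ev["type"] == "dns_query" and ev["query"].lower().rstrip(".") in C2_DOMAINS:
            findings[ev["host"]].append(f"DNS lookup of known C2 domain {ev['query']}")
    return dict(findings)

# Constructed sample telemetry (not real logs). The signed G DATA executable and the
# .dat payload are unnamed in the reporting, so their file names here are placeholders.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create", "path": STARTUP + r"\gdata_signed_placeholder.exe"},
    {"host": "ws01", "type": "file_create", "path": STARTUP + r"\avk.dll"},
    {"host": "ws01", "type": "file_create", "path": STARTUP + r"\payload_placeholder.dat"},
    {"host": "ws01", "type": "net_connect", "dst_ip": "8.217.190.58", "dst_port": 443},
    {"host": "ws02", "type": "file_create", "path": STARTUP.replace("alice", "bob") + r"\notes.lnk"},
    {"host": "ws02", "type": "dns_query", "query": "license.claude-pro.com"},
    {"host": "ws03", "type": "net_connect", "dst_ip": "10.0.0.5", "dst_port": 443},  # benign, no hit
]

if __name__ == "__main__":
    for host, hits in assess(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(hits))
```

The exe+dll heuristic will also fire on legitimate software that installs into Startup, so treat it as a triage signal to be reviewed together with the signature of the executable and the network indicators.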
Sources
Hackers Use PlugX-Like DLL Sideloading Chain in Fake Claude Malware Campaign (cybersecuritynews.com)
Claude users beware, hackers are using a fake website to dupe developers and deliver malware | IT Pro (itpro.com)
Donuts and Beagles: Fake Claude site spreads backdoor | SOPHOS (sophos.com)
Fake Claude website distributes PlugX RAT via DLL sideloading | brief | SC Media (scworld.com)
Fake Claude AI installer abuses DLL sideloading to deploy PlugX (securityaffairs.com)