Fake Claude AI Site Delivers Beagle Backdoor via Malvertising
A malvertising and SEO-poisoning campaign is impersonating Anthropic’s Claude AI with the domain claude-pro[.]com, luring users to download a trojanized Windows installer that deploys a newly identified backdoor called Beagle. Researchers said the fake site appeared in sponsored search results and mimicked Claude branding to distribute a ZIP archive containing an MSI package that installed a legitimate signed G DATA executable alongside a malicious DLL, abusing DLL sideloading to begin the infection chain.
After execution, the malware decrypts additional payloads, launches DonutLoader, and loads Beagle entirely in memory to reduce disk-based detection. The backdoor provides remote access functions including command execution, file transfer, directory management, and self-uninstallation, and communicates with license[.]claude-pro[.]com over TCP 443 or UDP 8080 using a hardcoded AES key. Sophos X-Ops said the campaign has been active for months, uses anti-analysis measures and shared tooling such as a reused XOR key, and relies on infrastructure including Cloudflare and Alibaba Cloud; researchers also noted overlaps with activity linked to PlugX operators and related impersonation of vendors including Trellix, CrowdStrike, SentinelOne, and Microsoft Defender.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers report Beagle campaign and note possible PlugX-linked overlaps
Sophos X-Ops publicly identified the fake Claude AI malware campaign and documented technical details including anti-analysis measures, reused tooling such as a common XOR key, and infrastructure choices involving Cloudflare and Alibaba Cloud. Researchers said attribution was not conclusive but noted overlaps suggesting possible links to actors associated with PlugX.
Trojanized Claude installer deploys newly identified Beagle backdoor
Victims who downloaded the fake Claude-Pro package received a ZIP archive containing an MSI that installed a legitimate signed G DATA executable and abused DLL sideloading to decrypt and load the previously unknown Beagle backdoor in memory. Beagle provided remote access features including command execution, file transfer, directory management, and self-uninstallation, and communicated with license.claude-pro.com.
Malvertising campaign begins using fake Claude AI site
A campaign active for months in 2026 used malvertising and SEO poisoning to direct users to the fake domain claude-pro.com, which impersonated Anthropic's Claude AI service. The operation also reportedly used related impersonation themes involving security vendors to lure victims.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Fake Claude AI Site Spreads New Beagle Windows Backdoor - Here’s How to Stay Safe - CySecurity News - Latest Information Security and Hacking Incidents
cysecurity.news
Open sourceHackers Use Fake Claude AI Site to Infect Users With New Beagle Malware
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Fake Claude AI Installer Delivers PlugX RAT via DLL Sideloading
A fake website impersonating Anthropic’s Claude AI service has been used to distribute the **PlugX remote access trojan**, luring victims with a trojanized ZIP archive advertised as a “pro” installer. The package launches a working Claude-themed application to avoid suspicion while a hidden VBScript begins the infection chain, abusing interest in AI tools as social-engineering cover for malware delivery. The script copies a legitimate signed **G DATA** executable and a malicious `avk.dll` into the Windows Startup folder, where DLL sideloading allows the trusted binary to load the rogue library. The DLL then decrypts and executes a payload stored in an encrypted `.dat` file, establishes persistence, modifies a TCP/IP-related Windows registry key, and connects over HTTPS to `8.217.190[.]58` hosted on Alibaba Cloud; researchers also said the campaign uses self-deleting scripts to reduce forensic visibility. While PlugX has long been linked to espionage activity, researchers cautioned that the malware is now broadly reused and the campaign cannot be attributed on tooling alone.
May 11, 2026
Malvertising and Supply-Chain Lures Impersonate AI Developer Tools to Deliver Infostealers and RATs
Threat actors are abusing interest in AI developer tools by impersonating installers and setup guides to trick users into executing malware. Fake installation-guide pages for Anthropic’s **Claude Code** were promoted via **Google Ads** to rank highly for searches like “Claude Code install/CLI,” leading Windows and macOS users to run copy-pasted commands in an **InstallFix** campaign (a variant of **ClickFix**) that ultimately deployed **Amatera** (an **ACR Stealer**-based MaaS infostealer). Push Security reported the malware steals browser-stored credentials, cookies, session tokens, and system information, and the infrastructure used legitimate hosting/CDN services (e.g., *Squarespace*, *Cloudflare Pages*, *Tencent EdgeOne*) to reduce suspicion. In a related AI-tool impersonation theme, JFrog identified a malicious **npm** package, `@openclaw-ai/openclawai`, posing as an **OpenClaw** installer that targets macOS users to steal credentials and establish persistent remote access. The package uses a `postinstall` hook to reinstall itself globally and registers a CLI via the `bin` field pointing to `scripts/setup.js`, which presents a fake installer UI and then prompts for the user’s system password via a bogus Keychain/iCloud authorization flow. The malware (self-identified as **GhostLoader**) was reported to collect browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also deploying a **RAT** with **SOCKS5 proxy** capability and “live browser session cloning,” indicating a blend of credential theft and long-term access objectives.
Apr 1, 2026
Malicious and unsafe use of Anthropic Claude Code leading to malware delivery and destructive infrastructure changes
Push Security reported an **“InstallFix” malvertising campaign** targeting developers searching for Anthropic’s *Claude Code* CLI. Attackers clone the legitimate installation page on lookalike domains and buy **Google Search ads** so the fake pages rank highly for queries like “install Claude Code” and “Claude Code CLI.” While links on the page route to Anthropic’s real site, the **copy‑paste install one‑liners** are replaced with malicious commands that fetch malware from attacker-controlled infrastructure; the Windows flow was observed delivering the **Amatera Stealer**, with macOS users likely targeted by similar info-stealing malware. Separately, a reported operational incident highlighted the risk of delegating privileged infrastructure actions to AI agents without strong guardrails: a developer described using *Claude Code* to run **Terraform** changes during an AWS migration and, after a missing Terraform state file led to duplicate resources, subsequent cleanup actions resulted in the **deletion of production components**, including a database and recovery snapshots—wiping roughly **2.5 years of records**. Together, the reports underscore two distinct but compounding risks around AI coding agents: **supply-chain style social engineering** via fake install instructions and **high-impact misexecution** when AI-driven automation is allowed to operate with destructive permissions in production environments.
May 12, 2026