Fake Claude AI site infects Windows with new Beagle malware

Summary
– A fake website mimicking Claude AI offers a malicious “Claude-Pro Relay” download that installs a previously undocumented Windows backdoor named Beagle.
– The fake site, claude-pro[.]com, uses colors and fonts similar to the legitimate site, but its links only redirect to the front page, and the sole download button provides a malicious 505MB archive.
– Running the installer adds NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to the Startup folder; NOVupdate.exe is a signed G Data updater abused to sideload the malicious DLL and encrypted file.
– The DLL decrypts and executes the open-source DonutLoader in memory, which deploys the Beagle backdoor—a simple backdoor with commands like uninstall, cmd execution, file operations, and directory management.
– Beagle communicates with command-and-control at license[.]claude-pro[.]com via TCP port 443 or UDP port 8080, and the campaign may be linked to PlugX operators experimenting with a new payload.
A fraudulent website posing as the official Claude AI platform is actively distributing a malicious download labeled “Claude-Pro Relay,” which installs a previously undocumented Windows backdoor known as Beagle. The deceptive site promotes Claude-Pro as a “high-performance relay service designed specifically for Claude-Code” developers, but in reality, it serves as a vector for infection.
The fake site, hosted at “claude-pro[.]com,” is a crude imitation of the legitimate Claude AI site, borrowing similar colors and fonts. However, its links are broken, redirecting users only to the homepage. Cybersecurity researchers at Sophos detailed the scam in a report today, noting that visitors who fall for the ruse encounter a single large download button. Clicking it retrieves a 505MB archive named ‘Claude-Pro-windows-x64.zip,’ which contains an MSI installer for the supposed Claude-Pro Relay product.
According to Sophos, executing the installer adds three files to the Windows Startup folder: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. The campaign was first identified by Malwarebytes, whose researchers found that the ‘Pro’ installer is a trojanized copy of Claude that functions normally but secretly deploys a PlugX malware chain in the background. This grants attackers remote access to the compromised system.
Sophos dug deeper and discovered that the initial payload was DonutLoader, which then fetched a “relatively simple backdoor” they named Beagle. This backdoor supports a limited set of commands: uninstall, execute commands, upload and download files, create and remove directories, rename files, and list directory contents. It is important to clarify that this Beagle is distinct from the Delphi-based Beagle/Bagle worm from 2004.
The researchers explain that NOVupdate.exe is actually a signed updater for G Data security solutions. The attacker exploits this legitimate binary to sideload the malicious avk.dll and the encrypted NOVupdate.exe.dat file. This technique of sideloading a DLL and an encrypted file using a G Data signed executable has been previously linked to PlugX activity. The DLL’s role is to decrypt and execute the payload inside NOVupdate.exe.dat in memory, which is the open-source injector DonutLoader. Sophos had previously spotted Donut in 2024 attacks targeting government organizations in Southeast Asia.
In this campaign, Donut deploys the final Beagle backdoor directly into system memory to evade detection. The backdoor communicates with its command-and-control (C2) server at ‘license[.]claude-pro[.]com’ using TCP on port 443 or UDP on port 8080, with a hardcoded AES key protecting the traffic. The C2 server is hosted at IP address 8.217.190[.]58, which Malwarebytes researchers say falls within a range associated with Alibaba Cloud.
Further investigation by Sophos uncovered additional Beagle samples submitted to VirusTotal between February and April this year. These samples used the same XOR decryption key but infected machines through different attack chains. These included abusing Microsoft Defender binaries, deploying AdaptixC2 shellcode with a decoy PDF, and impersonating update sites from security vendors like CrowdStrike, SentinelOne, and Trellix.
While Sophos could not confidently attribute the campaign to a specific threat actor, the researchers suggest that the same operators behind PlugX may be experimenting with a new payload. To protect against this threat, users should only download Claude from the official website and avoid or hide sponsored search results. The presence of NOVupdate files on a system is a strong indicator of compromise.
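As an added example (not code from Sophos, Malwarebytes or BleepingComputer), the following Python script sweeps a Startup folder listing and a few log lines for the file and network indicators named in this article. The directory listing and log lines are constructed sample input, and the "triad" heuristic (an .exe beside a matching .exe.dat and a .dll) is an assumption that generalises the sideloading pattern described above rather than something the report states.

```python
import re

# File indicators named in the report; Windows filenames are case-insensitive.
FILE_IOCS = {"novupdate.exe", "novupdate.exe.dat", "avk.dll"}
# Network indicators from the report, with the defanging brackets removed.
DOMAIN_IOCS = {"claude-pro.com", "license.claude-pro.com"}
IP_IOCS = {"8.217.190.58"}

# Constructed sample input (not real telemetry): one Startup folder listing
# and three log lines, the last of which is benign.
SAMPLE_STARTUP_ENTRIES = ["desktop.ini", "NOVupdate.exe", "NOVupdate.exe.dat", "avk.dll"]
SAMPLE_LOG_LINES = [
    "10:14:07 dns query A license.claude-pro.com from 10.0.0.21",
    "10:14:08 tcp 10.0.0.21:51120 -> 8.217.190.58:443 SYN",
    "10:15:00 dns query A updates.example.test from 10.0.0.21",
]


def scan_startup(entries):
    """Return (exact_hits, sideload_triads) for one Startup folder listing.

    exact_hits: filenames matching the reported indicators.
    sideload_triads: every <name>.exe that sits beside <name>.exe.dat and at
    least one .dll. This heuristic is an assumption, not from the report: it
    generalises the signed-updater + encrypted .dat + DLL pattern described
    above so that renamed variants are still flagged for review.
    """
    names = {e.lower() for e in entries}
    exact = sorted(n for n in names if n in FILE_IOCS)
    has_dll = any(n.endswith(".dll") for n in names)
    triads = sorted(n for n in names
                    if n.endswith(".exe") and n + ".dat" in names and has_dll)
    return exact, triads


def scan_network(lines):
    """Return the log lines that reference the C2 domain, a subdomain of it,
    or the C2 IP address. Tokens stop at ':' so '8.217.190.58:443' yields
    the bare IP."""
    def is_c2(token):
        t = token.lower().rstrip(".")
        return (t in IP_IOCS or t in DOMAIN_IOCS
                or any(t.endswith("." + d) for d in DOMAIN_IOCS))
    return [ln for ln in lines if any(is_c2(tok) for tok in re.findall(r"[\w.-]+", ln))]


if __name__ == "__main__":
    exact, triads = scan_startup(SAMPLE_STARTUP_ENTRIES)
    print("exact IoC hits:", exact)    # ['avk.dll', 'novupdate.exe', 'novupdate.exe.dat']
    print("sideload triads:", triads)  # ['novupdate.exe']
    for line in scan_network(SAMPLE_LOG_LINES):
        print("C2 contact:", line)
```

On a real host, replace SAMPLE_STARTUP_ENTRIES with an os.listdir() of each user's Startup folder and feed DNS or proxy logs to scan_network; a triad hit without an exact-name match is a lead to verify, not proof of compromise.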
(Source: BleepingComputer)