
Fake Claude Campaign Employs PlugX-Style DLL Sideloading Chain


Emerging Threat: Hackers Exploit Fake AI Download Site to Deploy Beagle Backdoor

Recent investigations by Sophos X-Ops reveal that a counterfeit Claude AI download website is being used to deliver a DLL sideloading chain modelled on the long-running PlugX technique. The site impersonates Anthropic's Claude platform, and the chain's final payload is a newly identified backdoor the researchers call "Beagle."

The operation combines malvertising, a trojanized installer, and abuse of signed components from legitimate security software, so that the malicious code runs under a trusted-looking parent process while the attackers gain remote control of infected systems. The newly registered website, claude-pro[.]com, copies the look of Anthropic's authentic Claude site but offers only a few basic links and a prominent download button for a fictitious tool named "Claude-Pro Relay."

Victims reach the site mainly through malicious advertisements and search-engine poisoning, the same delivery method seen in a growing number of AI-themed malware campaigns that lure users into downloading trojanized software. Sophos X-Ops has been investigating reports about the fake site.

The download offered by the site is an oversized Windows archive, Claude-Pro-windows-x64.zip (about 505 MB), containing an MSI installer named Claude.msi. When run, the installer drops three files into the user's Startup folder: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. Placing them there means the chain re-executes at every logon without any further persistence mechanism. NOVupdate.exe is a legitimate, signed updater component from G DATA antivirus products that loads avk.dll from its own directory; the attackers abuse that load order by placing a malicious avk.dll next to the copied executable, the DLL sideloading technique long associated with PlugX and other advanced malware families.

When NOVupdate.exe runs, it loads the malicious avk.dll, which reads NOVupdate.exe.dat, decrypts it with a hard-coded key, and executes the resulting shellcode in memory. The triad of signed executable, lookalike DLL and encrypted payload file mirrors earlier PlugX operations.

The decrypted shellcode is DonutLoader, an open-source in-memory loader that injects .NET assemblies and native Portable Executable (PE) payloads without writing further files to disk. In this campaign, DonutLoader deploys the previously undocumented Beagle backdoor.

Beagle supports a set of commands that let the operators uninstall the implant, execute arbitrary commands, upload and download files, and manipulate files and directories. It communicates with its command-and-control (C2) server at license[.]claude-pro[.]com over both TCP port 443 and UDP port 8080. Traffic is AES-encrypted with hard-coded keys and a fresh initialization vector for each packet. That design hides command content from casual inspection, but because the keys ship inside the sample, an analyst who extracts them can decrypt captured traffic; the per-packet IV only stops identical messages from producing identical ciphertext.

Sophos researchers also mapped infrastructure around the site. claude-pro[.]com is fronted by Cloudflare, yet the researchers were able to identify the IP address of the origin server behind it, an operational-security lapse on the threat actor's part. Pivoting from that infrastructure led to a second IP address hosting an otherwise unrelated website, vertextrust-advisors[.]com, which presents itself as a legal advisory service but has no evident legitimate purpose and may belong to the same group.

Sophos has additionally identified several malware samples on VirusTotal that reuse the same XOR key and the same DLL sideloading pattern. That reuse points to a single operation that keeps its loader chain stable while swapping the final payload and the lure to fit different pretexts. For defenders it is good news: the key and the loader structure remain usable indicators even when the backdoor and the themed website change.
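The sample clustering above is the practical reason key reuse matters: once the key has been recovered from one sample, every sibling .dat file that shares it can be decrypted without reversing a second copy of avk.dll. The following is an added example, not Sophos's tooling or any code from the campaign. It assumes the .dat protection is a plain repeating-key XOR, as the reference to a shared XOR key suggests; the 8-byte key, the two plaintext buffers and the known-plaintext prefix are constructed for the demo and are not real indicators.

```python
"""Repeating-key XOR triage for an encrypted sidecar payload (.dat) file.

Added example, not Sophos's tooling. The key, the two plaintext buffers and the
known-plaintext prefix are constructed for the demo; real samples differ.
"""
import math
from collections import Counter
from typing import Optional


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the operation is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes.
    A quick first check that a .dat file is encrypted rather than plain data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def recover_key(ciphertext: bytes, known_plaintext: bytes, max_key_len: int = 64) -> Optional[bytes]:
    """Derive a repeating XOR key from a known-plaintext prefix.

    ciphertext XOR plaintext yields the keystream; the key is its shortest period.
    At least two full periods of known plaintext are required before a period is
    trusted, so an overly short prefix returns None instead of a spurious key."""
    n = min(len(ciphertext), len(known_plaintext))
    keystream = bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))
    for k in range(1, min(max_key_len, n // 2) + 1):
        candidate = keystream[:k]
        if all(keystream[i] == candidate[i % k] for i in range(n)):
            return candidate
    return None


# Constructed demo material: one 8-byte key shared by two "samples", as the
# VirusTotal clustering describes, plus stand-in payload bytes (not real shellcode).
DEMO_KEY = bytes.fromhex("1337deadbeef4299")
SAMPLE1_PLAIN = bytes(range(0x40, 0x80))
SAMPLE2_PLAIN = bytes(range(0x80, 0xC0))
SAMPLE1_DAT = xor_repeating(SAMPLE1_PLAIN, DEMO_KEY)   # what an analyst carves from disk
SAMPLE2_DAT = xor_repeating(SAMPLE2_PLAIN, DEMO_KEY)   # a sibling sample using the same key


def decrypt_sibling_sample(known_dat: bytes, known_prefix: bytes, new_dat: bytes) -> Optional[bytes]:
    """Recover the key from one analysed sample and apply it to a sibling .dat.
    Returns None when the known prefix is too short to pin down the key length."""
    key = recover_key(known_dat, known_prefix)
    if key is None:
        return None
    return xor_repeating(new_dat, key)


if __name__ == "__main__":
    key = recover_key(SAMPLE1_DAT, SAMPLE1_PLAIN[:32])
    print("recovered key:", key.hex() if key else None)
    out = decrypt_sibling_sample(SAMPLE1_DAT, SAMPLE1_PLAIN[:32], SAMPLE2_DAT)
    print("sibling sample decrypts correctly:", out == SAMPLE2_PLAIN)
    print("entropy of sample .dat: %.2f bits/byte" % shannon_entropy(SAMPLE1_DAT))
```

The known plaintext in practice comes from the first sample you have already decrypted by reversing its avk.dll; the period check in recover_key is what stops a too-short prefix from returning a key that merely happens to fit the bytes you fed it.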

Organizations should treat downloads of AI tools from unofficial or third-party sites as high-risk and direct users to obtain software only from the vendor's official domains. Security teams should hunt for signed G DATA executables, NOVupdate.exe in particular, executing from user-writable locations such as the Startup folder or loading DLLs from outside the vendor's install directory, and for encrypted outbound traffic on TCP 443 and UDP 8080 consistent with Beagle's C2. Filtering sponsored search results and tightening ad-blocking policy on endpoints further reduces exposure to malvertising-driven campaigns of this kind.
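The hunting advice above translates into two checks on image-load telemetry: a watch-listed vendor binary running from a user-writable directory, and a DLL resolved from that same directory without the vendor's signature. The following is an added example, not Sophos's detection content, run over constructed Sysmon Event ID 7 (Image loaded) records rather than real telemetry. The NOVupdate.exe entry in the watchlist comes from the campaign description; the expected signer substring, the sample paths and the signer strings in the log are assumptions for the demo.

```python
"""Sysmon Event ID 7 (Image loaded) triage for DLL sideloading from user-writable paths.

Added example, not Sophos's detection content. The log records are constructed;
the expected-signer mapping and signer strings are assumptions for the demo.
"""
import json
import ntpath
from typing import Dict, List

# Vendor binaries known to load a DLL from their own directory, mapped to a substring
# expected in that DLL's signer. The NOVupdate.exe entry is from the campaign write-up;
# the signer text is an assumption, not a verified certificate subject.
SIDELOAD_WATCHLIST = {"novupdate.exe": "g data"}

# Directory fragments an unprivileged user can write to. Matching is done on lowercase
# backslash paths, so a Startup-folder hit matches on "\\appdata\\" as well as "\\startup\\".
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\startup\\", "\\users\\public\\")


def _norm(path: str) -> str:
    """Lower-case a Windows path and use backslashes so string checks are case-insensitive."""
    return path.replace("/", "\\").lower()


def is_user_writable(directory: str) -> bool:
    d = _norm(directory).rstrip("\\") + "\\"
    return any(marker in d for marker in USER_WRITABLE_MARKERS)


def triage_image_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons a Sysmon Event ID 7 record looks like sideloading; empty if clean."""
    image = _norm(str(event.get("Image", "")))
    loaded = _norm(str(event.get("ImageLoaded", "")))
    if not image or not loaded:
        return []
    image_dir, image_name = ntpath.split(image)
    loaded_dir, loaded_name = ntpath.split(loaded)
    signed = str(event.get("Signed", "")).lower() == "true"      # fields describe ImageLoaded
    signer = str(event.get("Signature", "")).lower()
    expected_signer = SIDELOAD_WATCHLIST.get(image_name)
    reasons: List[str] = []

    # Rule 1: a watch-listed vendor binary belongs in its install directory, not in a
    # user-writable path such as the Startup folder.
    if expected_signer and is_user_writable(image_dir):
        reasons.append(f"{image_name} executing from user-writable path {image_dir}")

    # Rule 2: a DLL resolved from the executable's own user-writable directory that is
    # unsigned, or signed by someone other than the expected vendor, is the sideload itself.
    if loaded_dir == image_dir and is_user_writable(loaded_dir) and loaded_name.endswith(".dll"):
        if not signed or (expected_signer and expected_signer not in signer):
            reasons.append(
                f"{loaded_name} loaded from the executable's own directory without a "
                f"valid {expected_signer or 'trusted'} signature"
            )
    return reasons


def scan_log(lines) -> List[Dict[str, object]]:
    """Run triage over JSON-lines Sysmon records and return one alert per flagged record."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if int(event.get("EventID", 0)) != 7:
            continue
        reasons = triage_image_load(event)
        if reasons:
            alerts.append({
                "ProcessId": event.get("ProcessId"),
                "Image": event.get("Image"),
                "ImageLoaded": event.get("ImageLoaded"),
                "reasons": reasons,
            })
    return alerts


# Constructed sample records (not real telemetry): a normal G DATA install, the Startup
# folder copy described in the article, and an unrelated benign load for contrast.
SAMPLE_LOG = r"""
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Program Files (x86)\\G DATA\\AntiVirus\\NOVupdate.exe", "ImageLoaded": "C:\\Program Files (x86)\\G DATA\\AntiVirus\\avk.dll", "Signed": "true", "Signature": "G DATA CyberDefense AG"}
{"EventID": 7, "ProcessId": 5332, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NOVupdate.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\avk.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "ProcessId": 2210, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows"}
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert["Image"], "->", alert["ImageLoaded"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

Rule 1 fires on every load performed by the relocated updater, which is intentionally noisy: the process should never run from there at all. Rule 2 is the one that generalizes beyond this campaign, since any signed binary loading an unsigned DLL from its own user-writable directory is worth a look regardless of the vendor.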

In a digital landscape increasingly characterized by complex cyber threats, staying informed and vigilant is imperative for all users and organizations alike.

