Hackers Use Fake Claude AI Download to Deploy New Beagle Malware on Windows

Fake Claude AI installer silently deploys the new Beagle backdoor

A fake Claude AI website is being used to spread a previously undocumented Windows backdoor called Beagle. The campaign impersonates Claude through a malicious claude-pro[.]com domain and promotes a bogus “Claude-Pro Relay” download aimed at developers.

As Bleeping Computer writes, the fake site advertises the tool as software for “Claude-Code,” but the download installs malware in the background. The 505MB ZIP file, named Claude-Pro-windows-x64.zip, includes an MSI installer that appears to work normally while deploying the backdoor silently.

The fake Claude installer hides malware in the background

Once installed, the malware drops several files into the Windows Startup folder, including NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. This allows the malware to maintain persistence after reboot.

The attack also abuses a signed G Data updater to sideload the malicious DLL. This technique helps the malware run under the cover of a trusted binary and makes detection harder for security tools.

Beagle uses in-memory execution to avoid detection

The infection chain starts with DonutLoader, an in-memory injector used to launch the next-stage payload without writing it directly to disk. The final payload is Beagle, a new Windows backdoor with a limited but dangerous command set.

Beagle can execute CMD and PowerShell commands, upload and download files, list directories, create folders, rename files, delete directories, and maintain remote access to an infected system.

The malware also uses encrypted payloads, encrypted command-and-control traffic, anti-analysis checks, and anti-VM protections. These features suggest the operators designed the campaign to avoid researchers and automated sandboxes.

The campaign shows links to PlugX-style activity

Although attribution has not been confirmed, the tradecraft overlaps with PlugX-linked campaigns. Researchers also found related samples from February through April that use the same decryption key.

The wider campaign appears to test different lures, including fake updates for CrowdStrike, SentinelOne, Trellix, and Microsoft Defender. Some related attacks also used decoy PDFs and shellcode loaders.

The fake Claude malware communicates with license[.]claude-pro[.]com over TCP 443 and/or UDP 8080. The traffic is AES-encrypted, while the infrastructure is tied to an Alibaba Cloud IP range.

Users should avoid unofficial AI tool downloads

This is not the first time attackers have abused interest in Claude to spread malware. Last month, threat actors used a Claude Code leak as a lure to distribute malware through GitHub.

Users should download AI tools only from official websites and avoid sponsored search results for installers. Security teams should also monitor Startup folders for NOVupdate-related files and investigate suspicious outbound traffic to the fake Claude domain.
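A starting point for the two checks recommended above, written here as an added PowerShell hunting script that is not from the article or the researchers it cites: it walks every Startup folder for the Beagle filenames the report names, flags any unsigned DLL sitting in Startup (the sideloading tell-tale), and looks for resolver-cache and socket traces of the fake domain. Only the filenames and the domain come from the report; the function names, output columns and the assumption that the persistence process is named NOVupdate are my own.

```powershell
# Added hunting script (not from the article or the researchers). Indicator
# names are the report's; function names, output layout and the process-name
# assumption for the socket check are mine.

$Indicators = @('NOVupdate.exe', 'NOVupdate.exe.dat', 'avk.dll')
$FakeDomain = 'claude-pro.com'   # the report's defanged claude-pro[.]com, unbracketed

function Get-StartupFolders {
    # Per-user Startup for every local profile plus the all-users Startup folder.
    $perUser = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    $common = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
    @($perUser; $common) | Where-Object { $_ -and (Test-Path $_) }
}

function Find-BeagleStartupArtifacts {
    foreach ($folder in Get-StartupFolders) {
        foreach ($file in Get-ChildItem $folder -File -ErrorAction SilentlyContinue) {
            $named = $Indicators -contains $file.Name
            # Sideload tell-tale: an unsigned DLL placed beside a signed EXE in Startup.
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            $unsignedDll = ($file.Extension -eq '.dll') -and ($sig.Status -ne 'Valid')
            if ($named -or $unsignedDll) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Reason    = if ($named) { 'Filename named in Beagle report' } else { 'Unsigned DLL in Startup' }
                    SigStatus = $sig.Status
                    SHA256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                }
            }
        }
    }
}

function Find-FakeClaudeNetworkTraces {
    # Any cached resolver entry for the fake domain means something on the host looked it up.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$FakeDomain*" -or $_.Data -like "*$FakeDomain*" }
    # Established sockets owned by a process carrying the persistence filename (report: TCP 443).
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.Name -like 'NOVupdate*') {
            [pscustomobject]@{ Process = $proc.Name; PID = $proc.Id; Remote = "$($_.RemoteAddress):$($_.RemotePort)" }
        }
    }
}

Find-BeagleStartupArtifacts | Format-Table Path, Reason, SigStatus -AutoSize
Find-FakeClaudeNetworkTraces | Format-List
```

Run it elevated so every profile's Startup folder and every process's sockets are readable; an empty result from both functions is the expected clean outcome.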

In other security news, CloudZ RAT can steal one-time passwords through Phone Link, while hackers have also used Microsoft Teams in espionage campaigns that are likely state-sponsored.


Readers help support Windows Report. We may get a commission if you buy through our links.
