Fake Claude AI Site Spreads New “Beagle” Backdoor via Sophisticated Sideloading

As public interest in artificial intelligence continues to peak in 2026, cybercriminals are shifting their lures to match. Sophos X-Ops researchers have uncovered a highly sophisticated malvertising campaign that uses a convincing clone of Anthropic’s Claude AI website to distribute a brand-new malware strain.

The campaign, which mirrors the complex techniques typically reserved for state-sponsored espionage, utilizes a “PlugX-style” infection chain to deploy a previously undocumented backdoor dubbed “Beagle.”


The Lure: Malvertising and SEO Poisoning

The attack begins with a search. Threat actors use SEO poisoning and paid search engine advertisements to place a malicious domain—claude-pro[.]com—at the top of search results.

The site is a near-perfect visual replica of the official Anthropic page, offering a high-performance download called “Claude-Pro Relay.” In reality, this 500MB ZIP archive contains a malicious Windows installer (Claude.msi) designed to grant attackers persistent, remote access to the victim’s machine.


The Technical Chain: Abusing Trusted Software

What makes this campaign particularly dangerous is its use of DLL sideloading, a technique that tricks legitimate software into running malicious code.

  1. The Host: The installer drops NOVupdate.exe, a legitimate, digitally signed updater from G DATA Antivirus.
  2. The Swap: It also drops a malicious file named avk.dll. In a clean environment, the G DATA updater requires a real version of this file; here, it is tricked into loading the attacker’s version.
  3. The Decryption: Once loaded, avk.dll uses a hardcoded XOR key to decrypt a hidden data file (NOVupdate.exe.dat).
  4. In-Memory Execution: The decrypted content is DonutLoader shellcode, which runs entirely in memory and never touches the disk, so traditional antivirus tools that scan files on disk do not see it.

The “Beagle” Backdoor and C2 Infrastructure

The final payload of this chain is the Beagle backdoor. Unlike the older PlugX malware it mimics in structure, Beagle is a fresh, modern threat.

Once active, Beagle establishes an encrypted connection to a command-and-control (C2) server at license[.]claude-pro[.]com. It uses a hardcoded AES key (beagle_default_secret_key_12345!) to secure its communications.

Attacker Capabilities with Beagle:

  • File Management: Uploading and downloading sensitive documents.
  • Remote Execution: Running arbitrary commands via the Windows command prompt.
  • Directory Control: Creating, deleting, or modifying folders to hide further malicious tools.

Indicators of Compromise (IoCs)

Security teams should monitor for the following markers within their networks:

Type        Indicator                    Description
Domain      claude-pro[.]com             Fake Claude website
Domain      license[.]claude-pro[.]com   Beagle C2 server
File name   NOVupdate.exe                Legitimate G DATA host (misused)
File name   avk.dll                      Malicious sideloaded DLL
File name   NOVupdate.exe.dat            Encrypted DonutLoader payload
IP address  8.217.190.58                 Associated with Beagle C2

How to Stay Protected

This campaign serves as a reminder that “sponsored” results on search engines are not always safe. To protect your organization:

  • Official Sources Only: Only download AI tools directly from official domains (e.g., anthropic.com or chatgpt.com).
  • Check Startup Folders: Inspect shell:startup for unusual files like NOVupdate.exe or avk.dll.
  • Endpoint Monitoring: Use EDR (Endpoint Detection and Response) tools that can detect DLL Sideloading and suspicious in-memory shellcode execution.
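As an added example, not code from Sophos X-Ops or from this article, the following Python hunt applies the indicators above to a constructed endpoint file inventory and proxy log: it flags any directory where the signed updater sits beside avk.dll, marks copies under a user profile or Startup folder as the suspicious pattern, and matches proxy destinations against the C2 domains and IP. The "GDATA-hypothetical" install path, the hostname ws-042 and the timestamps are assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Files of the sideloading chain: signed G DATA updater, malicious DLL, encrypted payload.
TRIAD = {"novupdate.exe", "avk.dll", "novupdate.exe.dat"}
C2_DOMAINS = {"claude-pro.com", "license.claude-pro.com"}
C2_IPS = {"8.217.190.58"}

# Constructed endpoint file inventory; the Program Files path is a hypothetical vendor dir.
SAMPLE_FILES = [
    r"C:\Program Files\GDATA-hypothetical\NOVupdate.exe",
    r"C:\Program Files\GDATA-hypothetical\avk.dll",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOVupdate.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avk.dll",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOVupdate.exe.dat",
]
# Constructed proxy log, "<time> <host> <method> <destination>"; one entry is still defanged.
SAMPLE_PROXY_LOG = [
    "2026-03-01T09:58:12Z ws-042 GET www.anthropic.com",
    "2026-03-01T09:59:40Z ws-042 GET claude-pro[.]com",
    "2026-03-01T10:03:07Z ws-042 CONNECT license.claude-pro.com",
    "2026-03-01T10:03:09Z ws-042 CONNECT 8.217.190.58",
]

def refang(value):
    """Normalise a defanged indicator such as claude-pro[.]com so it matches live log data."""
    return value.strip().lower().replace("[.]", ".")

def find_sideload_dirs(paths):
    """Flag directories holding both NOVupdate.exe and avk.dll; a copy under a user profile
    or Startup folder (user_writable=True) is the pattern the write-up describes."""
    by_dir = defaultdict(set)
    for wp in map(PureWindowsPath, paths):
        by_dir[str(wp.parent).lower()].add(wp.name.lower())
    hits = {}
    for directory, names in by_dir.items():
        found = names & TRIAD
        if {"novupdate.exe", "avk.dll"} <= found:
            suspicious = "\\users\\" in directory or "startup" in directory
            hits[directory] = {"files": sorted(found), "user_writable": suspicious}
    return hits

def match_c2(log_lines):
    """Return (line_no, destination) for log lines whose destination is a Beagle C2 marker."""
    dests = ((n, refang(line.split()[-1])) for n, line in enumerate(log_lines, 1))
    return [(n, d) for n, d in dests if d in C2_DOMAINS or d in C2_IPS]

if __name__ == "__main__":
    for d, info in find_sideload_dirs(SAMPLE_FILES).items():
        print(("SUSPICIOUS" if info["user_writable"] else "expected  "), d, info["files"])
    print(match_c2(SAMPLE_PROXY_LOG))
```

On a real host, feed `find_sideload_dirs` the output of an EDR file inventory or a recursive listing of shell:startup and user profile directories, and `match_c2` your proxy or DNS logs.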
