Cybercriminals have launched a fake Claude AI website to distribute a new Windows malware called Beagle. Visitors are offered a download of a supposedly official "Claude-Pro Relay" tool, which silently installs a remote access backdoor on their computers.
The new Windows backdoor, named Beagle, is delivered from a fake Claude AI website. When visitors arrive at the site, it tells them that an update is available for "Claude-Pro Relay," presented as an official product. Instead of an update, a malicious program is downloaded onto the user's system, giving the cybercriminals remote control of the computer.
The fake site advertises the relay service as a high-performance tool built with developers in mind, claims it was made to help Claude Code developers, and presents it as developed by Claude AI. However, as researchers at Sophos note, although the page mimics the layout of the real Claude AI website (colors, fonts and so on), the imitation quickly falls apart on closer inspection: for example, almost all of the buttons and links on the fake site simply lead back to the home page.

Victims of this fraud land on the "claude-pro[.]com" domain without noticing that the address differs from the real Claude site. Once there, the only working control is the large download button. Clicking it delivers a ZIP archive named "Claude-Pro-windows-x64.zip" (approximately 505 MB) that contains an MSI installer.
Sophos says that when users run the installer, three files ("NOVupdate.exe", "NOVupdate.exe.dat" and "avk.dll") are written to the victim's computer, placed in the user's Windows Startup folder.
Malwarebytes first noticed the campaign and found that the "pro" version of Claude is a trojanized build of the original Claude application: it appears to work normally, but it installs the PlugX malware chain, which gives the attacker remote access to the compromised computer. Sophos later established that the first stage of the infection is Donut Loader, which in turn installs the new Beagle backdoor. Beagle had not been publicly disclosed until now.
Researchers describe Beagle as a relatively simple backdoor with basic functionality. Through it, attackers can delete the malware itself, execute arbitrary commands, upload and download files, create directories, rename files and list directory contents. Sophos also stresses that this Beagle is NOT the old Beagle/Bagle worm that circulated in 2004.
As part of its research, Sophos found that NOVupdate.exe is a legitimately signed updater for G Data products. The attackers abuse this trusted updater as the vector for a DLL side-loading attack: when it runs, it loads the malicious DLL library avk.dll placed alongside it, which is paired with an encrypted file called NOVupdate.exe.dat.
Sophos also noted that this technique, a signed G Data file used to load the DLL and encrypted payload, had previously been seen in conjunction with PlugX activity. avk.dll is responsible for decrypting the payload in NOVupdate.exe.dat and executing it in memory. That payload is Donut Loader, which here serves as an open source memory injector; Sophos documented Donut being used in attacks on Southeast Asian government organizations in 2024.
Donut Loader executes Beagle directly in memory (RAM), which makes the infection harder for antivirus software to detect.
Beagle communicates with its C2 servers via the domain "license[.]claude-pro[.]com", over either TCP port 443 or UDP port 8080, and encrypts the traffic with a fixed AES key. Sophos also located the C2 server at IP address 8.217.190[.]58, which belongs to Alibaba Cloud; researchers from Malwarebytes had previously reported the same address.
During its investigation, Sophos also located additional Beagle samples on VirusTotal, submitted between February and April of this year. All of the samples used the same XOR key for decryption, and each represented a separate attack path, including fake Microsoft Defender files, PDF decoys and/or AdaptixC2 shellcode. The attackers also imitated updates from reputable security vendors such as CrowdStrike, SentinelOne and Trellix.
Although Sophos could not attribute the campaign to a particular operator at this time, the researchers suspect it may be individuals associated with PlugX who are testing a new payload. Experts recommend downloading Claude only from the official website and avoiding sponsored search links. Any file named "NOVUPDATE" should be treated as evidence of potential compromise.
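As an added hunting example (not code from the article, Sophos or Malwarebytes), the script below turns the indicators reported above into two defender checks: it looks for the NOVupdate.exe / NOVupdate.exe.dat / avk.dll side-loading triad in a Startup folder, and it flags connection log lines whose destination is the claude-pro[.]com domain or the 8.217.190[.]58 address, marking the TCP 443 / UDP 8080 pattern separately. The log line format, host names, timestamps and the throwaway Startup folder are constructed for the example; only the file names, domain, IP and ports come from the report.

```python
"""Hunt for the Beagle side-loading triad and its C2 indicators (added example).

Indicators are the ones named in the article; everything else (log format, host names,
timestamps, the temporary 'Startup' folder) is constructed for this example.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 'license[.]claude-pro[.]com' into a comparable host name."""
    return indicator.replace("[.]", ".").lower()


# File triad dropped into the Startup folder: signed G Data updater + side-loaded DLL + encrypted payload.
SIDELOAD_TRIAD = {"novupdate.exe", "avk.dll", "novupdate.exe.dat"}

# C2 indicators from the report, kept defanged in source and refanged for matching.
C2_DOMAIN = refang("claude-pro[.]com")      # license.claude-pro.com and any other subdomain
C2_IPS = {refang("8.217.190[.]58")}         # Alibaba Cloud address named in the report
C2_PORTS = {("tcp", 443), ("udp", 8080)}    # reported transport/port pairs


def find_sideload_triad(startup_dir: Path) -> list[str]:
    """Return which of the three dropped files sit in the given Startup folder (case-insensitive).

    Any one of them is suspicious; all three together reproduce the chain described in the article.
    """
    present = {p.name.lower() for p in Path(startup_dir).iterdir() if p.is_file()}
    return sorted(present & SIDELOAD_TRIAD)


# Constructed log format "<timestamp> <host> <proto> <destination>:<port>"; an assumption, not any vendor's format.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proto>tcp|udp)\s+(?P<dst>[^:\s]+):(?P<port>\d+)$", re.I
)


def _is_c2_destination(dst: str) -> bool:
    """True for the C2 IP, the C2 domain itself, or any subdomain of it (but not look-alike suffixes)."""
    dst = dst.lower()
    return dst in C2_IPS or dst == C2_DOMAIN or dst.endswith("." + C2_DOMAIN)


def scan_connection_logs(lines) -> list[dict]:
    """Flag connections to the C2 domain/IP; 'port_match' marks the TCP 443 / UDP 8080 pattern."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or not _is_c2_destination(m["dst"]):
            continue
        proto, port = m["proto"].lower(), int(m["port"])
        hits.append({"host": m["host"], "dst": m["dst"].lower(), "proto": proto,
                     "port": port, "port_match": (proto, port) in C2_PORTS})
    return hits


# Constructed sample lines (not real telemetry): two hits on the reported ports, one benign,
# and one contact with the C2 IP on an unusual port that should still be surfaced.
SAMPLE_LOGS = [
    "10:15:01 WS-17 tcp license.claude-pro.com:443",
    "10:15:02 WS-17 udp 8.217.190.58:8080",
    "10:15:03 WS-17 tcp update.example.com:443",
    "10:16:40 WS-22 tcp 8.217.190.58:22",
]


def demo() -> tuple[list[str], list[dict]]:
    """Build a throwaway 'Startup' folder holding the triad plus a benign shortcut and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp)
        for name in ("NOVupdate.exe", "NOVupdate.exe.dat", "avk.dll", "OneDrive.lnk"):
            (startup / name).write_bytes(b"constructed placeholder, not the real file")
        triad = find_sideload_triad(startup)
    return triad, scan_connection_logs(SAMPLE_LOGS)


if __name__ == "__main__":
    triad, hits = demo()
    print("Startup folder triad present:", triad)
    for h in hits:
        tag = " [matches reported C2 ports]" if h["port_match"] else " [C2 address, unexpected port]"
        print(f"{h['host']} -> {h['dst']}:{h['port']}/{h['proto']}{tag}")
```

On a real host you would point find_sideload_triad at the user's Startup folder and feed scan_connection_logs lines from your own proxy or firewall export after adapting LOG_LINE to that format; the subdomain check deliberately refuses look-alikes such as claude-pro.com.evil.test so the domain indicator does not over-match.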