Fake Claude AI Website Delivers Beagle Backdoor Malware: What IT Teams Must Do Now

Photo by Arian Darvishi on Unsplash

Key Takeaways

• A fraudulent site at claude-pro[.]com distributes a 505MB trojanized installer that silently deploys the Beagle backdoor while launching a fully functional Claude interface to avoid suspicion.
• The attack uses DLL sideloading (a technique that tricks trusted Windows executables into loading malicious code) tied to the PlugX espionage malware family, active since at least 2008.
• The final Beagle payload runs entirely in memory using DonutLoader, making it nearly invisible to conventional antivirus software.
• AI-branded malware lures are among the fastest-growing delivery vectors in 2026, with attackers cycling through more than 25 software brands in a single campaign.

What Happened

Security researchers at Malwarebytes first uncovered, and Sophos subsequently analyzed in depth, a sophisticated attack campaign built around a fake Claude AI website. The fraudulent site, hosted at claude-pro[.]com, impersonates Anthropic's legitimate Claude AI platform and offers a malicious 505MB archive named Claude-Pro-windows-x64.zip. The download is pitched as a "high-performance relay service for Claude-Code developers," deliberately targeting software engineers who work with the real Claude Code tool daily.

When a victim runs the MSI installer, three files are silently dropped into the Windows Startup folder: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. This three-component combination is a classic DLL sideloading triad characteristic of the PlugX malware family, a toolkit that has been tracked in state-sponsored espionage campaigns since at least 2008. The installer deposits these files at C:\Program Files (x86)\Anthropic\Claude\Cluade\ — note the deliberate misspelling "Cluade" — closely mimicking the folder structure of a genuine Anthropic installation, even referencing Squirrel, the real update framework used by the legitimate Electron-based Claude desktop app. From the user's perspective, Malwarebytes analysts confirmed the trojanized installer "works as expected," fully launching a functional Claude interface while the malware chain runs invisibly in the background, a social-engineering trick designed to delay victim suspicion indefinitely.

The second-stage component is DonutLoader, an open-source in-memory injector previously identified in 2024 attacks targeting government organizations in Southeast Asia. DonutLoader decrypts and executes the final Beagle backdoor entirely in memory, leaving no payload file on disk for standard scanners to find. Beagle communicates with its command-and-control (C2) server at license[.]claude-pro[.]com via TCP port 443 and UDP port 8080, encrypting traffic with a hardcoded AES key. The C2 IP address, 8.217.190.58, is associated with Alibaba Cloud infrastructure. Sophos researchers also found additional Beagle samples submitted to VirusTotal between February and April 2026 that share the same XOR decryption key (a simple cipher that scrambles data using a repeated numeric pattern), strongly suggesting the campaign has been active and expanding for months.

Photo by Zulfugar Karimov on Unsplash

Why It Matters for Your Organization's Security

This attack is not a one-off — it is a glimpse into a highly industrialized threat ecosystem. Threat intelligence compiled in 2026 reveals that actors running AI-themed lure campaigns have cycled through more than 25 distinct software brands, producing 38 distinct compressed archives across 22 unique payload variants. This level of systematic rotation is designed specifically to outpace blocklists, burn through detection signatures, and keep security teams perpetually reactive rather than proactive.

The scale of the broader malware landscape adds important context for data protection planning. As of early 2026, the total number of distinct malware programs in circulation has surpassed 1.3 billion, with AI-branded lures representing one of the fastest-growing delivery vectors. When attackers weaponize a trusted brand like Claude — used by millions of developers and business professionals — the potential victim pool spans virtually every industry sector.

What makes this campaign especially dangerous from a cybersecurity best practices standpoint is its multi-layered deception. Sophos researchers describe Beagle as "a relatively simple backdoor" with a limited command set, but emphasize that its use of in-memory execution via DonutLoader and hardcoded AES encryption makes it "notably evasive against conventional endpoint detection." In practical terms, your standard antivirus solution may report a clean machine while an attacker maintains persistent, encrypted access over a port that blends in with everyday HTTPS web traffic.

The social engineering dimension compounds the risk enormously for small and mid-sized organizations. Because the installer delivers a working Claude interface, an employee who downloads the fake software has no obvious trigger to raise a security alert. By the time IT discovers the infection through network anomalies or a periodic audit, threat actors may have had days or weeks of unrestricted access to internal systems, credentials, and sensitive data. This is precisely why a well-rehearsed incident response plan — predefined, documented steps your team executes the moment a compromise is suspected — is not a luxury but a baseline requirement for any organization whose employees download software from the internet.

The misspelled installation path (Cluade instead of Claude) is a concrete, detectable red flag — but only for teams actively looking for it. Strong cybersecurity best practices, including enforced download policies, DNS filtering, and regular endpoint audits, remain your most reliable first line of defense. Equally important is cultivating security awareness across your workforce: a developer who knows to verify the official Anthropic domain (claude.ai) before installing any Claude-branded utility can break this entire attack chain before it begins.

Photo by Jo Lin on Unsplash

The AI Angle

Building on the social engineering tactics described above, it is worth noting that the timing of AI-themed attacks is never accidental. Trend Micro researchers documented that "within 24 hours of the attention around the Claude Code source leak, threat actors distributed Vidar stealer and GhostSocks proxy malware through fake leaked Claude Code GitHub repositories." Attackers monitor AI news cycles in real time and deploy lures within hours of major announcements, exploiting the brief window when developer curiosity is at its peak and security awareness may be at its lowest.

Ironically, AI is both the bait and a critical component of the defense. Security platforms like Sophos Intercept X and CrowdStrike Falcon use behavioral AI engines to flag anomalous process behavior — such as a freshly installed application immediately sideloading DLLs from the Windows Startup folder — even before a malware signature exists. Threat intelligence feeds from providers like Recorded Future or Microsoft Sentinel can surface newly registered lookalike domains such as claude-pro[.]com before your employees ever encounter them. Deploying AI-driven EDR (Endpoint Detection and Response) tools capable of detecting fileless malware (malware that executes entirely in RAM and writes nothing to disk) raises the cost and complexity of attacks like this significantly, and should be a cornerstone of any modern data protection strategy.

What Should You Do? 3 Action Steps

1. Lock Down Software Download Sources and Block Known Indicators

Establish and enforce a written policy requiring that all AI development tools be downloaded exclusively from official vendor domains — for Claude, that means claude.ai or Anthropic's verified GitHub repository only. Use a DNS filtering solution such as Cisco Umbrella or Cloudflare Gateway to automatically block access to newly registered lookalike domains. Add claude-pro[.]com and its subdomain license[.]claude-pro[.]com to your blocklists immediately, and block the C2 IP address 8.217.190.58 at your perimeter firewall. These are foundational cybersecurity best practices that cost little to implement and stop this specific campaign cold.

2. Deploy Behavioral Endpoint Detection for Fileless Threats

Standard signature-based antivirus will not catch Beagle because it never writes a payload file to disk. Upgrade or supplement your endpoint protection with a modern EDR platform that monitors behavioral indicators — specifically DLL sideloading events originating from Startup folders, and in-memory shellcode injection patterns consistent with DonutLoader. As part of your incident response readiness, audit the Windows Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) across your entire device fleet for unexpected executables and DLL files, and establish a clean baseline so future anomalies are immediately visible.

3. Run Targeted Security Awareness Training on AI-Branded Lures

Brief your development, IT, and operations teams specifically on AI-branded malware campaigns. Key training points: always verify the exact URL before downloading any AI tool ("claude-pro" versus "claude.ai" is a clear giveaway); treat unsolicited offers of "relay services" or "developer utilities" for popular AI platforms as high-risk; report any installer that requests elevated administrator permissions unexpectedly. Reinforce this training with a threat intelligence subscription that surfaces active AI-lure campaigns targeting your industry, and schedule a quarterly tabletop exercise to validate your incident response procedures against scenarios like this one. Security awareness is the last line of defense when every technical control has been bypassed.

Frequently Asked Questions

How can I tell if I accidentally downloaded the fake Claude AI installer from claude-pro[.]com?

Check your file system for the directory path C:\Program Files (x86)\Anthropic\Claude\Cluade\ — the misspelling "Cluade" (not "Claude") is a definitive forensic indicator of the malicious installer. Also inspect your Windows Startup folder for three files: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. If you find any of these, disconnect the machine from the network immediately and initiate your incident response process. Do not simply delete the files and move on — a proper forensic review is required to determine whether Beagle established persistence or exfiltrated data, and to assess your data protection obligations under applicable regulations.

What makes the Beagle backdoor malware so difficult to detect with standard antivirus tools?

Beagle is delivered via DonutLoader, an in-memory injector that decrypts and executes the final payload entirely within RAM, never writing it to disk. Because traditional antivirus tools primarily scan files stored on the hard drive, they find nothing to flag. Once active, Beagle's network traffic is encrypted with a hardcoded AES key and transmitted over TCP port 443 — the same port used by normal HTTPS web browsing — causing it to blend seamlessly with legitimate traffic. Additionally, Sophos researchers found samples from February through April 2026 sharing the same XOR decryption key, confirming an ongoing, consistent operation. Detecting this threat requires behavioral monitoring capabilities, which is why EDR solutions and advanced threat intelligence are essential components of a modern security stack.

How do cybercriminals use fake AI software websites to spread malware and how widespread is this tactic in 2026?

Attackers register domain names that closely mimic legitimate AI platforms — such as claude-pro[.]com mimicking claude.ai — then promote fake downloads through search engine ads, developer forums, social media, and direct phishing messages. Threat intelligence tracking in 2026 shows that campaigns of this type have cycled through more than 25 distinct software brands, generating 38 distinct compressed archives and 22 unique payload variants in a single coordinated operation. AI-branded lures are now among the fastest-growing malware delivery vectors, leveraging the high trust developers place in tools like Claude, GitHub Copilot, and ChatGPT. With the total number of distinct malware programs in circulation exceeding 1.3 billion, the barrier to launching a convincing AI-themed lure campaign has never been lower for threat actors.

What incident response steps should a small business take if an employee installs malware disguised as an AI developer tool?

Move quickly and methodically: (1) Isolate the affected device immediately by disconnecting it from all networks — wired, Wi-Fi, and VPN — to halt any active data exfiltration. (2) Preserve evidence by imaging the disk before remediation, as forensic data may be required for legal, regulatory, or insurance purposes. (3) Reset credentials for every account the user accessed on that machine, prioritizing cloud services, code repositories, email, and administrative systems. (4) Review your network and firewall logs for outbound connections to 8.217.190.58 or unusual DNS queries involving claude-pro[.]com and its subdomains. (5) Assess your data protection obligations — depending on your jurisdiction and the nature of any accessed data, breach notification may be legally required. (6) Conduct a post-incident security awareness debrief with the affected employee and broader team to prevent recurrence.

What cybersecurity best practices protect software developers from AI-branded malware lure campaigns?

A layered defense combining technical controls with strong security awareness is most effective. Always download AI developer tools directly from the official vendor website — for Claude, that is claude.ai or Anthropic's verified GitHub. Enable DNS filtering to automatically block lookalike domains before employees can visit them. Require multi-factor authentication (MFA) on all developer accounts so that stolen credentials cannot be immediately reused by attackers who gain backdoor access. Deploy an EDR solution with behavioral detection to catch fileless malware that bypasses signature-based tools. Subscribe to a threat intelligence service that tracks active AI-lure campaigns and provides fresh indicators of compromise (IOCs) — specific file hashes, IP addresses, and domain names associated with known attacks — so your defenses stay current. Finally, test your incident response plan at least twice per year with realistic AI-themed attack scenarios, because practiced procedures save critical time when a real incident occurs.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.