Fake Website “Claude” Spreads New ‘Beagle’ Windows Malware


The Fake Claude AI Website Delivers New “Beagle” Windows Malware

Sophos researchers have identified a fake version of the Claude AI website that offers a malicious “Claude-Pro” relay service designed for developers who work with Claude code.

How it Works

The fake website mimics the legitimate site, using similar colors and fonts, but its links redirect to the front page. Users who land on claude-pro[.]com without noticing the deception can only interact with a large button.

According to Sophos researchers, “Upon further inspection, Sophos researchers discovered that running the binary downloaded from the fake website results in the addition of three files to the startup folder: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll.”

These files are part of a campaign initially discovered by Malwarebytes, which involves a trojanized copy of Claude that functions normally but deploys a PlugX malware chain in the background. This allows attackers to gain remote access to the system.

What is Beagle?

The first-stage payload is a relatively simple backdoor known as “Beagle.” This backdoor has a limited set of commands, including the ability to uninstall agents, execute commands, upload and download files, create directories, rename files, and list directory contents.

It is essential to note that this Beagle backdoor is distinct from the Delphi-based Beagle/Bagle worm documented in 2004.

NOVupdate.exe and avk.dll

NOVupdate.exe is a signed updater for G Data security solutions that hackers use to sideload the malicious avk.dll and the encrypted NOVupdate.exe.dat file. This method has previously been linked to PlugX activity.

The avk.dll is responsible for decrypting and executing in memory the payload within NOVupdate.exe.dat, which is the open-source in-memory injector DonutLoader.
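As a defender-side illustration of the sideload pattern just described, the following is an added example (not code from Sophos, G Data or this article) that runs a simple detection rule over constructed Sysmon-style image-load records; the field names, paths and signer strings are assumptions for the example, not real telemetry.

```python
import ntpath
import re

# Constructed sample records shaped like Sysmon image-load events; the field names are an
# assumption for this example, and the paths and signer strings are made up, not real telemetry.
STARTUP = r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {   # the chain in the article: a signed updater sideloads avk.dll from the Startup folder
        "image": STARTUP + r"\NOVupdate.exe", "image_signer": "G Data",
        "loaded": STARTUP + r"\avk.dll", "loaded_signer": None,
    },
    {   # benign: the same vendor binary in its install directory loading a system DLL
        "image": r"C:\Program Files\G Data\NOVupdate.exe", "image_signer": "G Data",
        "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signer": "Microsoft Windows",
    },
]
SAMPLE_STARTUP_LISTING = [STARTUP + r"\NOVupdate.exe", STARTUP + r"\NOVupdate.exe.dat",
                          STARTUP + r"\avk.dll", STARTUP + r"\notes.lnk"]

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(Users|ProgramData)\\", re.IGNORECASE)


def sideload_reasons(ev):
    """Return why an image-load record looks like DLL sideloading, or [] if it does not."""
    if ntpath.dirname(ev["image"]).lower() != ntpath.dirname(ev["loaded"]).lower():
        return []  # sideloading needs the DLL to sit beside the host executable
    if not ev.get("image_signer"):
        return []  # unsigned hosts belong to other rules; this one targets abuse of a trusted signer
    reasons = []
    if ev.get("loaded_signer") != ev["image_signer"]:
        reasons.append("signed host loaded a co-located DLL with a different or missing signer")
    if STARTUP_RE.search(ev["image"]):
        reasons.append("host executable runs from a Startup folder")
    elif USER_WRITABLE_RE.match(ev["image"]):
        reasons.append("host executable runs from a user-writable location")
    # a signer mismatch alone is noisy (plugins, third-party hooks); require the location signal too
    return reasons if len(reasons) >= 2 else []


def sideload_alerts(events):
    """Return (host, dll, reasons) for every record that trips the sideload rule."""
    return [(ev["image"], ev["loaded"], r) for ev in events if (r := sideload_reasons(ev))]


def sidecar_dat_files(paths):
    """Flag .exe files in a Startup folder that have a same-named .exe.dat beside them."""
    lowered = {p.lower() for p in paths}
    return sorted(p for p in paths
                  if p.lower().endswith(".exe") and STARTUP_RE.search(p) and p.lower() + ".dat" in lowered)


if __name__ == "__main__":
    print(sideload_alerts(SAMPLE_EVENTS), sidecar_dat_files(SAMPLE_STARTUP_LISTING))
```

Feeding real image-load telemetry into `sideload_reasons` only requires mapping your source's fields onto the four assumed keys; the rule itself does not depend on the sample values.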

DonutLoader

Sophos has spotted Donut before, in attacks targeting government organizations in Southeast Asia in 2024. In this instance, Donut deploys the final payload – the Beagle backdoor – into system memory to evade detection.

The Beagle backdoor communicates with its command-and-control server at license[.]claude-pro[.]com using TCP over port 443 and/or UDP over port 8080, while a hardcoded AES key protects the exchanges.

Other Related Samples

Sophos investigated further and found other samples related to Beagle that were submitted to VirusTotal between February and April this year. These samples used the same XOR decryption key but infected machines via different attack chains, including Microsoft Defender binaries, AdaptixC2 shellcode, and a decoy PDF.

They also impersonated update sites from multiple security vendors, such as CrowdStrike, SentinelOne, and Trellix.

Mitigation

To mitigate this risk, users should ensure their systems are up-to-date and patched against the latest vulnerabilities.
