⚠️ Fake Claude AI! Trojan Risks Windows 🚨
May 07, 2026 | Author ABR-INSIGHTS Tech Hub
Tech
Summary
Sophos, a cybersecurity firm, reported that a deceptive website mimicking the Claude AI platform offered a malicious download: a Windows backdoor named Beagle. The fake site, posing as a legitimate “Claude-Pro Relay” service, directed users to a 505MB archive containing an MSI installer. Running the installer deployed three files, including an updater and a DLL, which together install a PlugX malware chain. Researchers identified DonutLoader, previously used against Southeast Asian government organizations, as the initial payload that deploys the Beagle backdoor. The backdoor communicated over TCP and UDP, using a hardcoded AES key and a command-and-control server hosted on Alibaba Cloud. Samples of the Beagle backdoor were detected between February and April, using various attack chains and impersonating security vendors.
Insights
CLAUDERELAY: A DEEP DIVE INTO A FAKE AI RELAY AND ITS MALICIOUS BACKDOOR
The cybersecurity firm Sophos has uncovered a carefully staged, if technically simple, phishing campaign targeting Claude Code developers. The operation centers on a fake website, claude-pro[.]com, designed to mimic the legitimate Claude AI platform. The site offers a malicious download, a 505MB archive named ‘Claude-Pro-windows-x64.zip’, containing an MSI installer for a purported “Claude-Pro Relay” service. Researchers determined that clicking the download button leads users to run a trojanized build of Claude that works as expected at first while silently deploying a PlugX malware chain, giving attackers remote access to the compromised system. The threat was first spotted by Malwarebytes, which identified the ‘Pro’ installer as a malicious payload. The case illustrates how cybercriminals are turning popular AI tools into lures, and why vigilance within the developer community matters.
THE BEAGLE BACKDOOR: A LAYERED ATTACK
On execution, the ‘Claude-Pro’ installer drops three files into the Windows Startup folder: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. Sophos’s investigation revealed that NOVupdate.exe is a legitimately signed updater for G Data security products, abused to sideload the malicious avk.dll, which in turn reads the encrypted NOVupdate.exe.dat file. Hijacking a legitimate, signed update component to load malware in this way (DLL sideloading) is a common attacker technique, because the signed parent process lends the chain credibility. The avk.dll acts as a decryption and in-memory execution engine for the payload inside NOVupdate.exe.dat, which is the open-source DonutLoader injector. DonutLoader, which Sophos previously observed in 2024 attacks on Southeast Asian government organizations, evades detection by loading the Beagle backdoor directly into memory. Beagle itself is a relatively simple command-and-control client offering commands to uninstall, execute, upload, download, create a directory, rename, list directory contents, and remove a directory. Crucially, communication between the infected system and the attacker's command-and-control (C2) server uses TCP over port 443 and/or UDP over port 8080, protected by a hardcoded AES key. The C2 server's IP address, 8.217.190[.]58, belongs to the Alibaba Cloud service, indicating where the attacker's infrastructure is hosted.
MULTIPLE ATTACK CHANNELS AND MITIGATION STRATEGIES
Sophos found multiple Beagle-related samples submitted to VirusTotal between February and April of this year, all using the same XOR decryption key. These samples employed a variety of attack chains, including Microsoft Defender binaries, AdaptixC2 shellcode, and decoy PDF files, and impersonated update sites of several security vendors (CrowdStrike, SentinelOne, and Trellix). While Sophos could not definitively attribute the campaign to a specific threat actor, the researchers suspect that the operators behind the PlugX malware campaign are experimenting with this new payload. To reduce the risk, users should download Claude only from the official portal and treat sponsored search results with suspicion. The presence of ‘NOVupdate’ files on a system is a strong indicator of compromise. More broadly, awareness of evolving attack techniques and proactive security measures are essential to safeguarding AI development environments. Consider attending the Autonomous Validation Summit (May 12 & 14) to learn how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
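The indicators from the two sections above, applied as a host sweep in an added example that is not from the article or from Sophos: it checks a Startup folder inventory for the three NOVupdate files, generalizes that to the signed-EXE-plus-.dat-plus-unsigned-DLL sideloading shape (my assumption, not a rule from the report), and matches connection records against the C2 address and channels. The inventory and connection records are constructed sample data standing in for a directory listing and netstat/EDR output.

```python
from dataclasses import dataclass

# Indicators quoted in the article: the three files dropped into the Startup
# folder and the Beagle C2 endpoint (TCP/443 and UDP/8080).
NOVUPDATE_FILES = {"novupdate.exe", "novupdate.exe.dat", "avk.dll"}
BEAGLE_C2_IP = "8.217.190.58"
BEAGLE_C2_CHANNELS = {(443, "tcp"), (8080, "udp")}

@dataclass(frozen=True)
class StartupEntry:
    name: str      # file name inside a Startup folder
    signed: bool   # Authenticode signature present and valid
@dataclass(frozen=True)
class Connection:
    remote_ip: str
    remote_port: int
    proto: str     # "tcp" or "udp"

def find_novupdate_files(entries):
    """Exact match on the file names the article calls a strong IoC."""
    return sorted(e.name for e in entries if e.name.lower() in NOVUPDATE_FILES)

def find_sideload_triples(entries):
    """Generalisation (my assumption, not from the article): a signed EXE in a
    Startup folder next to '<exe>.dat' and an unsigned DLL has the shape of the
    NOVupdate chain regardless of the file names used."""
    by_name = {e.name.lower(): e for e in entries}
    unsigned_dlls = sorted(e.name for e in entries
                           if e.name.lower().endswith(".dll") and not e.signed)
    hits = []
    for e in entries:
        n = e.name.lower()
        if n.endswith(".exe") and e.signed and f"{n}.dat" in by_name and unsigned_dlls:
            hits.append((e.name, by_name[f"{n}.dat"].name, unsigned_dlls))
    return hits

def find_c2_connections(conns):
    """Any socket to the C2 address is flagged; the bool records whether it
    uses one of the documented channels (TCP/443 or UDP/8080)."""
    return [(c, (c.remote_port, c.proto.lower()) in BEAGLE_C2_CHANNELS)
            for c in conns if c.remote_ip == BEAGLE_C2_IP]

# Constructed sample inventory: the article's three files plus benign noise.
SAMPLE_STARTUP = [
    StartupEntry("NOVupdate.exe", True), StartupEntry("NOVupdate.exe.dat", False),
    StartupEntry("avk.dll", False), StartupEntry("OneDrive.lnk", False),
]
SAMPLE_CONNS = [
    Connection("8.217.190.58", 443, "tcp"),   # documented C2 channel
    Connection("8.217.190.58", 8080, "tcp"),  # C2 IP, undocumented channel
    Connection("203.0.113.7", 443, "tcp"),    # constructed benign (TEST-NET-3)
]
```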