Someone Built a Fake Claude Website Just to Drop Malware, and It's Smarter Than You'd Expect
Let's start with the obvious: if you're downloading Claude from anywhere other than anthropic.com, you're having a bad day. But the people behind the fake Claude-Pro website that Sophos and Malwarebytes just documented weren't counting on you being gullible. They were counting on you being busy.
The site, parked at claude-pro[.]com, pitched itself as a "high-performance relay service designed specifically for Claude-Code" developers. The colors and fonts were close enough. The download button was large and eager. The 505MB ZIP file — "Claude-Pro-windows-x64.zip" — looked like exactly the kind of thing a developer who just finished a long debugging session might grab without thinking twice.
Inside that ZIP was a trojanized MSI installer. The application itself worked: the user got a functioning copy of the tool, so nothing prompted a second look. In the background, though, the installer kicked off a chain that ended with something Sophos is calling Beagle, a previously undocumented Windows backdoor.
The delivery technique is what makes this interesting. The installer drops three files into the Startup folder: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. NOVupdate.exe is a legitimate, digitally signed updater for G Data security software. The attackers use it to sideload the malicious avk.dll, which then decrypts and executes the payload inside the .dat file: an open-source in-memory injector called DonutLoader. The sideload works because Windows searches an executable's own directory before the system directories, so the signed, unmodified updater loads the attacker's avk.dll as soon as it starts. Nothing about the signed file is tampered with, which is exactly why signature and reputation checks on the parent binary come back clean; detection has to key on the DLL sitting next to it.
DLL sideloading through signed G Data binaries is not new: Sophos says it has seen the same pairing before in PlugX campaigns. These attackers aren't reinventing the wheel; they're reusing proven tradecraft with a fresh coat of AI-brand paint.
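The pattern described above (a signed EXE, a DLL of the same name the EXE imports sitting next to it, and a payload container named after the EXE) is easy to sweep for. The script below is an added example, not code from the Sophos or Malwarebytes write-ups, and it assumes only what the article states: the three files land in a Startup folder and the EXE carries a valid Authenticode signature. It walks both the per-user and all-users Startup folders, prints the signature status of every EXE and DLL it finds, and flags any DLL beside a validly signed EXE whose own signature is missing, invalid, or from a different signer. The file names in `$knownBad` are the indicators from the article; everything else is generic.

```powershell
# Added hunt script (not from the original write-up). Sweeps the Startup folders for
# the signed-EXE + sideloaded-DLL + sidecar-.dat pattern the Beagle dropper uses.
# Run in an elevated PowerShell so the all-users Startup folder is readable.

# Indicators named in the article; everything below them is pattern-based.
$knownBad = @('NOVupdate.exe', 'NOVupdate.exe.dat', 'avk.dll')

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

foreach ($dir in $startupDirs) {
    # Anything that is not a .lnk in Startup is already unusual; binaries are a red flag.
    $files = Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue

    foreach ($f in $files) {
        if ($knownBad -contains $f.Name) {
            Write-Warning "Known IoC from the claude-pro[.]com campaign: $($f.FullName)"
        }
    }

    foreach ($exe in ($files | Where-Object { $_.Extension -eq '.exe' })) {
        $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
        $exeSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { '<unsigned>' }
        Write-Output "EXE  $($exe.FullName)  status=$($exeSig.Status)  signer=$exeSigner"

        # Encrypted payload container named after the EXE (NOVupdate.exe -> NOVupdate.exe.dat).
        $dat = Join-Path -Path $dir -ChildPath ($exe.Name + '.dat')
        if (Test-Path -LiteralPath $dat) {
            $size = (Get-Item -LiteralPath $dat).Length
            Write-Warning "  sidecar payload file beside EXE: $dat ($size bytes)"
        }

        # The EXE's own directory is searched before System32, so a signed EXE launched
        # from here loads any imported DLL name from this folder first.
        foreach ($dll in ($files | Where-Object { $_.Extension -eq '.dll' })) {
            $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
            $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '<unsigned>' }
            # Valid parent signature plus an unsigned/invalid/differently signed DLL
            # next to it is the sideload shape; a vendor's own signed helper DLL is not.
            $suspect = ($exeSig.Status -eq 'Valid') -and
                       (($dllSig.Status -ne 'Valid') -or ($dllSigner -ne $exeSigner))
            $verdict = if ($suspect) { 'SUSPECT sideload candidate' } else { 'ok' }
            Write-Output "  DLL  $($dll.Name)  status=$($dllSig.Status)  signer=$dllSigner  -> $verdict"
        }
    }
}
```

The signer comparison is the part worth keeping even if you change everything else: a valid signature on the parent tells you nothing on its own, because the whole point of the technique is that the parent is genuine. To sweep other persistence locations, replace `$startupDirs` with whatever folders you want checked; the per-EXE logic does not depend on Startup specifically.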
The Beagle backdoor itself is relatively simple: it can execute commands, upload and download files, and create and delete directories. That's a small command set, but for an attacker who just wants a foothold on a developer's machine, it's plenty. (And before anyone asks: no, this Beagle has nothing to do with the 2004 Bagle worm. Different thing entirely.)
The broader point here isn't that malware exists, or even that malware authors are opportunistic. It's that AI branding has crossed a threshold. When a developer searches for "Claude Code relay" or "Claude Pro download," they're now in the blast radius of a campaign that was specifically designed to exploit the gap between trust in a brand and the instinct to just get back to work.
This isn't a story about a sophisticated zero-day. It's a story about how fast the threat landscape adapts to whatever we're all collectively excited about. Three years ago it was crypto wallet scams. Two years ago it was NFT phishing. Now it's fake AI tooling sites, and the attackers have graduated from credential harvesters to full remote-access backdoors.
The lesson isn't "be more careful" — that's useless advice. The lesson is that if a tool becomes essential enough to your workflow, someone will build infrastructure to exploit your relationship with it. Claude, ChatGPT, Copilot — they're all in that category now. Which means the fake download sites are only going to get better.