Threat actors are exploiting the surging popularity of Anthropic’s Claude AI assistant to distribute PlugX malware through a convincing fake download site, researchers have discovered.
The campaign leverages a sophisticated DLL sideloading technique that keeps the legitimate Claude application fully functional in the foreground while silently establishing remote access to the victim’s machine.
Claude’s rapid growth of nearly 290 million web visits per month has made it an attractive social engineering lure, and this campaign demonstrates how seamlessly attackers can blend malicious activity behind a trusted brand.
Fake Site and Infrastructure
The fraudulent site presents itself as an official download page for a “Pro” version of Claude, offering visitors a file named Claude-Pro-windows-x64.zip.
Passive DNS records reveal the domain is equipped with active mail-sending infrastructure, with MX records pointing to two commercial bulk-email platforms: Kingmailer (last observed March 28, 2026) and CampaignLark (observed from April 5, 2026).
The rotation between providers indicates the operators are actively maintaining their distribution capability, suggesting an ongoing, managed campaign rather than a one-off effort.
The ZIP archive contains an MSI installer that drops files into C:\Program Files (x86)\Anthropic\Claude\Cluade\, a path intentionally crafted to mimic a legitimate Anthropic installation.
The misspelling “Cluade” is a telling red flag, though most users would never inspect their installation directory. The installer even references Squirrel, the update framework used by real Electron-based applications like Claude, adding another layer of legitimacy to the deception.
Multi-Stage Infection Chain
Once executed, the installer places a Desktop shortcut Claude AI.lnk pointing to a VBScript dropper inside the SquirrelTemp directory.
When the victim clicks the shortcut, the VBScript locates and launches the real Claude application in the foreground, ensuring the user sees a fully functioning AI assistant.
Meanwhile, the script creates a clean replacement shortcut pointing directly to claude.exe, then deletes itself. By the time the user is chatting with Claude, the dropper has already vanished from disk.
Behind the scenes, before deleting itself, the VBScript quietly copies three files from SquirrelTemp into the Windows Startup folder at C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\:
- NOVUpdate.exe – a legitimately signed G DATA antivirus updater
- avk.dll – a malicious DLL substituted for a genuine G DATA component
- NOVUpdate.exe.dat – an encrypted payload file
It then launches NOVUpdate.exe with a hidden window, so nothing appears on screen.
DLL Sideloading and PlugX Deployment
This is a textbook DLL sideloading attack, cataloged by MITRE ATT&CK as T1574.002. Because NOVUpdate.exe is a legitimately signed security tool, it can bypass or complicate detection by endpoint security solutions that evaluate the parent process for trustworthiness.
When it executes, it loads avk.dll from its own directory, not the genuine G DATA library, but the attacker’s trojanized version, which reads and decrypts the payload stored in the .dat file.
This three-component sideloading triad (a signed executable, a malicious DLL, and an encrypted data file) is characteristic of the PlugX malware family, a remote access Trojan (RAT) tracked in espionage campaigns since at least 2008.
PlugX has historically been associated with operators linked to Chinese state interests, though its source code has circulated in underground forums, broadening the pool of potential actors. Attribution based on tooling alone is not definitive.
C2 Callback
Behavioral analysis in a sandbox environment confirmed the execution chain. WScript.exe was observed dropping NOVUpdate.exe and avk.dll into the Startup folder.
Just 22 seconds later, NOVUpdate.exe established its first outbound TCP connection to 8.217.190.58 on port 443, a callback repeated multiple times during the observation window. The IP falls within an Alibaba Cloud-associated address range, a hosting provider routinely abused for command-and-control infrastructure.
The sandbox also recorded modifications to HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, a registry path related to TCP/IP network configuration.
Anti-Forensic Self-Cleanup
The dropper employs deliberate anti-forensic measures. After deploying the payload, the VBScript writes a small batch file ~del.vbs.bat that waits for 2 seconds, then deletes itself and the original VBScript.
The entire malicious payload section is also wrapped in an On Error Resume Next statement, silently suppressing any errors to prevent alert dialogs that might tip off the victim or an analyst. The only persistent artifacts are the three sideloading files in the Startup folder and the running NOVUpdate.exe process.
This specific sideloading technique, abusing a legitimate G DATA executable alongside an XOR-encrypted payload, was publicly documented by Lab52 in February 2026 in their report “PlugX Meeting Invitation via MSBuild and GDATA.”
That campaign used fake meeting invitations; this one exploits the popularity of AI tools. The payload filename has changed from AVKTray.dat to NOVUpdate.exe.dat, but the underlying mechanism is identical.
The rapid reuse of a technique documented just weeks earlier underscores how quickly threat actors adapt proven methods to timely lures.
How to Check If You’re Affected
If you’ve recently downloaded Claude from a source other than claude.com/download, check your system for these indicators:
- Look for NOVUpdate.exe, avk.dll, or NOVUpdate.exe.dat in your Windows Startup folder
- Check for the misspelled directory C:\Program Files (x86)\Anthropic\Claude\Cluade\
- Review firewall or proxy logs for outbound connections to 8.217.190.58 on port 443
- Run a full system scan with updated anti-malware software
- Change passwords for any accounts accessed from the potentially affected machine, as PlugX variants can include keylogging and credential-theft capabilities
Always download Claude exclusively from claude.com/download and avoid links in emails, advertisements, or any site offering “Pro” or premium versions outside official channels.
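The checks above can be scripted. The following read-only PowerShell triage script is an added example, not part of the original article; it looks for the Startup-folder triad (comparing SHA-256 values against the IoC table below), the misspelled Cluade directory, a running NOVUpdate.exe process, and any live TCP connection to the reported C2 address. It assumes a standard C:\Users profile layout and PowerShell 3.0 or later with the NetTCPIP module.

```powershell
# Added triage example (not the article's own code). Read-only: it reports
# indicators and never deletes anything. Hashes and C2 address come from the
# article's IoC table.
$ErrorActionPreference = 'SilentlyContinue'

# SHA-256 values from the IoC table, keyed by filename (compared case-insensitively).
$KnownHashes = @{
    'NOVUpdate.exe'     = 'be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f'
    'avk.dll'           = 'd5590802bf0926ac30d8e31c0911439c35aead82bf17771cfd1f9a785a7bf143'
    'NOVUpdate.exe.dat' = '8ac88aeecd19d842729f000c6ab732261cb11dd15cdcbb2dd137dc768b2f12bc'
}
$C2Address = '8.217.190.58'
$C2Port    = 443
$Findings  = @()

# 1. The sideloading triad in each user's Startup folder (every profile on the host).
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory) {
    $startup = Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    foreach ($name in $KnownHashes.Keys) {
        $path = Join-Path $startup $name
        if (Test-Path $path) {
            $hash  = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            $match = if ($hash -ieq $KnownHashes[$name]) { 'HASH MATCH' } else { 'name match only' }
            $Findings += "Startup artifact: $path ($match, sha256=$hash)"
        }
    }
}

# 2. The misspelled installation directory dropped by the fake MSI installer.
$badDir = 'C:\Program Files (x86)\Anthropic\Claude\Cluade'
if (Test-Path $badDir) { $Findings += "Suspicious directory present: $badDir" }

# 3. A live NOVUpdate.exe process, or an established connection to the C2 address.
foreach ($p in Get-Process -Name 'NOVUpdate') {
    $Findings += "Running process: NOVUpdate.exe (PID $($p.Id), path $($p.Path))"
}
foreach ($c in Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port) {
    $Findings += "Network: $($c.LocalAddress):$($c.LocalPort) -> ${C2Address}:${C2Port} state $($c.State) (PID $($c.OwningProcess))"
}

# Report. A non-zero exit code lets a management tool flag the host.
if ($Findings.Count -eq 0) {
    Write-Output 'No indicators from this campaign were found on this host.'
    exit 0
}
$Findings | ForEach-Object { Write-Output "[!] $_" }
Write-Output 'Indicators found. Isolate the host and preserve the Startup folder files before remediation.'
exit 1
```

A "name match only" result means a file with the same name exists but a different hash; treat it as suspicious rather than clean, since the operators have already changed filenames once between campaigns.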
| Artifact | Hash / Value |
|---|---|
| Claude-Pro-windows-x64.zip | 35FEEF0E6806C14F4CCDB4FCEFF8A5757956C50FB5EC9644DEDAE665304F9F96 |
| NOVUpdate.exe | be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f |
| avk.dll | d5590802bf0926ac30d8e31c0911439c35aead82bf17771cfd1f9a785a7bf143 |
| NOVUpdate.exe.dat | 8ac88aeecd19d842729f000c6ab732261cb11dd15cdcbb2dd137dc768b2f12bc |
| C2 IP | 8.217.190.58:443 (TCP) |
FAQ
Q: What is PlugX malware? PlugX is a remote access Trojan used primarily in espionage campaigns since 2008, capable of keylogging, file theft, and persistent backdoor access to compromised systems.
Q: How does DLL sideloading bypass antivirus detection? It abuses a legitimately signed executable that loads a malicious DLL from the same directory, making the parent process appear trusted to security tools.
Q: How can I safely download Claude AI? Only download Claude from the official website at claude.com/download and avoid any third-party sites offering “Pro” or premium versions.
Q: Is Alibaba Cloud responsible for this attack? Threat actors abuse cloud providers like Alibaba Cloud to host command-and-control infrastructure, and the provider itself is not implicated in the malicious activity.
Site: thecybrdef.com