Fake Claude AI website delivers new 'Beagle' Windows malware
Security researchers warn of a fake Claude AI website that distributes a trojanized Claude-Pro Relay installer, delivering a Windows backdoor named Beagle. The campaign uses a bogus Claude-Pro-windows-x64.zip that drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll, loading DonutLoader and Beagle in memory to grant attackers remote access, with C2 traffic to license.claude-pro.com on ports 443/8080. Mitigation advises downloading Claude only from the official portal and watching for NOVupdate artifacts; attribution remains unclear, though Sophos links Beagle to operators associated with PlugX.

Introduction
A deceptive clone of the Claude AI website has emerged, promoting a malicious download package advertised as Claude-Pro Relay. Investigations by Sophos and Malwarebytes reveal that the apparent “Claude-Pro” installer is a trojanized copy designed to push a previously undocumented Windows backdoor named Beagle. The campaign is framed around a purported high-performance relay service for Claude-Code developers, but the façade unravels quickly once users engage with the site’s download flow. The fake page employs visuals and typography reminiscent of the legitimate Claude site, yet its links are nothing more than redirects to the front page, signaling the scam to careful observers.
How the Fake Site Operates
- The lure centers on a single prominent download button on the fake claude-pro site. Clicking this button leads to a 505MB archive named Claude-Pro-windows-x64.zip.
- Inside the archive sits an MSI installer that is alleged to install Claude-Pro Relay but actually initiates a multi-stage payload chain.
- The website domain used in the attack is designed to appear legitimate at a glance, but redirected links quickly reveal the deception.
The Payload Chain: From Initial Drop to Beagle
- Initial delivery: The executable payload is signed in a way that lends it an air of legitimacy, enabling it to sideload subsequent components while appearing to be a routine updater.
- First-stage payload: DonutLoader acts as the initial loader, fetching a backdoor payload that Sophos and Malwarebytes call Beagle. DonutLoader is an open-source in-memory injector known for delivering subsequent payloads without fully writing them to disk.
- Intermediate stage: The chain brings in a signed updater binary that passes for a legitimate security-vendor updater. In this campaign, that updater process is used to sideload additional components, including an encrypted data file.
- Final payload: The Beagle backdoor is loaded into memory to establish command-and-control (C2) communication and to provide attackers with remote access capabilities.
The Beagle Backdoor: Capabilities and Commands
- Beagle is designed as a lightweight backdoor with a relatively small set of commands, emphasizing remote control and file management.
- Key commands include:
- uninstall: removes the agent from the system
- cmd: executes shell commands
- upload: transfers files to the infected machine
- download: retrieves files from the infected machine
- mkdir: creates directories
- rename: renames files
- ls: lists directory contents
- rm: removes files or directories
- The backdoor is loaded into memory to minimize persistence indicators and to evade some surface-level detection techniques.
The Command-and-Control Channel
- Beagle communicates with its C2 infrastructure through license.claude-pro.com using TCP over port 443 and UDP over port 8080.
- Exchanges are protected by a hardcoded AES key, adding a layer of encryption to the controller channel.
- The C2 infrastructure has been observed on an IP address in the Alibaba-Cloud range (8.217.190.58), indicating a cloud-hosted control server.
- This setup enables attackers to issue commands, obtain stolen data, or stage additional malicious actions remotely.
Additional Context on the Attack Chain
- The first-stage payload (DonutLoader) has a track record of delivering in-memory payloads that avoid straightforward on-disk detection.
- The specific DLL involved in the chain is avk.dll, which is loaded via a G Data-signed updater binary (NOVupdate.exe). This technique—sideloading a DLL through a signed executable—has been seen in past PlugX activity.
- The encrypted file NOVupdate.exe.dat contains the in-memory payload that DonutLoader decrypts and executes, enabling the final Beagle backdoor to run in memory.
- The Beagle variant observed in this campaign is distinct from the Delphi-based Beagle/Bagle worm documented in 2004, though researchers note stylistic or operational similarities in the use of backdoor functionality.
Broader Context and Sample Evolution
- Additional samples related to Beagle surfaced on VirusTotal between February and April of the current year, sharing the same XOR-based decryption key and Beagle payload characteristics.
- Infection chains vary across samples, with some relying on Microsoft Defender binaries, AdaptixC2 shellcode, or decoy PDFs to mislead defenders. Several samples impersonated update sites from well-known security vendors, broadening the deception surface.
- While attribution to a specific threat actor remains inconclusive, researchers point to overlapping operator techniques with those behind PlugX, suggesting that the same group or collaborator ecosystem may be experimenting with a new payload under the Beagle banner.
Indicators of Compromise and Artifacts to Watch For
- The presence of files named NOVupdate.exe, NOVupdate.exe.dat, and avk.dll on a Windows system, particularly in conjunction with unexpected startup entries.
- Startup folder entries involving NOVupdate.exe and related components.
- Network indicators such as traffic to license.claude-pro.com, especially over TCP port 443 or UDP port 8080.
- Hardcoded AES-based encryption in traffic between the infected host and the C2 server.
- DNS resolutions or connections pointing to Alibaba-Cloud address ranges that are consistent with C2 activity.
- Unusual behavior corresponding to the Beagle command set (e.g., unsolicited file uploads/downloads, remote command execution, and directory manipulation).
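A defender-side hunt for the artifacts listed above, run over Sysmon-style events. This is an added illustration, not code from the original report or the researchers; the events are constructed samples and the key=value log layout is an assumption of this example.

```python
import re

# Indicators taken from the write-up above
IOC_FILES = {"novupdate.exe", "novupdate.exe.dat", "avk.dll"}
IOC_DOMAIN = "license.claude-pro.com"
IOC_IP = "8.217.190.58"
IOC_PORTS = {("tcp", "443"), ("udp", "8080")}

# Constructed Sysmon-style key=value events (not real telemetry); EventID 1/7/22/3/11 = process create, image load, DNS query, network connect, file create
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Users\\a\\AppData\\Roaming\\NOVupdate.exe",
    "EventID=7 Image=C:\\Users\\a\\AppData\\Roaming\\NOVupdate.exe ImageLoaded=C:\\Users\\a\\AppData\\Roaming\\avk.dll",
    "EventID=22 Image=C:\\Users\\a\\AppData\\Roaming\\NOVupdate.exe QueryName=license.claude-pro.com",
    "EventID=3 Image=C:\\Users\\a\\AppData\\Roaming\\NOVupdate.exe Protocol=udp DestinationIp=8.217.190.58 DestinationPort=8080",
    "EventID=3 Image=C:\\Program Files\\Browser\\browser.exe Protocol=tcp DestinationIp=93.184.216.34 DestinationPort=443",
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NOVupdate.exe",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # values may contain spaces

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def check_event(ev):
    """Return the list of indicator matches for one parsed event."""
    hits = []
    for field in ("Image", "ImageLoaded", "TargetFilename"):
        name = basename(ev.get(field, ""))
        if name in IOC_FILES:
            hits.append(f"file artifact {name} in {field}")
    target = ev.get("TargetFilename", "")
    if "\\startup\\" in target.lower() and basename(target) in IOC_FILES:
        hits.append("startup-folder persistence via " + basename(target))
    # the signed updater loading the DLL placed beside it is the sideload step
    if (ev.get("EventID") == "7" and basename(ev.get("Image", "")) == "novupdate.exe"
            and basename(ev.get("ImageLoaded", "")) == "avk.dll"):
        hits.append("DLL sideload: NOVupdate.exe loaded avk.dll")
    if ev.get("QueryName", "").lower() == IOC_DOMAIN:
        hits.append("DNS query for C2 domain " + IOC_DOMAIN)
    if ev.get("DestinationIp") == IOC_IP:
        port = (ev.get("Protocol", "").lower(), ev.get("DestinationPort", ""))
        hits.append("connection to C2 address " + IOC_IP
                    + (" on a known C2 port" if port in IOC_PORTS else ""))
    return hits

def hunt(lines):
    # (event index, finding) pairs; events with no matches are dropped
    return [(i, h) for i, line in enumerate(lines) for h in check_event(parse_event(line))]
```

Port 443 alone is too common to alert on by itself, so the port only corroborates a match on the C2 address; the DLL-load and startup-folder rules are the lower-noise signals here.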
Attribution and Threat Landscape
- The Beagle backdoor appears to be linked, at least in style and technique, to operators associated with PlugX activity in past campaigns.
- The campaign leveraging a signed updater to sideload malicious components aligns with established multi-stage delivery patterns seen in other sophisticated campaigns.
- Researchers emphasize that while Beagle represents a new payload, the broader tactic—look-alike landing pages, trojanized installers, and memory-resident backdoors—continues to be a favored approach for remote access campaigns.
Related Campaigns and Contextual Notes
- The fake Claude site and Claude-Pro Harvesting scheme are part of a broader pattern where threat actors imitate legitimate platforms to lure users into installing backdoors.
- Similar campaigns have leveraged decoys such as decoy PDFs or vendor-update lures to mask the true intent of the executable payloads.
- The convergence of multiple evasion techniques—signed binaries, in-memory payloads, and cloud-hosted C2—illustrates a maturing approach to covert access, emphasizing stealth and resilience.
Conclusion
The emergence of the Claude-Pro Relay deception underscores a persistent risk posed by clone sites and trojanized installers masquerading as legitimate software products. Beagle represents a compact yet capable backdoor that leverages multi-stage delivery, signed components, and memory-resident execution to maintain persistence and facilitate remote control. The campaign also illustrates how attackers blend familiar tools with new payloads to evade detection and expand their footholds across compromised systems. As defenders observe evolving techniques that reuse and extend known toolchains, vigilance around supply-chain-like delivery pages and suspicious installers remains essential for early detection and rapid containment.