
Fake Claude AI Site Drops Beagle Backdoor on Windows Users

Source: Infosecurity Magazine · Published May 09, 2026 · Archived May 09, 2026

Sophos finds fake Claude site spreading DonutLoader and a new Beagle backdoor via DLL sideloading



A fraudulent imitation of Anthropic's Claude website has been used to distribute a previously undocumented backdoor named Beagle, deployed through a Dynamic Link Library (DLL) sideloading chain that abuses a signed antivirus updater binary.

The malicious domain claude-pro[.]com presents a stripped-down imitation of the legitimate Claude interface and offers a fictitious tool called Claude-Pro Relay, served as an approximately 505 MB ZIP archive, according to new analysis by Sophos X-Ops. The researchers assessed that the site is part of an active malvertising campaign and traced the hosting infrastructure to a server set up in March 2026.

PlugX-Style Chain Leads to Different Payload

The downloaded archive contains an MSI installer that drops three files into the user's startup folder: a signed G DATA antivirus updater renamed NOVupdate.exe, an encrypted data file and a malicious DLL named avk.dll. When the legitimate updater executes, it sideloads the malicious DLL in place of its expected library. The DLL decrypts the data file using a reversed XOR key and runs the resulting shellcode, which loads DonutLoader, an open-source in-memory loader. Donut then deploys the final payload, the Beagle backdoor.

Sophos initially suspected a PlugX variant given the combination of a G DATA-signed binary, an avk.dll sideload and an encrypted data file, all of which were linked to PlugX in a February 2026 Lab52 report. The delivery of a different payload led researchers to consider that the threat actor may have retooled an established infection chain or imitated one used by another group.

Beagle Capabilities and Linked Samples

Beagle is a relatively simple backdoor supporting eight commands covering shell execution, file transfer, directory listing and self-removal. It communicates with its command-and-control server at license[.]claude-pro[.]com over TCP port 443 or UDP port 8080, encrypting traffic with a hardcoded AES key.

Sophos identified additional samples on VirusTotal sharing the same XOR key, dating back to February 2026. A March variant swapped the final payload for shellcode tied to AdaptixC2, an open-source red-teaming framework Sophos has previously observed in ransomware attacks. Other related samples used domains masquerading as updates for Trellix, CrowdStrike and SentinelOne.

The campaign distributed malware through Cloudflare while hosting C2 infrastructure on Alibaba Cloud, a separation researchers said could complicate takedown efforts and signal a degree of operational continuity rather than a short-lived disposable campaign.
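As an added defender-side illustration (not code from Sophos or the article), the following hunt walks a directory listing for the sideloading triad described above: an executable, avk.dll and a non-PE data file all dropped into a user Startup folder. The listing is a constructed sample supplied as path -> first bytes, and the only PE validation assumed is the "MZ" DOS-stub check.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample listing: path -> first bytes of the file (not real samples).
_STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_FILES = {
    _STARTUP + r"\NOVupdate.exe": b"MZ\x90\x00",    # renamed signed updater (PE)
    _STARTUP + r"\avk.dll": b"MZ\x90\x00",          # sideloaded DLL (PE)
    _STARTUP + r"\NOVupdate.dat": b"\x8a\x11\xf3\x02",  # encrypted blob, not a PE
    _STARTUP + r"\OneDrive.lnk": b"L\x00\x00\x00",  # ordinary startup shortcut
    r"C:\Program Files\G DATA\AVK\avk.dll": b"MZ\x90\x00",      # vendor install dir
    r"C:\Program Files\G DATA\AVK\AVKUpdate.exe": b"MZ\x90\x00",  # legitimate location
}

SIDELOAD_DLL = "avk.dll"  # library name the updater resolves next to itself (per the report)


def is_pe(header: bytes) -> bool:
    """A PE image starts with the 'MZ' DOS stub; an encrypted payload file does not."""
    return header[:2] == b"MZ"


def in_startup_folder(directory: PureWindowsPath) -> bool:
    """True for per-user or all-users 'Start Menu\\Programs\\Startup' paths."""
    parts = [p.lower() for p in directory.parts]
    return "start menu" in parts and "startup" in parts


def find_sideload_triads(files: dict) -> list:
    """Return one finding per Startup folder holding an EXE, avk.dll and a non-PE data file."""
    by_dir = defaultdict(dict)
    for path, header in files.items():
        p = PureWindowsPath(path)
        by_dir[p.parent][p.name] = header
    findings = []
    for directory, names in by_dir.items():
        if not in_startup_folder(directory):
            continue  # a vendor install directory legitimately holds avk.dll
        dll = [n for n in names if n.lower() == SIDELOAD_DLL and is_pe(names[n])]
        exes = [n for n in names if n.lower().endswith(".exe") and is_pe(names[n])]
        blobs = [n for n in names if not is_pe(names[n]) and not n.lower().endswith(".lnk")]
        if dll and exes and blobs:
            findings.append({"dir": str(directory), "exe": exes, "dll": dll[0], "data": blobs})
    return findings


if __name__ == "__main__":
    for finding in find_sideload_triads(SAMPLE_FILES):
        print("sideload triad in Startup folder:", finding)
```

On a live host, replace SAMPLE_FILES with a walk of both Startup folders reading the first bytes of each file; a signed executable persisting there beside a same-named DLL is worth an analyst's look even before signature checks.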