Fake Claude AI Website Delivers New Beagle Windows Backdoor via Malvertising


What happened

Sophos X-Ops researchers have documented an active malvertising campaign using a fake Claude AI website to distribute a previously undocumented Windows backdoor named Beagle. The malicious domain claude-pro[.]com impersonates Anthropic’s Claude interface using similar colors and fonts, but with non-functional links that redirect to the front page. The only working element is a download button for a 505MB archive named Claude-Pro-windows-x64.zip, promoted as a high-performance relay service for Claude Code developers.

The campaign was initially discovered by Malwarebytes and reaches victims through Google sponsored search results and SEO poisoning. The downloaded archive contains an MSI installer that drops three files into the Windows Startup folder: NOVupdate.exe, a legitimately signed G Data antivirus updater; avk.dll, a malicious DLL; and an encrypted data file named NOVupdate.exe.dat. The attack uses DLL sideloading: the trusted, signed G Data binary loads the malicious avk.dll from its own directory, and that DLL runs an in-memory DonutLoader that fetches the Beagle backdoor.

Beagle supports eight commands covering shell execution via CMD and PowerShell, file upload and download, directory listing, folder creation, file renaming, directory deletion, and self-removal. It communicates with a command-and-control server at license[.]claude-pro[.]com over TCP port 443 or UDP port 8080, encrypting traffic with a hardcoded AES key. The installed Claude application functions normally, concealing the compromise from users. Sophos found related samples from February through April 2026 using the same decryption key, and the operators were observed switching bulk email providers from Kingmailer to CampaignLark in April to stay ahead of blocklists. The same sideloading chain has been linked to PlugX activity, though Sophos could not confirm attribution. Related campaign variants also used lures impersonating CrowdStrike, SentinelOne, Trellix, and Microsoft Defender.

Who is affected

Software developers are the primary target, given the campaign’s framing of Claude-Pro Relay as a developer tool for Claude Code. Any Windows user who downloaded the fake installer through a sponsored search result or malvertising link may be compromised. The presence of NOVupdate files in the Startup folder is a confirmed indicator of compromise.

Why CISOs should care

This campaign exploits the rapid adoption of AI development tools in enterprise environments. Developers searching for Claude-related tooling through search engines can be served malicious sponsored results that lead to a functional-looking installer, making the lure particularly effective against technical users who might otherwise scrutinize downloads carefully. The use of a legitimate, signed antivirus binary for DLL sideloading also means the malicious code executes under the cover of a trusted process, complicating detection for endpoint security tools.

The campaign’s longevity, active since at least February 2026 with infrastructure rotation to evade blocklists, indicates a persistent and operationally sophisticated threat actor rather than an opportunistic one-time campaign.

3 practical actions

  1. Block claude-pro[.]com and license[.]claude-pro[.]com at the DNS and network perimeter level: These are the confirmed malicious domains used for both the fake download site and Beagle’s command-and-control infrastructure. Add both to blocklists immediately and alert on any existing outbound connections to these domains.
  2. Hunt for NOVupdate.exe and avk.dll in Windows Startup folders across managed endpoints: NOVupdate.exe is a legitimately signed G Data component, so the indicator is not the file name alone but its placement in a Startup folder, particularly alongside avk.dll and NOVupdate.exe.dat. Run an immediate sweep across managed Windows endpoints and investigate any matches as confirmed infections requiring remediation.
  3. Enforce organizational policies against downloading AI tools through sponsored search results: Brief developer teams on the risk of malvertising targeting AI development tools and establish a policy requiring downloads of Claude, Cursor, and similar AI tooling only from verified official domains, with sponsored search results treated as untrusted sources regardless of their apparent legitimacy.
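As an added example, not taken from the Sophos or Malwarebytes write-ups, the following PowerShell sweep covers actions 1 and 2 on a single endpoint. It walks every profile's Startup folder plus the all-users one looking for the three dropped file names, records the SHA256 and Authenticode signer of each hit (the G Data updater should validate, avk.dll should not), and checks the local DNS client cache for the two campaign domains. The file names and domains come from the article; the function names, output fields and the decision to treat any file hit as an infection are this example's own assumptions. Run it in an elevated session, and push it through your EDR or endpoint-management scripting channel to cover the fleet.

```powershell
# Added example, not code from the article or its sources: hunt for the Beagle
# sideloading triad in Windows Startup folders and for the campaign domains in the
# local DNS client cache. Run as an administrator so every user profile is readable.

$IocFiles   = @('NOVupdate.exe', 'avk.dll', 'NOVupdate.exe.dat')   # from the article
$IocDomains = @('claude-pro.com', 'license.claude-pro.com')       # from the article

# All-users Startup folder plus the per-user Startup folder of every profile on the host.
$startupPaths = @(Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
$profileRoot  = Split-Path -Parent $env:USERPROFILE
Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $startupPaths += Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}

function Get-BeagleStartupHits {
    # Returns one record per IOC file name found in any Startup folder (helper name is this example's).
    param([string[]]$Paths)
    foreach ($dir in $Paths) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $IocFiles -contains $_.Name } |
            ForEach-Object {
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = '(unsigned)'
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                [pscustomobject]@{
                    Host      = $env:COMPUTERNAME
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    Modified  = $_.LastWriteTime
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    SigStatus = $sig.Status     # 'Valid' is expected only for the signed G Data updater
                    Signer    = $signer
                }
            }
    }
}

function Test-BeagleDomain {
    # True when a cached DNS entry is one of the IOC domains or a subdomain of one.
    param([string]$Name)
    $n = $Name.ToLower()
    foreach ($d in $IocDomains) {
        if ($n -eq $d -or $n.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Get-BeagleDnsHits {
    # Cached lookups for the fake site or the C2 host. An empty cache is not proof of absence:
    # it is short-lived and cleared at reboot, so pair this with resolver and proxy logs.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { Test-BeagleDomain -Name $_.Entry } |
        Select-Object Entry, Data, TimeToLive
}

$fileHits = @(Get-BeagleStartupHits -Paths $startupPaths)
$dnsHits  = @(Get-BeagleDnsHits)

if ($fileHits.Count -eq 0 -and $dnsHits.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): no Beagle indicators in Startup folders or DNS cache."
} else {
    # Per the article, any file hit is a confirmed infection: isolate the host, then preserve
    # all three files (the .dat is the encrypted payload stage) before remediation.
    $fileHits | Format-Table -AutoSize
    $dnsHits  | Format-Table -AutoSize
    exit 1
}
```

The non-zero exit code lets a deployment tool flag the host without parsing output. Hashes are collected rather than compared because the article publishes none; feed them to your threat-intel platform and to the detection rule for "signed binary in a Startup folder loading an unsigned DLL from the same directory", which is the sideloading pattern the campaign relies on.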
