Fake Claude AI website delivers new 'Beagle' Windows malware
Source: Bleeping Computer

Overview
A fraudulent copy of the Claude AI website (claude-pro[.]com) offers a malicious "Claude-Pro Relay" download. The 505 MB archive Claude-Pro-windows-x64.zip contains an MSI installer that, when executed, installs a previously undocumented Windows backdoor named Beaver (also referred to as Beagle).
The fake site mimics the legitimate Claude LLM portal’s colors and fonts but all navigation links simply redirect to the front page. Researchers at Sophos and Malwarebytes identified the campaign in early 2026.
Indicators of Compromise
- Files added to the Startup folder:
  - NOVupdate.exe
  - NOVupdate.exe.dat
  - avk.dll
- Presence of a signed G Data updater (NOVupdate.exe) used to sideload avk.dll and the encrypted NOVupdate.exe.dat.
- Network traffic to C2 domain license[.]claude-pro[.]com over TCP 443 or UDP 8080.
- C2 IP address: 8.217.190[.]58 (associated with Alibaba‑Cloud).
Backdoor Capabilities
The Beagle backdoor supports a limited command set:
| Command | Description |
|---|---|
| uninstall | Removes the agent |
| cmd | Executes an arbitrary command |
| upload | Uploads a file to the compromised host |
| download | Downloads a file from the host |
| mkdir | Creates a directory |
| rename | Renames a file |
| ls | Lists directory contents |
| rm | Removes a directory or file |
Note: This backdoor is unrelated to the Delphi‑based Beagle/Bagle worm documented in 2004 (source).
Technical Details
- First-stage payload: Donut loader (an open-source in-memory injector) fetched the Beagle backdoor.
- Sideloading technique: NOVupdate.exe (a legitimately signed G Data updater) loads the malicious avk.dll, which decrypts and executes the payload stored in NOVupdate.exe.dat.
- Encryption: Payloads are encrypted with a hard-coded AES key; decryption occurs in memory to evade detection.
- Historical context: Sophos previously observed Donut‑based attacks in 2024 targeting Southeast Asian government entities (blog post).
Command‑and‑Control
- Domain: license[.]claude-pro[.]com
- IP: 8.217.190[.]58
- Ports: TCP 443, UDP 8080
- Protection: Communications are encrypted with a static AES key.
Additional samples submitted to VirusTotal (Feb–Apr 2026) used the same XOR decryption key but were delivered via varied attack chains (e.g., Microsoft Defender binaries, AdaptixC2 shellcode, decoy PDFs) and impersonated update sites of security vendors such as CrowdStrike, SentinelOne, and Trellix.
Mitigation
- Verify source: Download Claude software only from the official Anthropic portal.
- Inspect startup items: The presence of NOVupdate.exe, NOVupdate.exe.dat, or avk.dll in the Startup folder is a strong indicator of compromise.
- Network controls: Block outbound connections to license[.]claude-pro[.]com and the IP 8.217.190[.]58.
- Endpoint protection: Ensure signatures are up-to-date and enable behavior-based detection to catch in-memory injection techniques like Donut.
- User awareness: Educate users to avoid sponsored search results and to scrutinize URLs that differ from the legitimate domain.
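The indicators listed above (Startup-folder file names, the C2 domain and IP, the expected ports) can be turned into a small defender-side sweep. The script below is an added example written for this page; it is not code from Bleeping Computer, Sophos or Malwarebytes. It takes a list of file names collected from a Startup folder and a list of connection-log lines, and reports matches. The key=value log format and every log line in SAMPLE_LOG are constructed for the example; only the indicator values come from the page. Flagging any host under claude-pro.com as a "lure-domain" hit goes slightly beyond the mitigation list, on the basis that the page names claude-pro[.]com as the fraudulent site itself.

```python
"""IoC sweep for the Beagle campaign indicators quoted on this page.

Added example, not vendor code. Log format and sample lines are constructed.
"""
import re
from pathlib import Path

# Indicators from the page, with defanging brackets removed for matching.
STARTUP_FILE_IOCS = {"novupdate.exe", "novupdate.exe.dat", "avk.dll"}
C2_DOMAIN = "license.claude-pro.com"
LURE_DOMAIN = "claude-pro.com"
C2_IP = "8.217.190.58"
C2_PORTS = {("tcp", 443), ("udp", 8080)}

# Constructed key=value connection records (assumed log format, not a real product's output).
SAMPLE_LOG = [
    "ts=2026-03-02T09:14:07Z proto=tcp src=10.1.4.23 dst=8.217.190.58 dport=443 host=license.claude-pro.com",
    "ts=2026-03-02T09:14:09Z proto=udp src=10.1.4.23 dst=8.217.190.58 dport=8080",
    "ts=2026-03-02T09:15:30Z proto=tcp src=10.1.4.40 dst=203.0.113.9 dport=443 host=claude-pro.com",
    "ts=2026-03-02T09:16:02Z proto=tcp src=10.1.4.51 dst=198.51.100.7 dport=443 host=claude.ai",
    "ts=2026-03-02T09:17:45Z proto=tcp src=10.1.4.23 dst=8.217.190.58 dport=9001",
]

KV_PAIR = re.compile(r"(\w+)=(\S+)")


def sweep_startup_names(file_names):
    """Return the file names (original spelling, sorted) that match the Startup-folder IoCs.

    Matching is case-insensitive because NTFS is case-insensitive.
    """
    return sorted(n for n in file_names if n.lower() in STARTUP_FILE_IOCS)


def sweep_startup_folder(folder):
    """Convenience wrapper: read a real Startup folder from disk and sweep its file names."""
    names = [p.name for p in Path(folder).iterdir() if p.is_file()]
    return sweep_startup_names(names)


def parse_line(line):
    """Parse one key=value record into a dict; unknown keys are kept, missing ones are absent."""
    return dict(KV_PAIR.findall(line))


def classify_connection(fields):
    """Classify one parsed connection record.

    Returns "c2-match" when the C2 host or IP is contacted on an expected port,
    "c2-indicator-unusual-port" when the C2 host/IP appears on another port
    (still worth triage), "lure-domain" for the fake site itself, or None.
    """
    host = fields.get("host", "").lower().rstrip(".")
    dst = fields.get("dst", "")
    proto = fields.get("proto", "").lower()
    try:
        port = int(fields.get("dport", "0"))
    except ValueError:
        port = 0

    if host == C2_DOMAIN or dst == C2_IP:
        return "c2-match" if (proto, port) in C2_PORTS else "c2-indicator-unusual-port"
    if host == LURE_DOMAIN or host.endswith("." + LURE_DOMAIN):
        return "lure-domain"
    return None


def sweep_network_log(lines):
    """Return (source, destination, verdict) tuples for every line that hits an indicator."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        verdict = classify_connection(fields)
        if verdict:
            hits.append((fields.get("src", "?"), fields.get("host") or fields.get("dst"), verdict))
    return hits


if __name__ == "__main__":
    # Constructed Startup-folder listing; replace with sweep_startup_folder(<path>) on a real host.
    print("startup hits:", sweep_startup_names(["NOVupdate.exe", "NOVupdate.exe.dat", "avk.dll", "desktop.ini"]))
    for src, dest, verdict in sweep_network_log(SAMPLE_LOG):
        print(f"{verdict:28} {src} -> {dest}")
```

A connection to the C2 IP on a port other than 443/8080 is reported separately rather than dropped: the page gives the ports the researchers observed, and a blocklist keyed on the IP should not depend on them.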

Fake Claude AI website – source: Sophos