HackRead

Hackers Use Fake Claude AI Site to Infect Users With New Beagle Malware


Hackers are using AI popularity to trick people into installing malware. According to new research from Sophos X-Ops, shared with Hackread.com, a fake website designed to look like Anthropic’s Claude AI has been discovered spreading a previously unknown backdoor.

The deception starts with a malicious domain called claude-pro.com, which reached victims through malvertising (ads showing malicious links on real websites) and SEO poisoning (manipulating search engine results to increase a site’s ranking). To a normal user, it looked like a legitimate platform for getting AI tools. In reality, it was a trap.

Fake Claude AI site (Credit: Sophos X-Ops)

How the infection happens

When a visitor clicks the download link for a supposed Claude-Pro Relay tool, they receive a file named Claude-Pro-windows-x64.zip. Inside this file is an MSI installer ‘Claude.msi,’ which drops three specific files into the computer’s startup folder: NOVupdate.exe, avk.dll, and an encrypted data file called NOVupdate.exe.dat.

What makes this entire attack unusual is that NOVupdate.exe is a real, signed file from G DATA antivirus. The hackers used a technique called DLL sideloading to trick this genuine file into loading their malicious avk.dll. Further investigation revealed that this process eventually runs an in-memory Donut loader (or DonutLoader).
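The infection chain above leaves a recognisable footprint: a legitimate signed executable, a sideload-candidate DLL and an encrypted blob named after the executable, all dropped together into a Startup folder. The following Python hunt script is an added example (not Sophos’s code) that walks a directory for that triad and flags whether the names match the ones reported for this campaign; the Startup folder paths are an assumption about standard Windows locations, and the sample directory it builds contains only empty placeholder files.

```python
import os
import tempfile
from pathlib import Path

# Filenames reported by Sophos X-Ops for the Claude-Pro dropper (from the article).
KNOWN_TRIAD = {"novupdate.exe", "avk.dll", "novupdate.exe.dat"}

# Assumed standard Windows Startup folder locations (not taken from the article).
STARTUP_DIRS = [
    Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup",
    Path(os.environ.get("PROGRAMDATA", "")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
]

def find_sideload_triads(directory):
    """Report every EXE in `directory` that sits next to at least one DLL and an
    '<exe>.dat' file, the shape described for the Claude-Pro dropper.
    Returns a list of (exe, [dlls], dat, matches_known_iocs) tuples."""
    directory = Path(directory)
    if not directory.is_dir():
        return []
    names = {p.name.lower(): p.name for p in directory.iterdir() if p.is_file()}
    dlls = [n for n in names if n.endswith(".dll")]
    findings = []
    for lower, original in names.items():
        if not lower.endswith(".exe"):
            continue
        dat = lower + ".dat"
        if dlls and dat in names:
            # Exact IoC match only when all three reported names are present.
            known = {lower, dat, *dlls} & KNOWN_TRIAD
            findings.append((original, sorted(names[d] for d in dlls), names[dat],
                             known == KNOWN_TRIAD))
    return findings

def build_constructed_sample(filenames=("NOVupdate.exe", "avk.dll",
                                        "NOVupdate.exe.dat", "OneDrive.lnk")):
    """Constructed test folder: empty files carrying the given names (no real malware)."""
    d = Path(tempfile.mkdtemp())
    for name in filenames:
        (d / name).write_bytes(b"")
    return d

if __name__ == "__main__":
    for d in [build_constructed_sample(), *STARTUP_DIRS]:
        for exe, dlls, dat, ioc in find_sideload_triads(d):
            tag = "matches Claude-Pro/Beagle IoCs" if ioc else "generic sideload triad"
            print(f"{d}: {exe} + {dlls} + {dat} [{tag}]")
```

The generic branch also surfaces any other signed-binary-plus-DLL-plus-.dat drop in Startup, so a hit without the known names still deserves a look.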

Meet the Beagle backdoor

While the setup looked like older attacks using PlugX or ShadowPad, researchers found the final payload was something new: a backdoor they have dubbed Beagle.

According to researchers, the malware can run commands, move files, and manage directories using instructions like upload, download, cmd, and ls. It communicates with a command-and-control server at license.claude-pro.com using a hardcoded key: beagle_default_secret_key_12345!.

A wider campaign

The timeline shows this group has been active for months. The main server was set up in March 2026, but Sophos found other samples from February and April. Further investigation revealed that hackers reused the same XOR key across different Donut samples throughout the year.

Some of these used different tools, like the AdaptixC2 framework or even Microsoft’s MpCopyAccelerator.exe. They also used anti-analysis methods, which suggests a “codebase continuity rather than a short-lived ‘smash-and-grab’ campaign.”

“While the XOR key may be relatively unique, further evidence would be required to conclude that these samples are linked to the same threat actor,” the blog post reads.

The way the hackers set up their infrastructure was also calculated. Although everything remained within the main domain, researchers found that malware distribution was handled via Cloudflare while the C2 server was hosted on Alibaba Cloud, probably to “add some friction to disruption and takedown opportunities” and prevent security teams from shutting them down.

Researchers also identified links to other domains that pretended to be big security firms, including update-crowdstrike.com and update-sentinelone.com.

Sophos X-Ops pointed out that while the fake Claude site was “noticeably simplistic,” the way it hides malware inside trusted software makes it a serious threat. The best advice for staying safe is to only download AI software from official sources and to be very suspicious of ‘sponsored’ search results.
