Detailed Analysis
Threat actors have constructed a fraudulent website impersonating Anthropic's Claude AI platform to distribute the PlugX remote access trojan (RAT), exploiting the tool's massive popularity — approximately 290 million monthly visits — to lure unsuspecting users into downloading a trojanized MSI installer. The malicious site offers a file named **Claude-Pro-windows-x64.zip**, which deploys a sophisticated multi-stage infection chain. Upon execution, the installer drops files into a deliberately misspelled directory — **C:\Program Files (x86)\Anthropic\Claude\Cluade\\** — and uses the legitimate Squirrel update framework to confer an air of authenticity. A VBScript dropper (Claude.vbs) then launches the real Claude application visibly, so the victim experiences no disruption, while simultaneously sideloading a malicious DLL in the background. Three files are quietly copied to the Windows Startup folder for persistence: **NOVUpdate.exe**, a legitimately signed G DATA antivirus updater; **avk.dll**, a trojanized DLL acting as a PlugX loader; and **NOVUpdate.exe.dat**, an XOR-encrypted PlugX payload. The dropper subsequently overwrites the desktop shortcut and self-deletes, leaving virtually no trace of the initial compromise.
The core technical mechanism — DLL sideloading — is particularly dangerous because it abuses a trusted, digitally signed executable to load the malicious library, allowing the attack to bypass security tools that rely on signature validation or behavioral heuristics tied to unsigned binaries. By hijacking the G DATA antivirus updater, the attackers turn a security-adjacent process into a delivery vehicle, a deeply ironic and effective form of camouflage. Standard endpoint detection tools are frequently blind to this technique, making manual inspection of Startup folder contents and DLL load monitoring critical supplementary defenses. Indicators of compromise include the presence of **NOVUpdate.exe**, **avk.dll**, and **NOVUpdate.exe.dat** in the Startup folder, as well as the telltale "Cluade" directory misspelling. Security researchers recommend disconnecting affected systems from the internet immediately upon detection, resetting credentials, and ensuring Claude is only downloaded from the official **claude.com/download** page.
PlugX itself carries a significant threat pedigree. Active since at least 2008 and historically associated with China-linked espionage operations, the RAT provides operators with broad capabilities including data exfiltration, keylogging, lateral movement across networks, and persistent remote access. The leak of PlugX's source code in subsequent years has lowered the barrier for non-state actors to deploy it, complicating attribution. The specific sideloading triad used in this campaign — NOVUpdate.exe, avk.dll, and the encrypted .dat payload — mirrors a technique documented in a February 2026 Lab52 report involving PlugX distributed via fake meeting invites, suggesting either the same threat actor or a copycat group that has adapted the method to exploit AI-themed lures.
The broader significance of this campaign lies in how it reflects a calculated pivot by malware distributors toward artificial intelligence branding as social engineering bait. As tools like Claude become mainstream productivity software sought by millions of users across enterprise and consumer contexts, they present high-value impersonation targets — particularly for users unaware that Claude operates as a web application rather than a downloadable desktop executable. This attack exploits precisely that ambiguity, making the fake installer appear plausible to anyone who simply searches for "Claude download." The trend mirrors earlier waves of malware distributed through fake installers for VPNs, video conferencing tools, and productivity software, now updated for the AI era. Organizations and individuals should treat any third-party AI software download with heightened scrutiny and enforce verification against official vendor sources as a baseline security control.
Read original article →