Claude, the AI tool developed by Anthropic, has seen an impressive surge in popularity, attracting nearly 290 million web visits each month. This rapid growth, however, has also made it a prime target for cybercriminals. Recently, a fake website was discovered that impersonates Claude, aiming to distribute a trojanized installer to unsuspecting users.
The counterfeit site cleverly mimics the official Claude download page, enticing visitors with a “Pro” version of the software. Users who download the file named Claude-Pro-windows-x64.zip may find that the application installs and operates as expected. However, unbeknownst to them, the installation process simultaneously deploys a PlugX malware chain, granting attackers remote access to their systems.
A deep dive into the campaign
The fraudulent site presents itself as a legitimate download portal, complete with a file that appears innocuous. Passive DNS records show that the domain has carried mail-related records which, at different points in time, pointed to two commercial bulk-email platforms, Kingmailer and CampaignLark. That the records changed over time indicates the operators are actively maintaining and rotating email-sending infrastructure, most likely to push the lure to a wider audience.
Once downloaded, the ZIP file contains an MSI installer that writes the application to a path mimicking a legitimate install location: C:\Program Files (x86)\Anthropic\Claude\Cluade. The misspelling "Cluade" in the final folder name is a subtle but telling red flag. The installer creates a desktop shortcut labeled Claude AI.lnk which, when clicked, launches a VBScript dropper. The script locates the genuine claude.exe and runs it in the foreground, so the user sees a working application, while the malicious activity proceeds in the background.
What happens behind the curtain
While the legitimate application runs, the VBScript stealthily copies three files into the Windows Startup folder, ensuring that the malware persists even after a reboot. These files include an executable named NOVUpdate.exe, a DLL called avk.dll, and an encrypted data file NOVUpdate.exe.dat. The script then executes NOVUpdate.exe in a hidden window, effectively masking its operations from the user.
This is a textbook DLL sideloading attack, catalogued by MITRE ATT&CK as T1574.002 (Hijack Execution Flow: DLL Side-Loading). NOVUpdate.exe is a legitimately signed G DATA antivirus updater; the attackers simply placed a malicious avk.dll beside it, so that when the updater resolves that library from its own directory it loads the attackers' code instead. This complicates detection because the process that does the loading is a signed, well-known binary: tooling that trusts the signer or the process name sees nothing wrong, and the malicious behaviour lives in a library that never appears as a process of its own.
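The defining shape of a sideload is a validly signed host executable loading a library from its own directory that is unsigned or signed by someone else. The following PowerShell is an added example, not code from the article or from Malwarebytes, that flags exactly that pattern across running processes. It is a heuristic: legitimate applications that ship third-party DLLs signed by another vendor will also appear, so treat the output as a triage list, not a verdict. It assumes nothing about the malware beyond the signed-host-plus-swapped-DLL layout described above, and should be run from an elevated 64-bit PowerShell so module lists are readable.

```powershell
# Added example (not from the original article): report processes whose validly
# signed executable has loaded a DLL from the same directory that is either not
# validly signed or signed by a different subject. This is the shape of T1574.002.
function Find-SideloadCandidates {
    param(
        # Processes to inspect; defaults to every process we can read.
        [System.Diagnostics.Process[]]$Process = (Get-Process)
    )
    foreach ($p in $Process) {
        # MainModule and Modules throw for protected or higher-integrity processes.
        try { $exePath = $p.MainModule.FileName } catch { continue }
        if (-not $exePath) { continue }
        try { $modules = $p.Modules } catch { continue }

        $exeDir = Split-Path -Parent $exePath
        $exeSig = Get-AuthenticodeSignature -FilePath $exePath
        # Only a validly signed host is interesting: that is what makes a sideload look benign.
        if ($exeSig.Status -ne 'Valid') { continue }
        $exeSigner = $exeSig.SignerCertificate.Subject

        foreach ($m in $modules) {
            $dll = $m.FileName
            if (-not $dll -or $dll -notlike '*.dll') { continue }
            # The application directory is searched before system directories, which is
            # what a planted DLL relies on; DLLs resolved from System32 are out of scope here.
            if ((Split-Path -Parent $dll) -ne $exeDir) { continue }

            $dllSig    = Get-AuthenticodeSignature -FilePath $dll
            $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '<unsigned>' }

            if ($dllSig.Status -ne 'Valid' -or $dllSigner -ne $exeSigner) {
                [pscustomobject]@{
                    ProcessName = $p.ProcessName
                    PID         = $p.Id
                    Executable  = $exePath
                    ExeSigner   = $exeSigner
                    Dll         = $dll
                    DllStatus   = $dllSig.Status
                    DllSigner   = $dllSigner
                }
            }
        }
    }
}

# Whole-host sweep, then a targeted look at the updater named in this campaign.
Find-SideloadCandidates | Format-Table -AutoSize
Find-SideloadCandidates -Process (Get-Process -Name NOVUpdate -ErrorAction SilentlyContinue) |
    Format-List
```

A hit where the executable is signed by G DATA and the co-located avk.dll is unsigned, or signed by anyone other than G DATA, is the case this article describes. Note that the check only sees DLLs that are currently loaded; a dormant copy of avk.dll in the Startup folder will not show up here, which is why the file-level checks later in this article still matter.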
Sandbox telemetry: C2 callback within seconds
Behavioral analysis in a controlled environment confirmed the execution chain's key components. Within just 22 seconds of execution, NOVUpdate.exe established its first outbound connection to an IP address in Alibaba Cloud's address space. A callback that fast, with no user interaction, shows that the sideloaded library beacons to its command-and-control server as soon as it is loaded, giving the operators a foothold almost immediately after the "installer" runs.
Furthermore, the sandbox environment recorded modifications to critical registry keys, indicating further attempts to manipulate the system’s network configuration.
Cleaning up after itself
The dropper script employs anti-forensic measures to evade detection. After deploying the payload, it writes a batch file that, following a brief delay, deletes both the original VBScript and the batch file itself. No dropper remains on disk afterwards; what is left are the three sideloading files in the Startup folder and the running NOVUpdate.exe process, which is exactly the part that looks legitimate.
A known playbook with a fresh lure
This sideloading technique, which exploits G DATA’s avk.dll alongside a legitimate executable, has been documented in previous campaigns. The operators behind this latest effort have adeptly combined a proven method with a timely social engineering lure, capitalizing on the growing interest in AI tools to deceive users into executing a trojanized installer.
How to stay safe
Given the sophisticated nature of this campaign, users must remain vigilant. Here are steps to check for potential compromise:
- Inspect your Startup folder for NOVUpdate.exe, avk.dll, or NOVUpdate.exe.dat. Check both the per-user folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and the all-users folder (%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp).
- If found, disconnect from the internet immediately.
- Look for the misspelled directory C:\Program Files (x86)\Anthropic\Claude\Cluade.
- Conduct a full system scan with a trusted anti-malware solution.
- Review firewall or proxy logs for any outbound connections to 8.217.190.58.
- Change passwords for any accounts accessed from the affected machine.
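The checks above can be run in one pass. The following PowerShell triage script is an added example, not code from the article or from Malwarebytes: it is read-only, reports rather than deletes, and covers the Startup folders, the misspelled install directory, live TCP connections to the C2 address, and the Windows Firewall log. Two assumptions are labelled in the code: a 64-bit variant of the install path that the article does not mention, and the default Windows Firewall log location, which only contains data if firewall logging has been turned on.

```powershell
# Added example (not from the original article): read-only host triage for the
# indicators listed in this article. It reports findings; it does not remediate.
$IocFiles = 'NOVUpdate.exe', 'avk.dll', 'NOVUpdate.exe.dat'
$IocDirs  = @(
    'C:\Program Files (x86)\Anthropic\Claude\Cluade',
    'C:\Program Files\Anthropic\Claude\Cluade'      # assumption: 64-bit variant, not in the article
)
$IocIp       = '8.217.190.58'
# Default Windows Firewall log path; logging is off by default, so the file may be absent.
$FirewallLog = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Test-StartupIocs {
    # Both the per-user and the all-users Startup folders are autostart locations.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        foreach ($name in $IocFiles) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                # Hash it so the artifact can be preserved and compared before any cleanup.
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                [pscustomobject]@{ Indicator = 'StartupFile'; Detail = $path; Sha256 = $hash }
            }
        }
    }
}

function Test-InstallDirIocs {
    foreach ($dir in $IocDirs) {
        if (Test-Path -LiteralPath $dir) {
            [pscustomobject]@{ Indicator = 'MisspelledDir'; Detail = $dir; Sha256 = $null }
        }
    }
}

function Test-NetworkIocs {
    # Live connections to the C2 address, with the owning process so it can be tied back to NOVUpdate.exe.
    Get-NetTCPConnection -RemoteAddress $IocIp -ErrorAction SilentlyContinue | ForEach-Object {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        [pscustomobject]@{
            Indicator = 'LiveConnection'
            Detail    = "PID $($_.OwningProcess) ($owner) -> $($_.RemoteAddress):$($_.RemotePort) [$($_.State)]"
            Sha256    = $null
        }
    }
    # Historical connections from the firewall log. W3C field order:
    # date time action protocol src-ip dst-ip src-port dst-port ...
    if (Test-Path -LiteralPath $FirewallLog) {
        Get-Content -LiteralPath $FirewallLog | ForEach-Object {
            if ($_ -like '#*') { return }              # header lines
            $f = $_ -split '\s+'
            if ($f.Count -ge 8 -and $f[5] -eq $IocIp) {
                [pscustomobject]@{
                    Indicator = 'FirewallLog'
                    Detail    = "$($f[0]) $($f[1]) $($f[2]) $($f[3]) $($f[4]) -> $($f[5]):$($f[7])"
                    Sha256    = $null
                }
            }
        }
    }
}

$findings = @(Test-StartupIocs) + @(Test-InstallDirIocs) + @(Test-NetworkIocs)
if ($findings.Count -eq 0) {
    'No indicators from this campaign found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A clean result is not proof of a clean machine: the dropper deletes itself, the firewall log may simply not exist, and proxy logs live off the host. Any positive finding is grounds to disconnect the machine and proceed with the remaining steps above, and the SHA-256 values are worth recording before anything is removed.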
To enhance your security:
- Only download Claude from the official site: claude.com/download.
- Avoid clicking on links in emails, ads, or unofficial “Pro” versions.
- Utilize an up-to-date, real-time anti-malware solution with web protection features.
Indicators of Compromise (IOCs)
Payload filenames
- Claude-Pro-windows-x64.zip — distributed archive
- NOVUpdate.exe — legitimate G DATA updater (sideloading host)
- avk.dll — malicious DLL (PlugX loader)
- NOVUpdate.exe.dat — encrypted payload
Network indicators
- 8.217.190.58:443 (TCP) — C2 destination