Fake Claude AI Website Spreads “Beagle” Backdoor Through Sophisticated DLL Sideloading Campaign

Introduction

Cybercriminals are increasingly abusing the popularity of artificial intelligence platforms to trick unsuspecting users into downloading malware. In the latest campaign uncovered by security researchers, attackers created a fake version of Anthropic’s Claude AI website and used it to distribute a newly discovered backdoor malware called “Beagle.”

What makes this campaign especially dangerous is the level of sophistication involved. Instead of relying on simple phishing attachments, the attackers used a multi-stage infection chain involving signed antivirus software components, encrypted payloads, memory-only malware loaders, and cloud infrastructure designed to complicate takedown efforts.

The operation demonstrates how threat actors are adapting their methods to exploit public trust in AI products while combining older malware techniques with newer delivery mechanisms. Researchers from Sophos X-Ops believe the campaign may be connected to previous PlugX-style attacks, although the final malware payload differs significantly from earlier operations.

Fake Claude Website Used as Malware Delivery Platform

Researchers discovered a malicious domain named “claude-pro[.]com,” which imitates the appearance of Anthropic’s Claude AI service. The website presents users with a simplified interface designed to appear legitimate while advertising a fake application named “Claude-Pro Relay.”

Victims who download the offered package receive a massive ZIP archive of roughly 505 MB. Hidden inside the archive is an MSI installer containing the actual malware components. Sophos investigators believe the website is part of an active malvertising campaign intended to lure users searching for AI-related tools and productivity enhancements.

The infrastructure behind the campaign was reportedly established in March 2026, suggesting the attackers carefully prepared the operation before deployment. By leveraging the hype surrounding generative AI services, the threat actors significantly increase the chances of convincing users to trust the download.

DLL Sideloading Technique Abuses Signed Antivirus Software

Once the installer executes, it places three separate files into the Windows startup directory. These files include a signed G DATA antivirus updater executable renamed “NOVupdate.exe,” an encrypted data file, and a malicious DLL file named “avk.dll.”

The attack relies on DLL sideloading, a technique where a legitimate signed application unknowingly loads a malicious library instead of the expected trusted DLL. Since the executable is digitally signed by a recognized antivirus vendor, security products may initially treat the process as legitimate activity.

After execution, the malicious DLL decrypts the hidden data file using a reversed XOR key. The decrypted shellcode then launches DonutLoader, an open-source in-memory loader frequently used in advanced cyberattacks. DonutLoader subsequently injects and executes the final malware payload directly in memory, helping the attackers avoid traditional detection mechanisms.

Researchers Initially Suspected PlugX Malware

Sophos researchers initially believed the campaign was connected to PlugX malware because the infection chain closely resembled techniques previously documented in a February 2026 report by Lab52.

Several characteristics matched older PlugX operations, including:

Use of Signed G DATA Binary

The attackers reused a legitimate signed antivirus updater to maintain credibility and evade security tools.

Presence of avk.dll

The same DLL naming convention had previously appeared in PlugX-related attacks.

Encrypted Data File Structure

The campaign employed encrypted payload delivery methods nearly identical to those associated with PlugX malware families.

However, deeper analysis revealed that the final malware payload was not PlugX, but an entirely different backdoor called Beagle. This led researchers to believe that the attackers either modified an existing PlugX infection chain or intentionally copied another group’s operational techniques.

Beagle Backdoor Functionality

Beagle itself is considered a relatively lightweight backdoor, but it still provides attackers with enough functionality to maintain remote access and perform malicious operations on infected systems.

The malware supports eight core commands that allow attackers to:

Execute Remote Shell Commands

Attackers can remotely run commands on compromised machines, enabling full system manipulation.

Transfer Files

The malware supports both upload and download capabilities for exfiltration and payload deployment.

Browse Directories

Operators can inspect the victim’s file structure and search for valuable data.

Remove Itself

Beagle includes self-removal functionality to erase traces of infection when necessary.

Communication with the command-and-control server occurs over TCP port 443 or UDP port 8080. The malware encrypts network traffic using a hardcoded AES encryption key, making analysis and interception more difficult.

The primary command-and-control domain identified by researchers was “license[.]claude-pro[.]com.”

Additional Samples Suggest Broader Campaign Activity

Sophos analysts found additional malware samples uploaded to VirusTotal dating back to February 2026 that shared the same XOR encryption key used in the Beagle campaign.

One March 2026 variant reportedly replaced the Beagle payload with shellcode associated with AdaptixC2, an open-source red-teaming framework previously observed in ransomware incidents.

Other discovered domains impersonated major cybersecurity vendors, including fake update-themed domains referencing:

Trellix

Attackers attempted to imitate legitimate software update infrastructure.

CrowdStrike

The campaign abused the trust associated with well-known security vendors.

SentinelOne

Threat actors continued the pattern of impersonating cybersecurity-related brands.

These findings suggest the operators are running a broader malware distribution ecosystem rather than a single isolated campaign.

Cloudflare and Alibaba Cloud Infrastructure Increased Campaign Resilience

Researchers also noted that the attackers used Cloudflare services to distribute malware while simultaneously hosting command-and-control infrastructure on Alibaba Cloud servers.

This separation creates additional operational resilience because disabling one infrastructure component does not necessarily eliminate the rest of the operation. Security analysts believe this approach indicates long-term planning rather than a temporary disposable attack.

The infrastructure choices also complicate takedown coordination between hosting providers, cloud platforms, and cybersecurity teams attempting to disrupt the campaign.

What Undercode Says:

The Beagle campaign highlights a major evolution in modern cybercrime strategy. Threat actors are no longer simply sending malicious email attachments or fake invoices. Instead, they are constructing highly believable ecosystems that mimic trusted AI services, cybersecurity vendors, and legitimate software updates.

The timing of this campaign is particularly important. Artificial intelligence platforms are currently experiencing explosive global adoption, and attackers understand that users are actively searching for AI productivity tools. This creates a perfect environment for fake applications and malicious advertisements.

What makes the attack especially effective is the psychological trust users place in AI brands. Someone searching for Claude AI enhancements or enterprise relay tools may not immediately question a professional-looking website offering a downloadable package.

The use of signed binaries also represents a serious challenge for defenders. Many endpoint security solutions still rely heavily on reputation-based trust models. When malware is executed through a digitally signed executable belonging to a recognized antivirus vendor, the malicious activity may blend into legitimate processes.

Another important detail is the use of DonutLoader. In-memory execution frameworks are becoming increasingly common because they drastically reduce the forensic footprint left on infected systems. Traditional antivirus products often struggle against malware that never fully writes itself to disk in an unencrypted form.

The overlap with PlugX-style infrastructure is equally interesting. It may indicate one of three possibilities:

Shared Malware Development Ecosystem

Different threat actors could be sharing operational playbooks and malware loaders.

Rebranding of Existing Campaigns

An older PlugX operator may have transitioned toward newer malware payloads.

Intentional False Attribution

The attackers may be deliberately imitating PlugX techniques to confuse investigators.

The campaign’s use of Cloudflare and Alibaba Cloud also demonstrates growing operational maturity. Modern cybercriminal groups now design infrastructure with redundancy and survivability in mind. Even if researchers shut down one component, the remaining infrastructure can continue operating.

Another critical concern is the abuse of cybersecurity brand names. Users often associate companies like CrowdStrike, SentinelOne, and Trellix with safety and legitimacy. Threat actors understand this psychological bias and exploit it aggressively.

This incident also reinforces a broader industry trend: AI-related scams are becoming a dominant malware distribution method. Similar campaigns targeting ChatGPT, Gemini, Midjourney, and other popular platforms have already appeared over the past year.

Organizations should pay close attention to DLL sideloading detection, unsigned library loading behavior, abnormal startup folder modifications, and suspicious use of legitimate signed executables. Behavioral monitoring is becoming far more important than signature-based detection alone.
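As an added illustration of the detection advice above (this is example code written for this page, not Sophos tooling or anything from the campaign itself), the script below runs a simple triage rule set over constructed Sysmon-style events: FileCreate (EventID 11) writes into a user's Startup folder that are not shortcuts, and ImageLoad (EventID 7) events where an executable running from Startup loads an unsigned DLL sitting beside it, which is the shape of the renamed G DATA updater plus avk.dll described in the article. The field names follow Sysmon's schema, but every event, path and user name is constructed; the encrypted data file's real name is not given in the article, so a placeholder is used.

```python
"""Triage example (added; not from the article or the campaign): flag the
Startup-folder DLL sideloading pattern on constructed Sysmon-style events.
EventID 11 = FileCreate, EventID 7 = ImageLoad. Field names follow Sysmon's
schema; the events themselves are constructed for illustration."""
import ntpath
from dataclasses import dataclass

# Per-user Startup folder suffix, compared case-insensitively on Windows paths
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def in_startup(path: str) -> bool:
    """True when a Windows path lies inside a Startup folder."""
    return STARTUP_MARKER in path.lower()


def same_dir(a: str, b: str) -> bool:
    """True when two Windows paths share a directory (ntpath works on any OS)."""
    return ntpath.dirname(a.lower()) == ntpath.dirname(b.lower())


def detect(events):
    """Return Findings for the sideloading pattern across a list of events."""
    findings = []
    for ev in events:
        if ev["EventID"] == 11 and in_startup(ev["TargetFilename"]):
            # Startup normally holds shortcuts; an EXE, DLL or opaque data
            # file written there by an installer is worth a look
            ext = ntpath.splitext(ev["TargetFilename"])[1].lower()
            if ext not in (".lnk", ".url"):
                findings.append(Finding("startup_drop", ev["Image"],
                                        ev["TargetFilename"]))
        elif ev["EventID"] == 7:
            image, loaded = ev["Image"], ev["ImageLoaded"]
            unsigned = ev.get("Signed", "false").lower() != "true"
            if not unsigned:
                continue  # signed library loads are not what this rule hunts
            if in_startup(image) and same_dir(image, loaded):
                # Sideload shape: a process launched from Startup pulls an
                # unsigned DLL from its own directory
                findings.append(Finding("sideload_pair", image, loaded))
            elif in_startup(loaded):
                findings.append(Finding("unsigned_dll_from_startup", image, loaded))
    return findings


# Constructed sample: an MSI install drops three files, a benign installer
# drops a shortcut, then the renamed signed updater loads the DLL beside it.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": MSIEXEC, "TargetFilename": STARTUP + r"\NOVupdate.exe"},
    {"EventID": 11, "Image": MSIEXEC, "TargetFilename": STARTUP + r"\avk.dll"},
    # placeholder name: the article does not give the encrypted file's name
    {"EventID": 11, "Image": MSIEXEC, "TargetFilename": STARTUP + r"\encrypted-data.bin"},
    {"EventID": 11, "Image": r"C:\Program Files\Example\setup.exe",
     "TargetFilename": STARTUP + r"\Example.lnk"},
    {"EventID": 7, "Image": STARTUP + r"\NOVupdate.exe",
     "ImageLoaded": STARTUP + r"\avk.dll", "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": STARTUP + r"\NOVupdate.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.process}  ->  {f.detail}")
```

On the sample above the script reports three startup_drop findings (the EXE, the DLL and the data file) and one sideload_pair finding for NOVupdate.exe loading avk.dll; the shortcut write and the signed kernel32.dll load are left alone. In production the same two rules map directly onto Sysmon's ImageLoad and FileCreate events, and the sideload_pair rule is the higher-fidelity one because legitimate vendor updaters do not normally execute out of a Startup folder at all.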

Regular users should also become more cautious when downloading unofficial AI tools, plugins, or “premium relay” applications from unknown websites. The promise of enhanced AI functionality is increasingly being weaponized as a malware lure.

The Beagle backdoor itself may appear simple compared to larger espionage frameworks, but simplicity can actually make malware more dangerous. Lightweight malware is easier to deploy, easier to modify, and often harder to detect because it generates less noise.

The discovery of AdaptixC2-linked samples further suggests that this infrastructure may eventually support ransomware deployment or post-exploitation operations. That dramatically increases the potential risk associated with these infections.

From a defensive standpoint, this campaign is a reminder that cybersecurity awareness training must evolve alongside technology trends. Employees are now just as likely to encounter malware through fake AI tools as they are through phishing emails.

In many ways, AI hype has become the new social engineering weapon of choice.

Fact Checker Results

✅ Researchers from Sophos X-Ops identified a fake Claude-themed website distributing malware through DLL sideloading techniques.

✅ The Beagle malware used encrypted communications and relied on a signed antivirus updater executable for execution.

❌ There is currently no confirmed public attribution linking the campaign to a known nation-state or ransomware group.

Prediction

🔮 AI-themed malware campaigns will rapidly increase throughout 2026 as attackers continue exploiting trust in generative AI platforms.

🔮 DLL sideloading combined with signed binaries will remain a preferred technique because it bypasses many traditional security defenses.

🔮 Future variants of the Beagle infrastructure may evolve into ransomware delivery systems or larger espionage-focused malware operations.

References:

Reported By: www.infosecurity-magazine.com