Threat Advisory: Malvertising Campaign Leverages Fake Claude AI Site to Deploy “Beagle” Backdoor via PlugX-Style Sideloading

Threat actors are currently executing a sophisticated social engineering campaign that weaponizes the popularity of Large Language Models (LLMs). By deploying a deceptive Claude AI clone, attackers are successfully delivering a multi-stage infection chain that utilizes DLL sideloading to deploy a novel Windows backdoor, now identified as “Beagle.”

This campaign is particularly dangerous because it moves beyond simple phishing, blending malvertising, trojanized installers, and the abuse of legitimate, digitally signed security software to bypass traditional endpoint detection and response (EDR) mechanisms.

The Lure: Search Engine Poisoning and Malvertising

The attack begins with users searching for AI tools and encountering malicious advertisements or poisoned search results. These links direct victims to claude-pro[.]com, a domain meticulously designed to mimic Anthropic’s legitimate interface. While the site appears functional, it serves little purpose other than to host a fraudulent download labeled as the “Claude‑Pro Relay” tool.

Sophos X-Ops has been actively investigating this fraudulent infrastructure, noting its reliance on high-traffic search terms to intercept unsuspecting users.

Technical Breakdown: The DLL Sideloading Chain

Once a victim downloads and executes the large (approx. 505 MB) Claude-Pro-windows-x64.zip archive and runs the included Claude.msi installer, the infection establishes persistence. The installer drops a triad of files into the user’s Startup folder to ensure execution upon every login:

  • NOVupdate.exe
  • NOVupdate.exe.dat
  • avk.dll

The core of this stealth mechanism is a classic PlugX-style DLL sideloading technique. The attackers utilize NOVupdate.exe, a legitimate and digitally signed updater component from G DATA antivirus. Under normal operating conditions, this executable is designed to load a specific avk.dll from its local directory. By placing a malicious version of avk.dll in the same folder, the attackers hijack the execution flow of a trusted process.

Upon execution, the malicious avk.dll performs the following operations:

  1. Reads the encrypted NOVupdate.exe.dat file.
  2. Performs an XOR decryption using a hardcoded key: Qby2RSGkGIHumNrDlbt1OEHV3y2dVh5b.
  3. Injects the resulting shellcode directly into memory via EtwpCreateEtwThread, a method specifically chosen to avoid writing suspicious files to the disk and to evade signature-based detection.

The Role of DonutLoader

The decrypted shellcode is identified as DonutLoader (Donut), a well-known open-source injector. Donut is highly effective for stealthy operations because it can transform .NET assemblies or PE files into position-independent shellcode, allowing for entirely fileless execution in memory.

The download link on the claude-pro[.]com site (Source : SOPHOS).
The deceptive download link presented to the user. (Source: SOPHOS)

The “Beagle” Backdoor: Capabilities and C2 Infrastructure

In this specific deployment, DonutLoader injects a previously undocumented backdoor dubbed “Beagle.” This implant provides the threat actors with a robust command set for post-exploitation activities, including:

  • Remote command execution and file system manipulation (upload, download, rename, and delete).
  • Directory enumeration and self-uninstallation capabilities.

Beagle communicates with its Command-and-Control (C2) server at license[.]claude-pro[.]com (IP: 8[.]217[.]190[.]58) over TCP port 443 and UDP port 8080. The communication is secured using AES encryption with a hardcoded key (beagle_default_secret_key_12345!) and a unique 16-byte IV for every packet. The protocol uses JSON-encoded heartbeats to distinguish between idle “check-ins” and active tasking.

C2 communications over UDP (Source : SOPHOS).
Observed C2 traffic over UDP. (Source: SOPHOS)

Attacker Footprints and Infrastructure Missteps

Despite their technical proficiency, the operators left several clues. Researchers discovered a Cloudflare origin certificate pointing to the IP 209[.]189[.]190[.]206, which facilitated the mapping of their backend infrastructure. Furthermore, a seemingly unrelated domain, vertextrust-advisors[.]com, was linked to the campaign, likely serving as a secondary piece of infrastructure.

Analysis of related samples on VirusTotal suggests that this is part of an evolving toolkit. While the PlugX-style loader remains a constant, the attackers frequently swap the final payload—sometimes delivering AdaptixC2 or shells that spoof security vendors like CrowdStrike or SentinelOne to further obfuscate their presence.

Defensive Recommendations

To mitigate the risk of this campaign, security professionals should implement the following controls:

  1. Strict Software Procurement: Enforce policies that prohibit the download of AI tools or productivity software from any domain other than the official vendor (e.g., anthropic.com).
  2. Endpoint Monitoring: Monitor for suspicious child processes originating from signed binaries, specifically legitimate G DATA executables loading unsigned or non-standard DLLs from user-writable paths (like %APPDATA% or %TEMP%).
  3. Network Heuristics: Look for encrypted outbound traffic to suspicious domains (e.g., license[.]claude-pro[.]com) and unusual UDP/TCP traffic patterns on ports 443 and 8080.
  4. Memory Analysis: Implement detection for in-memory execution patterns consistent with DonutLoader and other reflective injection techniques.
  5. Ad-Blocking & Filtering: Given the malvertising component, consider using DNS-level filtering or browser-based ad-blocking to reduce the surface area for search-engine-based attacks.

Related Articles

Back to top button