'Threat actors are clearly adapting to the widespread interest in popular AI tools': AI fans beware, hackers create a fake Claude site to spread backdoor malware
Sophos flags fake Claude website carrying malware
- A spoofed site (claude-pro[.]com) delivers poisoned installers that sideload DonutLoader and the Beagle backdoor
- The operation mimics legitimate Claude software, likely tied to PlugX operators using DLL sideloading
- Researchers warn of malicious ads and SEO poisoning, urging users to verify links before downloading
If you’re looking to download the Claude client on Windows, be careful, because there are fake and malicious versions out there looking to exploit interest in new AI models.
Security researchers from Sophos have flagged how one such alleged Claude Pro offering led them to a website “claude-pro[.]com”. The site itself was built to look identical to the legitimate claude.ai official website, but the researchers determined it was fake rather quickly, as none of the links or buttons on the site, aside from the download one, worked - all redirecting back to the homepage.
Those who didn’t spot the scam and clicked the download button would end up with a working copy of Claude, but one that had been poisoned to also deliver an updater and a DLL file. In classic DLL sideloading fashion, the legitimate-looking updater loads the malicious DLL placed beside it, and that DLL in turn deploys a loader malware called DonutLoader.
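The sideloading chain described above leaves a simple trace for a defender: an application folder containing a DLL the vendor never shipped, or a shipped file whose hash no longer matches. The following Python script is an added example, not Sophos' tooling or anything from the campaign; it triages an install folder against a vendor manifest of expected file names and SHA-256 hashes and flags DLLs whose names collide with DLLs that normally live in System32 (a copy in the application folder is found first by the Windows search order). The manifest, the System32 name list and the sample folder are all constructed here so it runs offline.

```python
"""Triage a Windows application folder for DLL sideloading indicators.

Added example (not from the article or Sophos). Assumptions: the vendor
publishes a manifest of file names -> SHA-256 for the clean package, and
we have a list of DLL names that normally ship in System32. Both are
constructed below.
"""
import hashlib
import tempfile
from pathlib import Path

# Illustrative subset of DLL names that ship in System32. Any DLL with one of
# these names inside an application folder deserves a second look, because the
# loader resolves the application directory before System32.
SYSTEM32_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(install_dir, manifest, system32_names=SYSTEM32_NAMES):
    """Return {file name: [reasons]} for every file that deviates from the manifest.

    manifest maps lower-case file names to the SHA-256 of the vendor's copy.
    """
    install_dir = Path(install_dir)
    findings = {}
    for path in sorted(install_dir.iterdir()):
        if not path.is_file():
            continue
        name = path.name.lower()
        reasons = []
        expected = manifest.get(name)
        if expected is None:
            reasons.append("not in vendor manifest")
        elif sha256_file(path) != expected:
            reasons.append("hash differs from vendor manifest")
        if name.endswith(".dll") and name in system32_names:
            reasons.append("same name as a System32 DLL; the app-folder copy wins the search order")
        if reasons:
            findings[name] = reasons
    # A file the vendor ships but that is absent can also point at a tampered package.
    for name in manifest:
        if not (install_dir / name).exists():
            findings[name] = ["listed in manifest but missing"]
    return findings


def build_sample_install():
    """Constructed sample: a tampered install folder plus the vendor manifest for the clean package."""
    folder = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    clean = {"claude.exe": b"clean client bytes", "updater.exe": b"clean updater bytes"}
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in clean.items()}
    for name, data in clean.items():
        (folder / name).write_bytes(data)
    # Constructed tampering: the updater is swapped and an extra DLL appears beside it.
    (folder / "updater.exe").write_bytes(b"modified updater bytes")
    (folder / "version.dll").write_bytes(b"placeholder bytes, not real malware")
    return folder, manifest


if __name__ == "__main__":
    sample_dir, sample_manifest = build_sample_install()
    for filename, why in triage(sample_dir, sample_manifest).items():
        print(f"{filename}: {'; '.join(why)}")
```

In practice the manifest comes from the vendor's signed release metadata or from a known-good install hashed on a clean machine; the script deliberately treats "not in manifest" and "hash mismatch" as separate reasons, because an unexpected DLL with a System32 name is a much stronger sideloading signal than a single changed binary.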
Dropping Beagle
This tool, in turn, fetched a “relatively simple backdoor” called Beagle, capable of running commands, uploading and downloading files, creating directories, uninstalling agents, and more.
Sophos could not attribute this campaign to any particular threat actor, but they did say that it was most likely operated by the same people who are running PlugX.
PlugX is a remote access trojan (RAT) usually used by Chinese state-linked threat groups to spy on victims, steal data, and maintain persistent access to compromised systems. The malware is described as being highly adaptable and modular, allowing attackers to execute commands, capture screenshots, log keystrokes, and move laterally across networks. It has been active for more than a decade and is one of the longer-running RATs out there.
The attackers most likely planned to run malicious ads and SEO poisoning to reach their targets, so make sure to double-check the links in your search engine before visiting any websites.
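Checking a link by eye is error-prone when the fake domain only differs by a hyphen, as claude-pro[.]com does from claude.ai. The Python helper below is an added example, not part of the article or any Sophos tooling; it classifies a URL against a small allowlist of official hosts (only claude.ai is taken from the article, so the allowlist is an assumption to extend) and flags common imitations: a brand name embedded in a non-official domain, an official name parked in front of an "@" so the real host is hidden, and punycode labels that can hide look-alike characters.

```python
"""Classify a download link as legitimate, a lookalike, or unrelated.

Added example, not from the article. LEGIT_HOSTS is an assumption: the
article names claude.ai as the genuine site, so that is the only entry.
"""
from urllib.parse import urlsplit

LEGIT_HOSTS = {"claude.ai"}


def _parse(url):
    """Return (split result, normalised ASCII host) for a URL with or without a scheme."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    try:
        # Non-ASCII labels become xn-- punycode, which we can flag explicitly.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass
    return parts, host


def _brand_labels(legit_hosts):
    """'claude.ai' -> 'claude': the label an imitation domain is most likely to reuse."""
    return {h.split(".")[-2] for h in legit_hosts if h.count(".") >= 1}


def classify(url, legit_hosts=LEGIT_HOSTS):
    """Return (verdict, reason); verdict is legitimate, lookalike, unrelated or unparseable."""
    parts, host = _parse(url)
    if not host:
        return "unparseable", "no host in URL"
    if parts.username is not None:
        # https://claude.ai@evil.example/ really points at evil.example.
        return "lookalike", "text before '@' is user-info, not the host; real host is " + host
    for legit in legit_hosts:
        if host == legit or host.endswith("." + legit):
            return "legitimate", f"host is {legit} or one of its subdomains"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike", "punycode label in host; possible look-alike characters"
    for brand in _brand_labels(legit_hosts):
        if brand in host:
            return "lookalike", f"'{brand}' appears in {host}, which is not an official domain"
    return "unrelated", f"{host} neither matches nor imitates an official domain"


if __name__ == "__main__":
    for candidate in ("https://claude.ai/download", "https://claude-pro.com/download",
                      "https://claude.ai@evil.example/", "https://claude.ai.evil.example/"):
        verdict, reason = classify(candidate)
        print(f"{verdict:<11} {candidate}  ({reason})")
```

The subdomain test is strict (`host.endswith("." + legit)`), so claude.ai.evil.example is not accepted as a subdomain of claude.ai; it falls through to the brand check and is reported as a lookalike. A production version would swap the allowlist for the vendor's full list of official domains and consult a public suffix list rather than matching on the raw host.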
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.