Fake Claude AI Site Pushes Beagle Windows Backdoor

Stephanie Adlam
Fake Claude AI download trap installs Beagle Windows backdoor artifacts

A fake Claude AI download site is distributing a malicious “Claude-Pro Relay” installer for Windows. Malwarebytes first documented the campaign in April 2026 as a fake Claude site that installs a functional-looking app while deploying a PlugX malware chain in the background. BleepingComputer now reports that Sophos analyzed the same operation further and found a previously undocumented Windows backdoor called Beagle in the chain.

The reason this story matters is the attacker workflow, not only the brand being impersonated. The installer is designed to reduce suspicion: the victim gets an application that appears to launch normally, while the malware quietly places persistence files in the Windows Startup folder. That makes this closer to a trojanized software distribution channel than to a simple scam page.

What to check on a Windows system

Malwarebytes reported that the fake download was served as Claude-Pro-windows-x64.zip. Its installer drops a trojanized copy of Claude and uses a VBScript stage to place NOVUpdate.exe, avk.dll, and NOVUpdate.exe.dat into the user’s Startup folder. The combination is important: NOVUpdate.exe is a signed G DATA updater used as a DLL sideloading host, avk.dll is the malicious DLL, and the .dat file carries the encrypted payload.

BleepingComputer’s newer report says Sophos traced the chain through DonutLoader and into Beagle, a backdoor with basic remote-control commands such as command execution, upload, download, directory listing, rename, and removal. It also reported command-and-control communication to license[.]claude-pro[.]com, with Malwarebytes previously observing traffic to 8.217.190[.]58 on TCP port 443.

That gives defenders a concrete triage path. If a user downloaded a “Claude Pro” Windows package from a non-official site:

  1. Check the Startup folder at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup for the three NOVUpdate artifacts (NOVUpdate.exe, avk.dll, and NOVUpdate.exe.dat).
  2. Look for the misspelled path C:\Program Files (x86)\AnthropicClaude\Cluade.
  3. Review recent outbound connections to the reported domain or IP.
  4. Inspect whether a shortcut named Claude AI.lnk launched a VBScript from a temporary installer directory.

If any of those artifacts exist, disconnect the host, preserve the files for analysis, and rotate credentials used from that machine after cleanup: PlugX-style remote access can expose browser sessions, developer credentials, and internal portals.
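The checks above can be run in one pass. The following PowerShell script is an added triage example written for this article; it is not code from Gridinsoft, Malwarebytes, or Sophos. The Startup-folder file names, the misspelled install directory, the shortcut name, and the C2 domain and IP are the indicators reported above (re-fanged for matching); the locations searched for the shortcut are an assumption, as is the expectation that only the signed G DATA host executable carries a valid Authenticode signature.

```powershell
# Added triage example (not from the article or the cited vendors).
# Checks a Windows host for the reported Claude-Pro Relay / Beagle indicators.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Persistence artifacts in the per-user Startup folder (names from the article).
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
foreach ($name in 'NOVUpdate.exe', 'avk.dll', 'NOVUpdate.exe.dat') {
    $path = Join-Path $startup $name
    if (Test-Path -LiteralPath $path) {
        # Assumption: the sideloading host is a validly signed vendor updater, while the
        # sideloaded DLL and the encrypted .dat payload carry no valid signature.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        Add-Finding 'StartupArtifact' ("{0} (signature: {1}; signer: {2})" -f `
            $path, $sig.Status, $sig.SignerCertificate.Subject)
    }
}

# 2. Misspelled install directory reported by Malwarebytes.
$badDir = 'C:\Program Files (x86)\AnthropicClaude\Cluade'
if (Test-Path -LiteralPath $badDir) { Add-Finding 'InstallDir' $badDir }

# 3. "Claude AI.lnk" shortcuts whose target or arguments launch a VBScript.
#    Search roots are an assumption (user desktop, public desktop, Start Menu).
$lnkRoots = @(
    (Join-Path $env:USERPROFILE 'Desktop'),
    (Join-Path $env:PUBLIC 'Desktop'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs')
)
$wsh = New-Object -ComObject WScript.Shell
foreach ($root in $lnkRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter 'Claude AI.lnk' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $wsh.CreateShortcut($_.FullName)
            $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
            if ($cmd -match '(?i)(wscript|cscript|\.vbs)') {
                Add-Finding 'Shortcut' ("{0} -> {1}" -f $_.FullName, $cmd)
            }
        }
}

# 4. Network indicators: established TCP sessions to the reported IP on 443,
#    and DNS-cache entries for the reported C2 domain.
$c2Ip     = '8.217.190.58'
$c2Domain = 'license.claude-pro.com'
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $c2Ip -and $_.RemotePort -eq 443 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'C2Connection' ("{0}:{1} from PID {2} ({3})" -f `
            $_.RemoteAddress, $_.RemotePort, $_.OwningProcess, $proc.ProcessName)
    }
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$c2Domain*" -or $_.Data -eq $c2Ip } |
    ForEach-Object { Add-Finding 'DnsCache' ("{0} -> {1}" -f $_.Entry, $_.Data) }

# 5. Report. Any hit means isolate the host and preserve the files before cleanup.
if ($findings.Count -eq 0) {
    Write-Output 'No reported Claude-Pro Relay / Beagle indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
    Write-Warning 'Indicators present: disconnect the host and preserve artifacts for analysis.'
}
```

Run it from an elevated PowerShell session so that Get-NetTCPConnection can resolve owning processes. The network checks only see current state; for historical connections, consult proxy, DNS, or EDR telemetry for the same domain and IP.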

This fits a broader pattern where attackers wrap current AI interest inside familiar download behavior. Gridinsoft has covered related abuse in AI-hype malware campaigns, AI-assisted developer package abuse, and fake software download sites. The practical rule is specific: do not search for “Pro” or cracked AI installers, and for legitimate AI tools, download from the vendor domain or a verified store page rather than from ads, cloned landing pages, GitHub mirrors, or “relay” services.

A related macOS campaign later used fake Claude Code Google Ads to deliver MacSync Stealer, showing that Claude-themed lures now target both Windows and Mac users.

Related update: researchers have also seen fake GitHub and SourceForge software downloads deliver DinDoor and a Deno-based RAT. Read the Deno RAT fake downloads news.

References

  1. Malwarebytes, “Fake Claude site installs malware that gives attackers access to your computer,” April 10, 2026.
  2. BleepingComputer, “Fake Claude AI website delivers new ‘Beagle’ Windows malware,” May 7, 2026.
Stephanie is our wordsmith, transforming technical research into engaging content that resonates with users. Her expertise in cybercrime prevention and online safety ensures that Gridinsoft's advice is accessible to everyone—whether they’re tech-savvy or not.