A convincing fake website impersonating Anthropic’s Claude AI has been caught distributing a previously unknown Windows backdoor. Cybersecurity researchers have named the threat Beagle malware, and it arrives disguised as a legitimate tool aimed squarely at developers.
A Fake Site Built to Fool Developers
The site in question sits at the domain claude-pro[.]com. It mimics the look of Anthropic’s real Claude website, borrowing similar colors and fonts. The pitch is aimed at a specific audience: developers using Claude Code. The site advertises something called “Claude-Pro Relay,” describing it as a high-performance relay service built for Claude Code users.
The illusion is thin once you look closely. Every link on the fake site redirects back to the front page. There is nothing to click except one large download button.
That button delivers a 505MB ZIP archive named Claude-Pro-windows-x64.zip. Inside sits an MSI installer. From that point, the infection begins.
How the Beagle Malware Gets In
The installer is not obviously malicious. It actually installs a working copy of Claude, which helps keep the victim unsuspecting. But while Claude opens on screen, something else runs quietly in the background.
A VBScript dropper places three files into the Windows Startup folder: NOVUpdate.exe, avk.dll, and an encrypted data file called NOVUpdate.exe.dat. The executable is a legitimately signed updater from G DATA, a real security software company. Attackers exploit this by swapping in a malicious version of avk.dll alongside it.
This technique is called DLL sideloading. When the signed G DATA binary runs, it loads the malicious DLL instead of the genuine one. Because a legitimate, trusted executable is doing the loading, security tools are less likely to flag it. The malicious DLL then decrypts and executes the payload hidden inside the .dat file.
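One practical way to hunt for the layout that sideloading depends on is to look for signed executables that sit next to DLLs which are unsigned or signed by someone else. The PowerShell below is an added example, not code from the article or from any of the vendors it names; the function name `Find-SideloadCandidate`, the choice to scan only the per-user and all-users Startup folders, and the "companion .dat file" heuristic are this example's own assumptions.

```powershell
# Added example (not from the article): flag signed executables that share a
# directory with unsigned or differently-signed DLLs, the arrangement that
# DLL sideloading relies on. Scanning only the Startup folders is an assumption
# made here because that is where the article says the dropper writes its files.
function Find-SideloadCandidate {
    param(
        [string[]]$Directory = @(
            [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
            [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
        )
    )
    foreach ($dir in $Directory) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # A bare .exe in a Startup folder is already unusual; normally only shortcuts live there.
        $exes = Get-ChildItem -LiteralPath $dir -Filter *.exe -File -ErrorAction SilentlyContinue
        foreach ($exe in $exes) {
            $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
            if ($exeSig.Status -ne 'Valid') { continue }   # only trusted, signed loaders matter for this check
            $exeSigner = $exeSig.SignerCertificate.Subject
            $dlls = Get-ChildItem -LiteralPath $exe.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue
            foreach ($dll in $dlls) {
                $dllSig    = Get-AuthenticodeSignature -FilePath $dll.FullName
                $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '<none>' }
                # A valid DLL signature from the same publisher as the EXE is the expected case;
                # anything else (unsigned, tampered, or a different signer) is worth a look.
                if ($dllSig.Status -ne 'Valid' -or $dllSigner -ne $exeSigner) {
                    # Heuristic assumption: an encrypted payload named "<exe>.dat" beside the loader.
                    $datPath = Join-Path $exe.DirectoryName ($exe.Name + '.dat')
                    [pscustomobject]@{
                        Executable   = $exe.FullName
                        ExeSigner    = $exeSigner
                        Dll          = $dll.FullName
                        DllStatus    = $dllSig.Status
                        DllSigner    = $dllSigner
                        HasDatFile   = Test-Path -LiteralPath $datPath
                    }
                }
            }
        }
    }
}

Find-SideloadCandidate | Format-List
```

The signer comparison is deliberately strict: a DLL carrying a valid signature from a publisher other than the executable's is reported too, because a sideloaded DLL can itself be signed by an unrelated certificate. Widen `-Directory` to other user-writable locations if you want broader coverage, and expect some benign hits from installers that ship third-party DLLs.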
That payload is DonutLoader, an open-source in-memory code injector. DonutLoader fetches the final piece: the Beagle malware backdoor, loaded directly into system memory to avoid leaving files on disk that antivirus software might catch.
What Beagle Malware Does
Beagle malware is a backdoor, meaning it gives the attacker a persistent connection into the infected machine. Researchers describe it as relatively simple in terms of its command set, but functional. It does not need to be complex to be dangerous.
Once active, Beagle communicates with a command-and-control server at license[.]claude-pro[.]com. It uses TCP over port 443 and UDP over port 8080, both of which are common ports that firewalls regularly leave open. A hardcoded AES encryption key protects the communication, making traffic harder to inspect; the flip side for defenders is that a key baked into the binary can be recovered from any one sample and then used to decrypt the traffic of every other sample that shares it. The server itself sits on Alibaba Cloud infrastructure.
Researchers found additional Beagle malware samples submitted to the malware analysis platform VirusTotal between February and April 2026. These samples used the same decryption key but arrived through entirely different attack chains. Some impersonated update tools from well-known security vendors including CrowdStrike, SentinelOne, and Trellix. Others used a malicious PDF as bait, or hijacked Microsoft Defender binaries as the delivery vehicle.
This is not a one-off campaign built around a single lure. The operators are actively testing and rotating their methods.
The Bigger Pattern Behind This Attack
The DLL sideloading approach here is not new. The specific combination of a signed G DATA executable, a malicious avk.dll, and an encrypted payload file was documented earlier in 2026 in connection with PlugX, a remote access tool historically tied to espionage groups with links to Chinese state interests. Whether the same actors are behind this campaign is not confirmed. PlugX source code has circulated in underground forums, so the pool of groups capable of using these techniques is wider than it once was.
What is clear is that the operators chose Claude as their lure deliberately. Claude has grown to nearly 290 million web visits per month. Developers in particular are actively searching for Claude Code tools and extensions. That search behavior creates a ready supply of potential victims who have no obvious reason to distrust a site that looks right and offers something plausible.
The VBScript also self-destructs after dropping its files, removing evidence of the initial infection and leaving only the sideloaded components behind.
How to Tell If You Are Affected
A few signs indicate a compromised system. Look for NOVUpdate.exe, avk.dll, or NOVUpdate.exe.dat in the Windows Startup folder; check both the per-user Startup folder and the all-users one. Check for the directory path C:\Program Files (x86)\Anthropic\Claude\Cluade\ — the misspelling of Claude as “Cluade” is a deliberate design choice by the attackers to mirror a legitimate path while staying distinct. Also check firewall or proxy logs for outbound connections to the IP address 8.217.190.58.
If any of these are present, disconnect from the internet and run a full antivirus scan immediately.
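The checks above can be scripted so they run the same way on every workstation. The PowerShell below is an added example, not code from the article; it checks the Startup folders and the misspelled directory for the indicators the article lists, looks for live TCP sessions to the named IP, and then scans log text for the C2 host and IP. The function names, the key=value log format, and the sample log lines are all constructed for this example and are not real logs from the campaign.

```powershell
# Added example (not from the article): sweep one Windows host for the Beagle
# indicators the article names, then scan proxy/firewall log lines for the C2
# host and IP. Indicator values come from the article (written there defanged).

$StartupNames = @('NOVUpdate.exe', 'avk.dll', 'NOVUpdate.exe.dat')
$SuspectDir   = 'C:\Program Files (x86)\Anthropic\Claude\Cluade'
$C2Hosts      = @('license.claude-pro.com', 'claude-pro.com')
$C2Ip         = '8.217.190.58'

function Test-BeagleHostIndicator {
    $hits = @()
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # per-user
        [Environment]::GetFolderPath('CommonStartup')   # all users
    )
    foreach ($dir in $startupDirs) {
        foreach ($name in $StartupNames) {
            $p = Join-Path $dir $name
            if (Test-Path -LiteralPath $p) { $hits += [pscustomobject]@{ Type = 'StartupFile'; Value = $p } }
        }
    }
    if (Test-Path -LiteralPath $SuspectDir) {
        $hits += [pscustomobject]@{ Type = 'Directory'; Value = $SuspectDir }
    }
    # Live TCP sessions to the C2 IP on any port. UDP has no session table to query,
    # so the port-8080 UDP channel only shows up in network logs, not here.
    Get-NetTCPConnection -RemoteAddress $C2Ip -ErrorAction SilentlyContinue | ForEach-Object {
        $hits += [pscustomobject]@{
            Type  = 'LiveTcp'
            Value = "$($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess)"
        }
    }
    return $hits
}

function Find-BeagleLogIndicator {
    param([string[]]$LogLine)
    # Anchor the IP so 8.217.190.58 does not match inside a longer address such as 18.217.190.58.
    $ipPattern   = '(?<![\d.])' + [regex]::Escape($C2Ip) + '(?![\d.])'
    $hostPattern = '(^|[^a-z0-9-])(' + (($C2Hosts | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'
    foreach ($line in $LogLine) {
        if ($line -match $ipPattern -or $line -match $hostPattern) {
            [pscustomobject]@{ Line = $line }
        }
    }
}

# Constructed sample lines (not real logs) so the log check can be run offline.
$sampleLog = @(
    '2026-04-02T10:14:03Z src=10.0.5.21 dst=8.217.190.58 dport=443 proto=tcp action=allow',
    '2026-04-02T10:14:05Z src=10.0.5.21 dst=142.250.72.14 dport=443 proto=tcp action=allow',
    '2026-04-02T10:14:09Z src=10.0.5.21 dst=8.217.190.58 dport=8080 proto=udp action=allow',
    '2026-04-02T10:15:00Z src=10.0.5.21 host=license.claude-pro.com dport=443 proto=tcp action=allow'
)

Test-BeagleHostIndicator  | Format-Table -AutoSize
Find-BeagleLogIndicator -LogLine $sampleLog | Format-Table -AutoSize
```

Run against the constructed sample, the log check reports the first, third and fourth lines and leaves the second alone. A clean host sweep does not prove a machine is unaffected: the article notes that other Beagle samples arrived through entirely different lures and filenames, so treat these indicators as evidence of this particular chain rather than of the malware family as a whole.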
Final Thoughts
Beagle malware is a new name, but the playbook behind it is familiar. Attackers pick a popular tool, build a convincing fake download page, and wait. The sophistication here lies not in the malware itself but in the delivery: a working app, a signed binary, memory-only execution, and self-deleting scripts. Together, these layers make detection genuinely difficult for everyday users.
The only reliable defense is downloading software exclusively from official sources. For Claude, that means claude.ai or claude.com. No relay tool, no “pro” version, and no third-party installer should be trusted, regardless of how convincing the site looks.