In the digital age, the allure of new technologies can frequently attract malicious entities looking to exploit unsuspecting users. This article discusses a concerning trend of counterfeit software downloads that impersonate legitimate applications, specifically targeting users seeking the Claude AI client.
- A spoofed site (claude-pro[.]com) delivers malicious installers that sideload DonutLoader and the Beagle backdoor.
- The operation mimics legitimate Claude software and relies on DLL sideloading; Sophos suspects, without a firm attribution, that the operators behind PlugX are involved.
- Researchers caution against malicious ads and SEO poisoning, advising users to verify links before downloading.
If you’re planning to download the Claude client for Windows, proceed with caution, as there are counterfeit and harmful versions that aim to take advantage of the growing interest in AI models.
Security researchers from Sophos have identified a bogus site that closely resembles the official Claude AI website, accessible at “claude-pro[.]com”. However, upon investigation, the researchers quickly revealed it to be fraudulent, as all site links and buttons, with the exception of the download button, merely redirected users back to the homepage.
Users who failed to recognize the deception and clicked the download button would end up with a trojanized version of the Claude client. This version behaves like the genuine application but also silently installs a malicious updater together with a DLL file. In a classic DLL sideloading maneuver, the updater loads that malicious DLL, which in turn deploys a loader known as DonutLoader.
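As an added defensive check (not code from the article or from Sophos), the following Python script triages the layout this campaign relies on: a DLL sitting beside an executable with no embedded Authenticode signature. File names and the header-only sample PE images are constructed for the demo; a real install folder can be passed to `sideload_candidates` instead.

```python
import os
import struct
import tempfile

def security_dir_size(data: bytes) -> int:
    """Size of the PE Certificate Table (data directory 4); 0 means no embedded signature."""
    if data[:2] != b"MZ":
        return 0
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return 0
    opt = e_lfanew + 24                              # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)     # data directories: PE32 vs PE32+
    _rva, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    return size

def sideload_candidates(install_dir: str):
    """Return DLLs that share a folder with an EXE but carry no embedded Authenticode blob."""
    findings = []
    for root, _dirs, files in os.walk(install_dir):
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower().endswith(".dll")]
        if exes and dlls:
            for dll in sorted(dlls):
                with open(os.path.join(root, dll), "rb") as f:
                    if security_dir_size(f.read(4096)) == 0:   # headers only
                        findings.append(dll)
    return findings

def build_minimal_pe(signed: bool) -> bytes:
    """Constructed header-only PE32 image for offline testing, not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x1000, 0x800)   # cert table present
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def demo() -> list:
    """Constructed install folder: signed EXE, one signed DLL, one unsigned DLL."""
    d = tempfile.mkdtemp()
    for name, signed in (("claude.exe", True), ("helper.dll", False), ("vendor.dll", True)):
        with open(os.path.join(d, name), "wb") as f:
            f.write(build_minimal_pe(signed))
    return sideload_candidates(d)   # returns ['helper.dll']
```

A zero-size certificate table only means there is no embedded signature, so catalog-signed Windows components will also be listed; treat hits as triage candidates and confirm with `Get-AuthenticodeSignature` rather than as verdicts.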
Dropping Beagle
Once deployed, DonutLoader downloads a relatively straightforward backdoor known as Beagle, which can execute commands, transfer files, create directories, and uninstall agents, among other functions.
Although Sophos could not directly link this campaign to a specific threat actor, it is suspected that it may be connected to the same individuals behind PlugX.
PlugX is a remote access trojan (RAT) frequently employed by state-sponsored Chinese groups to conduct surveillance, steal data, and maintain a foothold in compromised systems. This malware is known for its adaptability and modularity, enabling attackers to run commands, capture screenshots, log keystrokes, and navigate through networks. With over a decade of activity, PlugX is one of the longest-standing RATs in the cyber ecosystem.
The attackers likely relied on malicious advertisements and SEO poisoning to steer victims to the site. It is therefore crucial to verify links in search results before visiting a site or downloading anything from it.