Fake Claude AI site delivers Beagle Windows backdoor malware

A 505MB archive named "Claude-Pro-windows-x64.zip" masquerading as an installer for a Claude-Pro Relay product contains an MSI that ultimately installs a previously undocumented Windows backdoor Sophos researchers are calling "Beagle."

The fake claude-pro[.]com site and the delivery trick

Researchers at Sophos and Malwarebytes uncovered a simplistic but effective bait-and-switch hosted at "claude-pro[.]com." The site mimics the legitimate Claude AI branding — using similar colors and fonts — but many links simply redirect to the front page. For visitors who click the prominent download button, the campaign offers a single payload: the 505MB archive "Claude-Pro-windows-x64.zip," which includes an MSI installer claimed to be for a Claude-Pro Relay product.

What the installer does: NOVupdate files and DLL sideloading

Running the trojanized installer drops three files into the Windows Startup folder, where they run at every logon: NOVupdate.exe, NOVupdate.exe.dat, and avk.dll. Sophos says NOVupdate.exe is a legitimately signed updater for G Data security products; the attackers use it only because, when launched, it loads avk.dll from its own directory, so the malicious avk.dll placed beside it is sideloaded along with the encrypted NOVupdate.exe.dat. The DLL decrypts the payload embedded in NOVupdate.exe.dat and executes it in memory. That payload is the in-memory injector DonutLoader, which in turn loads the final backdoor into memory so that it never has to be written to disk in decrypted form, evading disk-based detection.

DonutLoader, Beagle, and the commands observed

Sophos identifies DonutLoader as the campaign's first-stage payload. In this chain Donut deploys a "relatively simple backdoor" that Sophos has dubbed Beagle. The backdoor offers a constrained command set that, according to Sophos' findings, includes:

  • uninstall — uninstalls agent
  • cmd — executes command
  • upload — uploads file
  • download — downloads file
  • mkdir — creates directory
  • rename — renames file
  • ls — lists directory content
  • rm — removes directory

Sophos explicitly notes that the Beagle backdoor is distinct from the Delphi-based Beagle/Bagle worm documented in 2004.

C2 infrastructure, encryption, and related samples

Beagle communicates with command-and-control (C2) infrastructure at "license[.]claude-pro[.]com" over TCP port 443 and/or UDP port 8080. Exchanges are encrypted with a hardcoded AES key, so the traffic carries no plaintext commands for a network sensor to match. Sophos mapped the C2 host to the IP address 8.217.190[.]58; Malwarebytes places that address in a range associated with Alibaba Cloud.

Further samples linked to Beagle were located by Sophos in VirusTotal submissions dated between February and April of this year. Those related samples used the same XOR decryption key but reached victims through different attack chains — including trojanized Microsoft Defender binaries, AdaptixC2 shellcode with a decoy PDF, and fake update sites impersonating security vendors such as CrowdStrike, SentinelOne, and Trellix.

Attribution signals and the PlugX connection

Malwarebytes first discovered the campaign and reported that the "Pro" installer behaved as a functioning Claude copy while deploying a PlugX malware chain in the background to provide remote access. Sophos could not confidently attribute the campaign to a named actor, but the researchers point out that sideloading an AVK DLL and an encrypted file via a G Data-signed executable has in the past been linked to PlugX activity. Sophos suggests the same operators behind PlugX may be experimenting with a new in-memory payload (Beagle) deployed via DonutLoader.

What this means for security teams and end users

Security teams should treat the presence of "NOVupdate" files on endpoints as a strong indicator of compromise and should investigate any such sightings immediately, Sophos advises. Because NOVupdate.exe itself is a legitimately signed G Data binary, the indicator is its presence in a Startup folder alongside avk.dll and NOVupdate.exe.dat, not the signed executable on its own, and its valid signature should not be taken as reassurance. Teams should also scrutinize large installer archives that arrive via search results or unverified download pages, and monitor for in-memory injectors such as DonutLoader and unexpected network connections to "license[.]claude-pro[.]com" or the IP 8.217.190[.]58.
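The endpoint hunt described above, covering both the Startup-folder sideload triad and the C2 indicators, as an added PowerShell example written for this article and not taken from Sophos or Malwarebytes: it checks the Startup folders for NOVupdate.exe, NOVupdate.exe.dat and avk.dll, records each hit's Authenticode status and SHA-256, and looks for live TCP sessions to 8.217.190[.]58 and cached DNS answers for claude-pro.com. The indicator values come from the article; the function names, the output layout and the assumption that per-profile Startup folders sit at the standard AppData\Roaming location are this example's own.

```powershell
# Added hunt script for the Beagle / NOVupdate sideload chain. Not Sophos' or Malwarebytes'
# tooling; indicator values are from the article, function names are this example's own.
# Run in an elevated PowerShell 5.1+ session on Windows 8/Server 2012 or later so that every
# profile's Startup folder and every process's TCP table are visible.

$BeagleIocs = @{
    StartupFiles = @('NOVupdate.exe', 'NOVupdate.exe.dat', 'avk.dll')
    C2Ip         = '8.217.190.58'
    C2Domain     = 'claude-pro.com'   # matches license.claude-pro.com and the lure site itself
}

# Startup folders for the current user, all users, and (when elevated) every local profile.
function Get-StartupFolders {
    $dirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    # Assumed standard per-user location; the article names only "the Windows Startup folder".
    $profiles = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        $dirs += Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }
    $dirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique
}

# The sideload triad: a validly signed G Data updater in a Startup folder next to avk.dll and
# NOVupdate.exe.dat. A "Valid" signature on NOVupdate.exe is expected here, not reassuring.
function Find-BeagleStartupArtifacts {
    foreach ($dir in Get-StartupFolders) {
        $hits = Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
                Where-Object { $BeagleIocs.StartupFiles -contains $_.Name }
        foreach ($f in $hits) {
            $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
            [pscustomobject]@{
                Indicator = 'StartupFile'
                Detail    = $f.FullName
                SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                Signature = "$($sig.Status) $($sig.SignerCertificate.Subject)"
                Process   = ''
            }
        }
    }
}

# Live TCP sessions to the C2 address and DNS cache entries for the C2 domain. UDP 8080 has no
# connection table to inspect on the host, so that channel is left to the network sensor.
function Find-BeagleNetworkActivity {
    $tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue |
           Where-Object { $_.RemoteAddress -eq $BeagleIocs.C2Ip }
    foreach ($c in $tcp) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Indicator = 'TcpConnection'
            Detail    = "$($c.RemoteAddress):$($c.RemotePort) state=$($c.State)"
            SHA256    = ''
            Signature = ''
            Process   = "$($c.OwningProcess) $($proc.Path)"
        }
    }
    $dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
           Where-Object { $_.Entry -like "*$($BeagleIocs.C2Domain)*" -or $_.Data -like "*$($BeagleIocs.C2Domain)*" }
    foreach ($d in $dns) {
        [pscustomobject]@{
            Indicator = 'DnsCache'
            Detail    = "$($d.Entry) -> $($d.Data)"
            SHA256    = ''
            Signature = ''
            Process   = ''
        }
    }
}

$findings = @(Find-BeagleStartupArtifacts) + @(Find-BeagleNetworkActivity)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No Beagle indicators found on this host.'
}
```

On a hit, preserve the three files rather than deleting them: the encrypted NOVupdate.exe.dat is the only on-disk copy of the DonutLoader stage and is needed to recover the backdoor, which otherwise exists only in memory. The process path reported for a TCP hit should be the sideloaded NOVupdate.exe or whatever DonutLoader injected into; anything else still deserves a look, since the related samples reached hosts through different chains.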

End users are reminded to download Claude and related tools only from the official portal and to skip or hide sponsored search results that can surface fake sites. On infected hosts the campaign's design — a signed updater used to sideload a DLL that decrypts an in-memory injector which then runs the final backdoor — is explicitly intended to evade signature- and disk-based controls.

The campaign ties together a familiar pattern — fake download page, signed legitimate binary reused for DLL sideloading, in-memory loaders, and a narrow-featured backdoor — while shifting payloads and delivery methods across multiple chains. That combination, along with observed VirusTotal activity between February and April and the reuse of decryption keys, suggests operators are iterating on delivery and persistence techniques even as defenders detect the artifacts. For organizations and users, the appearance of NOVupdate files, unexpected Startup additions, or connections to the listed C2 addresses should trigger immediate inspection.
