Fake Claude AI site spreads Beagle backdoor via DLL sideloading
Updated · HackRead · May 7
Sophos X-Ops said the campaign used claude-pro.com, a fake Claude-Pro Relay download and a signed G DATA file to load malicious avk.dll from victims' startup folders.
The newly identified malware can run commands, transfer files and contact license.claude-pro.com using a hardcoded key once an in-memory Donut loader has executed it.
Researchers traced activity from February to April 2026, with infrastructure split between Cloudflare and Alibaba Cloud and related spoofed domains mimicking CrowdStrike and SentinelOne.
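As an added defender-side example (not code from Sophos X-Ops or HackRead), the following Python scans the Windows Startup folders for the pattern described above: a DLL dropped beside an executable, including the avk.dll name from the report. The Startup folder locations and the host executable name in the constructed sample listing are assumptions.

```python
import os
from pathlib import Path, PureWindowsPath
# DLL name reported as sideloaded in this campaign (from the write-up).
KNOWN_SIDELOADED_DLLS = {"avk.dll"}
# Constructed sample Startup listing; "signed_host.exe" is an assumed
# placeholder for the signed host executable, not a name from the report.
SAMPLE_ENTRIES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\signed_host.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avk.dll",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk",
]

def find_sideload_candidates(entries):
    """Return (path, reason) findings for file paths seen in Startup folders.
    A DLL in Startup is anomalous by itself (shortcuts belong there, libraries
    do not); an executable next to a DLL is a possible sideloading pair."""
    by_dir = {}
    for entry in entries:
        p = PureWindowsPath(entry)  # parse Windows-style paths on any OS
        by_dir.setdefault(str(p.parent).lower(), []).append(p)
    findings = []
    for files in by_dir.values():
        dlls = [f for f in files if f.suffix.lower() == ".dll"]
        exes = [f for f in files if f.suffix.lower() == ".exe"]
        for d in dlls:
            known = d.name.lower() in KNOWN_SIDELOADED_DLLS
            findings.append((str(d), "known sideloaded DLL name" if known
                             else "DLL in Startup folder"))
        if dlls:
            for x in exes:
                findings.append((str(x), "executable co-located with DLL"))
    return findings

def startup_folders():
    """Default per-user and all-users Startup folders (assumed locations)."""
    sub = r"Microsoft\Windows\Start Menu\Programs\Startup"
    return [Path(os.environ.get("APPDATA", "")) / sub,
            Path(os.environ.get("PROGRAMDATA", "")) / sub]

def scan_startup():
    """Scan the live Startup folders; uses the sample listing off Windows."""
    dirs = [d for d in startup_folders() if d.is_dir()]
    if not dirs:
        return find_sideload_candidates(SAMPLE_ENTRIES)
    entries = [str(f) for d in dirs for f in d.iterdir() if f.is_file()]
    return find_sideload_candidates(entries)

if __name__ == "__main__":
    for path, reason in scan_startup():
        print(f"{reason}: {path}")
```

Any DLL in a Startup folder warrants a look, since legitimate entries there are shortcuts or scripts; the executable it sits beside is the likely sideload host.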
Fake Claude AI Site Infects AI Developers with Beagle Backdoor: Over 3 Months of Sophisticated Malvertising and DLL Sideloading Attacks Uncovered
Overview
A newly uncovered cyber campaign is actively targeting AI enthusiasts, especially developers and technical users, by using a fake Claude AI website called claude-pro[.]com. This deceptive site lures individuals seeking AI tools and tricks them into downloading the Beagle backdoor, a new Windows malware. The campaign, which has been running since at least February 2026 and was discovered in May 2026, uses social engineering by closely mimicking the real Claude AI platform. The Beagle backdoor poses a serious and growing risk to the AI community, highlighting the urgent need for increased vigilance and security awareness.