Fake Claude Site Installs PlugX Malware

Claude racks up 290 million monthly visits, prime bait for scammers. One fake site slips in PlugX malware through a clever DLL sideloading trick that antivirus might miss.

Fake Claude Site Drops PlugX via Signed Antivirus Sideloading — The AI Catchup

Key Takeaways

  • Fake Claude site uses signed G Data binary for DLL sideloading to deploy PlugX RAT undetected.
  • Execution chain: VBS dropper self-deletes, phones home in 22 seconds via Alibaba IP.
  • AI desktop apps like Claude invite installer-based attacks; expect more as traffic surges.

290 million web visits a month. That’s Claude’s traffic—Anthropic’s AI darling, pulling in users faster than ChatGPT did at launch.

But here’s the hook: scammers smell blood. They built a near-perfect clone of Claude’s site, dangling a ‘Pro’ version download. Click it, and you’re not just getting AI—you’re handing over remote access to your machine via PlugX, a RAT that’s haunted espionage ops since 2008.

Look, this isn’t some sloppy phishing page. It’s surgical. The domain apes the real deal, complete with bulk email setup via Kingmailer and CampaignLark—MX records flipping providers like pros dodging blocks.

How Does the Fake Claude Installer Fool You?

You grab Claude-Pro-windows-x64.zip. Unzip, run the MSI. It plants itself in C:\Program Files (x86)\Anthropic\Claude\Cluade\—spot the ‘Cluade’ misspelling? Dead giveaway, if you’re paying attention.

Desktop gets Claude AI.lnk, pointing to a VBScript dropper in SquirrelTemp. Real Claude uses Squirrel for updates; attackers lean into that Electron authenticity. Click, and claude.exe fires up fine—your queries hum along.

Meanwhile? Chaos.

The installer places a shortcut, Claude AI.lnk, on the Desktop pointing to Claude.vbs inside the SquirrelTemp directory. When the victim clicks the shortcut, it launches a VBScript dropper, which locates claude.exe two directories up… and runs the real application in the foreground.

That’s straight from the analysis—victims see zero red flags. Claude works. Life’s good.

But the script’s busy. It crafts a new Claude.lnk straight to the exe, kills its own trail, and—key move—copies three files to Startup: NOVUpdate.exe (signed G Data updater), avk.dll (malicious twin), and NOVUpdate.exe.dat (encrypted payload).

Then it launches NOVUpdate.exe hidden. Boom—DLL sideloading, MITRE T1574.002. The signed binary loads the bad DLL from its own folder. Endpoint tools yawn; it’s legit-looking G Data.

This triad? Classic PlugX signature, per Lab52’s breakdown. avk.dll cracks the .dat, unfurls the RAT. Remote access granted.

Sandbox says it all: 22 seconds to first C2 ping at 8.217.190.58:443—Alibaba Cloud, sure, but threat actors’ playground. Multiple callbacks. It even touches the Tcpip registry keys to adjust network settings.

And cleanup? The VBScript spits out a ~del.vbs.bat that self-nukes after 2 seconds. On Error Resume Next swallows hiccups—no popups. Only the Startup persistence files linger.
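The chain above leaves a handful of host artifacts a defender can hunt for directly: the misspelled install directory, the VBScript dropper under SquirrelTemp, the three-file Startup triad (a signed updater sitting beside an unsigned DLL and a .dat blob), a running NOVUpdate.exe, and a TCP session to the sandbox-observed C2. The following triage script is an added example, not code from the post or from the Malwarebytes/Lab52 analyses. It assumes the reported paths and the single C2 address 8.217.190.58:443, standard Windows Startup/Desktop folder locations, and Windows PowerShell 5.1 or later; the post does not name the Tcpip registry value that is modified, so that check is left out.

```powershell
# Added host-triage example (not from the original post). Looks for the artifacts
# of the fake-Claude PlugX chain and returns one finding object per hit.
# Assumptions: paths and C2 as reported in the post; SquirrelTemp lives either
# under %LOCALAPPDATA% or inside the rogue Anthropic directory.

$Indicators = @{
    RogueDir  = 'C:\Program Files (x86)\Anthropic\Claude\Cluade'   # note the 'Cluade' misspelling
    VbsRoots  = @("$env:LOCALAPPDATA\SquirrelTemp", 'C:\Program Files (x86)\Anthropic')
    Triad     = @('NOVUpdate.exe', 'avk.dll', 'NOVUpdate.exe.dat')  # sideloading trio in Startup
    C2Address = '8.217.190.58'                                       # first C2 seen in the sandbox
}

function Find-FakeClaudeArtifacts {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }

    # 1. The misspelled install directory the MSI creates
    if (Test-Path -LiteralPath $Indicators.RogueDir) {
        Add-Finding 'RoguePath' $Indicators.RogueDir
    }

    # 2. The VBScript dropper the Desktop shortcut points at
    foreach ($root in $Indicators.VbsRoots) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -LiteralPath $root -Recurse -Filter 'Claude.vbs' -ErrorAction SilentlyContinue |
                ForEach-Object { Add-Finding 'Dropper' $_.FullName }
        }
    }

    # 3. The Startup triad, plus a signature check: a signed host binary next to an
    #    unsigned DLL of the same vendor name is the sideloading tell
    $startup = [Environment]::GetFolderPath('Startup')
    $present = @($Indicators.Triad | Where-Object { Test-Path -LiteralPath (Join-Path $startup $_) })
    if ($present.Count -eq $Indicators.Triad.Count) {
        Add-Finding 'StartupTriad' ($present -join ', ')
    }
    foreach ($name in $present) {
        $sig = Get-AuthenticodeSignature -LiteralPath (Join-Path $startup $name)
        Add-Finding 'Signature' ('{0}: {1} ({2})' -f $name, $sig.Status, $sig.SignerCertificate.Subject)
    }

    # 4. The sideloading host still running, and from where
    Get-Process -Name 'NOVUpdate' -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'Process' ('PID {0} from {1}' -f $_.Id, $_.Path)
    }

    # 5. A live session to the reported C2 (any port; the post saw 443)
    Get-NetTCPConnection -RemoteAddress $Indicators.C2Address -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'C2Connection' ('{0}:{1} {2} PID {3}' -f $_.RemoteAddress, $_.RemotePort, $_.State, $_.OwningProcess)
    }

    return $findings
}

# Usage: run in a PowerShell session on the suspect host
$hits = Find-FakeClaudeArtifacts
if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'No fake-Claude artifacts found.' }
```

The signature check is the part worth keeping even after the operators rotate filenames: a Startup folder that contains a validly signed vendor executable beside an unsigned DLL it will load by name is the generic DLL sideloading pattern, whatever the vendor.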

Why Claude? AI Hype Meets Easy Marks

Claude’s exploding—290 million visits isn’t hype; it’s a stat screaming ‘target rich.’ Users crave premium features, ignore warnings. Pro version? Irresistible bait.

Attackers aren’t newbies. PlugX dates to 2008 Chinese APTs—think Lotus Blossom, espionage heavy-hitters. Now? Repurposed for commodity crime, riding the AI wave. My take: this foreshadows an architectural shift. As AI tools desktop-ify (Claude’s Electron app pushes that), installers become trojan horses. Expect DLL sideloading kits on dark markets tailored for VS Code extensions, Midjourney launchers—whatever’s hot.

Anthropic’s PR would spin ‘user education.’ Please. Their growth invites this; real fix is ecosystem-wide installer signing mandates, like Apple’s gates. But Windows? Wild West.

Can Antivirus Catch This PlugX Chain?

Short answer: dicey. Signed host blinds static scans. Behavioral heuristics might flag Startup drops, C2 beacons—but VBS stealth and quick execution dodge many.

Registry pokes at Tcpip? Suspicious, but not unique. Sandbox telemetry nails it post-facto; real-time? Hit or miss.

Historical parallel: PlugX evaded AV for years in tailored ops. Now commoditized, it’ll mutate—maybe mimic more updaters, layer crypters.

Users? Check hashes, paths (Cluade? Run). Tools like VirusTotal for zips. But prevention’s better: bookmarks, official links only.

This campaign’s active—MX records fresh as April 2026. Operators rotate; it’ll spread.

One-paragraph warning: if you’re on Windows, nuke any rogue Claude in weird paths. Task Manager: kill NOVUpdate.exe. Empty Startup. Full scan.
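The containment steps above (stop NOVUpdate.exe, clear Startup, remove the rogue install) and the hash-checking advice earlier, as an added example that is not part of the original post. Rather than deleting the Startup files outright it hashes them and moves them into a quarantine folder so they can be looked up later (for instance on VirusTotal) and handed to whoever does the deeper analysis. The quarantine location and the Desktop location of Claude.lnk are assumptions; the script uses -WhatIf support so you can preview every action first, and should be run from an elevated PowerShell.

```powershell
# Added containment example (not from the original post). Stops the sideloading
# host, quarantines the Startup triad and the shortcuts with SHA-256 hashes
# recorded, then removes the misspelled install directory.
# Assumptions: default Startup/Desktop folders; $QuarantineDir is yours to choose.

function Invoke-FakeClaudeContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$QuarantineDir = "$env:SystemDrive\Quarantine\FakeClaude")

    $startup  = [Environment]::GetFolderPath('Startup')
    $desktop  = [Environment]::GetFolderPath('Desktop')
    $rogueDir = 'C:\Program Files (x86)\Anthropic\Claude\Cluade'
    $suspects = @(
        (Join-Path $startup 'NOVUpdate.exe'),      # signed G Data updater used as the host
        (Join-Path $startup 'avk.dll'),            # malicious DLL it sideloads
        (Join-Path $startup 'NOVUpdate.exe.dat'),  # encrypted PlugX payload
        (Join-Path $desktop 'Claude AI.lnk'),      # shortcut to the VBScript dropper
        (Join-Path $desktop 'Claude.lnk')          # replacement shortcut (assumed Desktop location)
    )

    # 1. Stop the host process so the DLL cannot re-stage the payload while we work
    Get-Process -Name 'NOVUpdate' -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("PID $($_.Id) ($($_.Path))", 'Stop-Process')) {
            Stop-Process -Id $_.Id -Force
        }
    }

    # 2. Hash each artifact, then move it out of the autorun path instead of deleting it
    $null = New-Item -ItemType Directory -Path $QuarantineDir -Force
    $records = foreach ($path in $suspects) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($PSCmdlet.ShouldProcess($path, "Move to $QuarantineDir")) {
            Move-Item -LiteralPath $path -Destination $QuarantineDir -Force
        }
        [pscustomobject]@{ Path = $path; SHA256 = $hash }
    }
    if ($records) {
        $records | Export-Csv -LiteralPath (Join-Path $QuarantineDir 'hashes.csv') -NoTypeInformation
    }

    # 3. Remove the rogue install directory (image the host first if you need evidence)
    if ((Test-Path -LiteralPath $rogueDir) -and $PSCmdlet.ShouldProcess($rogueDir, 'Remove-Item -Recurse')) {
        Remove-Item -LiteralPath $rogueDir -Recurse -Force
    }

    return $records
}

# Usage: preview first, then run for real
Invoke-FakeClaudeContainment -WhatIf
Invoke-FakeClaudeContainment | Format-Table -AutoSize
```

Follow this with the full AV scan the warning calls for; quarantining the triad removes the persistence, but it does not tell you what PlugX did during the session that already phoned home.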

Bold prediction—this PlugX variant evolves into AI-infostealer, slurping prompts, API keys. Why? Victims are devs, pros with cloud creds. Anthropic, wake up: your desktop app’s a liability till hardened.



Frequently Asked Questions

What does the fake Claude site do exactly?

It serves a ZIP with a working Claude clone that secretly installs PlugX RAT via DLL sideloading, granting attackers remote control.

How to remove PlugX from fake Claude install?

Kill NOVUpdate.exe in Task Manager, delete Startup files (NOVUpdate.exe, avk.dll, .dat), scan with updated AV, check C:\Program Files (x86)\Anthropic\Claude\Cluade.

Is PlugX only targeting Claude users?

No—it’s versatile, but Claude’s 290M visits make it ideal now; watch for fakes on other AI tools.

Written by Sarah Chen

AI research editor covering LLMs, benchmarks, and the race between frontier labs. Previously at MIT CSAIL.



Originally reported by Malwarebytes Labs
