An alarming new digital threat has emerged, preying on the trust users place in artificial intelligence tools. Picture a scenario where you’re excited to try out Anthropic’s Claude, a cutting-edge AI, but instead of landing on the official website, you stumble upon a sophisticated impostor. This isn’t a simple mistake; it’s a meticulously crafted trap designed to trick you into downloading something far more sinister than an AI assistant. The fake website, claude-pro[.]com, looks deceptively real, albeit a bit stripped down, and promises an exclusive tool called “Claude-Pro Relay.” Unbeknownst to the user, this seemingly beneficial software is a Trojan horse hiding a newly discovered backdoor known as “Beagle.”
The malicious journey begins when an unsuspecting user downloads what they believe to be the “Claude-Pro Relay” – a rather hefty ZIP archive, weighing in at around 505 MB. Once downloaded and opened, this archive doesn’t install a new AI tool; it initiates a complex and stealthy infection process. It leverages a technique called DLL sideloading, abusing a legitimate, signed software component to load its harmful payload. In this case, the attackers are abusing a signed antivirus updater binary from G DATA, a well-known security company. The malware is essentially piggybacking on a trusted program, making it much harder for traditional security measures to detect. The Sophos X-Ops team, who uncovered this scheme, noted that this attack infrastructure has been brewing since at least March 2026, indicating a long-term, carefully planned operation rather than a spur-of-the-moment attack.
The downloaded ZIP archive contains an MSI installer, a standard Windows installation package. This installer isn’t delivering AI magic, however. Instead, it discreetly places three crucial files into your computer’s startup folder: first, the legitimate G DATA antivirus updater, cunningly renamed “NOVupdate.exe”; second, an encrypted data file, a seemingly innocuous blob of information; and finally, the star of the show, a malicious DLL named “avk.dll.” The insidious part of this attack chain is how it weaponizes trust. When the genuine G DATA updater, “NOVupdate.exe,” starts up, it expects to load its own legitimate libraries. Because Windows looks for a DLL in the application’s own directory before it looks in the system directories, the attacker’s “avk.dll” placed beside the executable is loaded in place of the genuine library. This is the essence of DLL sideloading – tricking a trusted application into executing malicious code, all while flying under the radar of security software that trusts the original application.
Once “avk.dll” is loaded, the real mischief begins. This malicious DLL is designed to decrypt the aforementioned encrypted data file. It does this using a reversed XOR key, a simple yet effective encryption method. The result of this decryption is a piece of shellcode, a small program designed to perform a specific task. This shellcode takes the next step in the infection chain, loading DonutLoader. DonutLoader is an open-source, in-memory loader, meaning it can load other malicious code directly into the computer’s memory without writing it to disk, where it might be easily detected. Finally, DonutLoader deploys the ultimate objective of this elaborate scheme: the “Beagle” backdoor. Initially, the researchers at Sophos suspected a variant of PlugX, a well-known and potent backdoor, given the familiar combination of a G DATA-signed binary, an “avk.dll” sideload, and an encrypted data file – all elements that had previously been linked to PlugX in a February 2026 report by Lab52. However, the discovery of the distinct “Beagle” payload led them to conclude that the threat actors might be either repurposing an established infection chain or mimicking the tactics of another, well-known cybercrime group; in other words, attackers adapting or borrowing proven attack methods from others.
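The three-file arrangement in the startup folder described above (a signed vendor binary under a new name, an unsigned DLL beside it, and an opaque data blob) is something a defender can look for directly. The following script is an added example, not Sophos’s tooling or code from the write-up: it scores a directory listing against those three traits. The file records are constructed sample data standing in for what a collection script would gather (Authenticode signer, PE version-info OriginalFilename, PE header presence); the signer string, the blob’s file name, the size threshold and the updater’s original vendor filename are placeholders, because the write-up does not give them.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FileRecord:
    """One file in a Startup folder, as a collection script would report it."""
    name: str
    size: int
    is_pe: bool                  # file begins with the MZ header
    signer: str = ""             # Authenticode signer, "" when unsigned
    original_filename: str = ""  # PE version-info OriginalFilename, "" when absent


# Extensions that are normal in a Startup folder and are not payload blobs
BENIGN_EXTS = (".lnk", ".ini", ".txt", ".url")
MIN_BLOB_SIZE = 4096  # constructed threshold: ignore tiny marker/config files


def assess_directory(records: List[FileRecord]) -> Dict[str, object]:
    """Score one directory listing against the three sideload-triad traits."""
    findings: List[str] = []
    signed_exes = [r for r in records
                   if r.is_pe and r.name.lower().endswith(".exe") and r.signer]

    # Trait 1: a signed executable whose on-disk name differs from its
    # version-info OriginalFilename (the "renamed updater" pattern)
    renamed = False
    for r in signed_exes:
        if r.original_filename and r.original_filename.lower() != r.name.lower():
            renamed = True
            findings.append(f"renamed signed executable: {r.name} (signer '{r.signer}', "
                            f"OriginalFilename '{r.original_filename}')")

    # Trait 2: an unsigned DLL next to a signed executable; the application
    # directory is searched first, so that DLL wins over the genuine library
    unsigned_dlls = [r for r in records
                     if r.is_pe and r.name.lower().endswith(".dll") and not r.signer]
    sideload = bool(signed_exes and unsigned_dlls)
    if sideload:
        exe_names = ", ".join(e.name for e in signed_exes)
        for d in unsigned_dlls:
            findings.append(f"unsigned DLL {d.name} beside signed executable(s) {exe_names}")

    # Trait 3: a sizeable non-PE file with no ordinary Startup-folder extension
    blobs = [r for r in records
             if not r.is_pe and r.size >= MIN_BLOB_SIZE
             and not r.name.lower().endswith(BENIGN_EXTS)]
    for b in blobs:
        findings.append(f"opaque data file {b.name} ({b.size} bytes), possible encrypted payload")

    traits = sum([renamed, sideload, bool(blobs)])
    severity = {0: "none", 1: "low", 2: "medium", 3: "high"}[traits]
    return {"severity": severity, "traits": traits, "findings": findings}


# Constructed sample listings (not real telemetry). The updater's original
# vendor filename and the blob's name are placeholders, not values from the write-up.
SUSPICIOUS_STARTUP = [
    FileRecord("NOVupdate.exe", 1_500_000, True,
               signer="G DATA (constructed signer string)",
               original_filename="ORIGINAL-UPDATER-NAME.exe"),
    FileRecord("avk.dll", 320_000, True),         # unsigned DLL, the sideload candidate
    FileRecord("payload.dat", 2_100_000, False),  # placeholder name for the encrypted blob
    FileRecord("desktop.ini", 282, False),
]

CLEAN_STARTUP = [
    FileRecord("OneDrive.lnk", 2_210, False),
    FileRecord("desktop.ini", 282, False),
]

if __name__ == "__main__":
    for label, listing in (("suspicious", SUSPICIOUS_STARTUP), ("clean", CLEAN_STARTUP)):
        result = assess_directory(listing)
        print(f"{label}: severity={result['severity']}")
        for f in result["findings"]:
            print("  -", f)
```

On a live system the records would come from the per-user and all-users Startup folders; the three traits are scored independently so that a signed updater that has merely been renamed, without a companion DLL, only reaches “low” rather than drowning analysts in alerts.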
So, what exactly can “Beagle” do once it’s on your computer? This backdoor, while not the most complex, is certainly effective enough to cause significant damage. It supports eight core commands, giving the attackers a degree of control over the compromised system. These commands include the ability to execute arbitrary shell commands, meaning they can run almost any command-line instruction on your computer. They can also transfer files, allowing them to steal your sensitive data or upload additional malware. Directory listing capabilities let them snoop around your file system, identifying valuable targets. And, chillingly, “Beagle” also includes a self-removal command, enabling the attackers to erase their tracks once they’ve achieved their objectives, making attribution and recovery even harder. To communicate with its operators, “Beagle” connects to a command-and-control (C2) server at license[.]claude-pro[.]com, using either TCP port 443 or UDP port 8080, and encrypts all its traffic with a hardcoded AES key to avoid detection. This encrypted channel complicates efforts to monitor or block the backdoor’s activities, although a hardcoded key also means that an analyst who extracts it from the sample can decrypt captured traffic.
The Sophos team’s investigation didn’t stop there. They scoured VirusTotal, a platform for analyzing suspicious files, and found more samples that shared the same unique XOR key used by “Beagle,” dating back to February 2026. This indicates that this specific group or method has been active for some time. Interestingly, a variant in March showed a shift in tactics, swapping out the “Beagle” backdoor for shellcode linked to AdaptixC2. AdaptixC2 is an open-source red-teaming framework that Sophos has previously observed being leveraged in ransomware attacks, suggesting a potential escalation in the threat actors’ capabilities or intentions. Furthermore, other related samples used deceptive domains disguised as updates for other popular security software such as Trellix, CrowdStrike, and SentinelOne. This tactic of mimicking various trusted entities underscores the attackers’ broad approach to ensnaring victims.

The campaign’s operational strategy also caught the researchers’ attention. They observed that the malware was distributed through Cloudflare, a widely used content delivery network that can mask the true origin of threats, while the C2 infrastructure was hosted on Alibaba Cloud. This deliberate separation of distribution and C2 hosting, the researchers noted, isn’t a random choice. It’s a strategic move to complicate takedown efforts by security researchers and law enforcement. This approach suggests a focus on operational continuity, indicating that this isn’t a fleeting, “one-and-done” campaign, but rather a persistent and evolving threat orchestrated by a resilient and cunning adversary.
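The C2 details in the two paragraphs above (the claude-pro[.]com domain, TCP 443 or UDP 8080, and look-alike domains dressed up as Trellix, CrowdStrike and SentinelOne update servers) translate directly into network detection logic. The script below is an added example and not part of the Sophos write-up: it scans constructed connection-log lines for the campaign’s domain, for the unusual UDP/8080 egress, and for hostnames that carry a security-vendor brand name without belonging to that vendor. The log line format, the sample lines, and the allowlist of the vendors’ genuine domains are assumptions made for this example, not indicators from the write-up.

```python
import re
from typing import Dict, List

# Indicator from the write-up, with the defanging brackets removed for matching.
# license.claude-pro.com is a subdomain of this, so suffix matching covers it.
C2_DOMAINS = {"claude-pro.com"}

# Brand names the campaign impersonated, mapped to the vendors' genuine domains.
# This allowlist is an assumption added for the example, not from the write-up.
BRAND_ALLOWLIST = {
    "claude": {"claude.ai", "anthropic.com"},
    "trellix": {"trellix.com"},
    "crowdstrike": {"crowdstrike.com"},
    "sentinelone": {"sentinelone.com"},
}

# Constructed log line format: "<timestamp> <proto> <src ip> -> <dst host>:<dst port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>\S+) -> (?P<host>\S+):(?P<port>\d+)$")


def domain_matches(host: str, domain: str) -> bool:
    """True when host is domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(host: str, proto: str, port: int) -> List[str]:
    """Return the reasons a single connection deserves an alert (empty if none)."""
    reasons: List[str] = []
    if any(domain_matches(host, d) for d in C2_DOMAINS):
        reasons.append("known C2 domain")
    # TCP/443 is ordinary web traffic, but UDP to 8080 is an odd transport
    # that the backdoor uses as its second channel.
    if proto == "udp" and port == 8080:
        reasons.append("UDP/8080 egress")
    for brand, genuine in BRAND_ALLOWLIST.items():
        if brand in host and not any(domain_matches(host, g) for g in genuine):
            reasons.append(f"look-alike of {brand} outside its genuine domains")
    return reasons


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse connection-log lines and collect the ones that trigger a reason."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        host = m["host"].lower()
        reasons = classify(host, m["proto"], int(m["port"]))
        if reasons:
            alerts.append({"line": line.strip(), "host": host, "reasons": reasons})
    return alerts


# Constructed sample log (not real telemetry); .example is a reserved TLD.
SAMPLE_LOG = """\
2026-03-05T10:00:01Z tcp 10.0.0.15 -> license.claude-pro.com:443
2026-03-05T10:00:07Z udp 10.0.0.15 -> license.claude-pro.com:8080
2026-03-05T10:01:00Z tcp 10.0.0.22 -> claude.ai:443
2026-03-05T10:02:13Z tcp 10.0.0.31 -> update.crowdstrike-agent.example:443
2026-03-05T10:03:40Z tcp 10.0.0.40 -> www.sentinelone.com:443
""".splitlines()

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["host"], "->", "; ".join(alert["reasons"]))
```

The brand-name rule is deliberately broad (any host containing the brand string that is not on the vendor’s own domains), so it belongs in a hunting query or a low-priority alert tier rather than in a blocking rule; the exact-domain and UDP/8080 rules are precise enough to block on.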