PROBABLYPWNED
Malware | April 22, 2026 | 3 min read

Fake Claude AI Installer Delivers PlugX RAT via DLL Sideloading

Attackers are distributing PlugX malware through phishing campaigns impersonating Anthropic's Claude AI. The fake installer abuses a legitimate G DATA binary for DLL sideloading.

James Rivera

A phishing campaign is targeting Windows users with fake Claude AI installers that deploy the PlugX remote access trojan. The attackers set up convincing replica websites mimicking Anthropic's official domain and are actively distributing malware through email campaigns.

Security researchers at Malwarebytes discovered the campaign, which offers a fake "Claude Pro" desktop application for Windows. The download file, Claude-Pro-windows-x64.zip, contains an MSI installer that deploys PlugX using DLL sideloading—a technique that abuses legitimate signed executables to load malicious code.

Attack Chain

The infection begins with phishing emails directing victims to a counterfeit website that closely resembles Anthropic's official Claude interface. The site promotes a desktop application that doesn't actually exist—Claude is a web-based service with no official Windows installer.

When a victim runs the MSI installer, it creates a directory at C:\Program Files (x86)\Anthropic\Claude\Cluade\—the deliberate misspelling "Cluade" provides a subtle indicator of compromise for defenders. The installer drops a desktop shortcut named "Claude AI.lnk" that executes a VBScript when clicked.

The VBScript copies three files to the Windows Startup folder for persistence:

  • NOVUpdate.exe - A legitimate G DATA antivirus updater, digitally signed
  • avk.dll - The malicious PlugX DLL
  • NOVUpdate.exe.dat - Encrypted PlugX payload

When Windows loads the legitimate NOVUpdate.exe at startup, it inadvertently loads the malicious avk.dll due to DLL search order hijacking. The DLL decrypts the payload and establishes command-and-control communication.

Rapid C2 Communication

According to Hackread's analysis, the malware establishes its first C2 connection within 22 seconds of installation. It communicates with an Alibaba Cloud server at 8.217.190.58:443 and modifies TCP/IP registry settings to maintain persistent access.

The campaign infrastructure shows evidence of professional operation. MX records indicate the attackers are rotating email sending infrastructure, switching from Kingmailer (observed March 28, 2026) to CampaignLark (observed from April 5, 2026).

PlugX Attribution

PlugX has a long history with Chinese state-sponsored espionage groups. The malware family has been tracked since 2008 and is associated with threat actors like APT10, APT41, and Mustang Panda. We've previously covered Mustang Panda's TONESHELL backdoor which uses similar persistence techniques.

That said, PlugX source code has circulated in underground forums for years, meaning the malware is no longer exclusive to nation-state actors. Attribution based solely on malware family is insufficient. The Alibaba Cloud infrastructure and AI-themed lure could indicate various threat actors.

Indicators of Compromise

Defenders should look for:

  • Directory creation at C:\Program Files (x86)\Anthropic\Claude\Cluade\ (note the typo)
  • Files named NOVUpdate.exe, avk.dll, and NOVUpdate.exe.dat in Windows Startup folder
  • Network connections to 8.217.190.58:443
  • Unexpected modifications to TCP/IP registry keys
  • Desktop shortcuts for "Claude AI" applications
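The following Python hunt script is an added example, not code from the article, Malwarebytes or Hackread. It runs the indicators above over a few constructed Sysmon-style event records; the event schema, the per-user Startup path and the `loaded_signed` field are assumptions. Besides the literal indicators it also flags the generic pattern behind this chain: an executable in a user-writable Startup folder loading an unsigned DLL from that same folder.

```python
"""Hunt constructed Sysmon-style events for the PlugX sideloading chain."""
import ntpath

# Indicators quoted from the article; everything below them is assumed.
IOC_DIR = r"c:\program files (x86)\anthropic\claude\cluade"
IOC_FILES = {"novupdate.exe", "avk.dll", "novupdate.exe.dat"}
IOC_C2 = ("8.217.190.58", 443)
STARTUP_FRAGMENT = r"\start menu\programs\startup"

# Assumed per-user Startup folder used by the sample records.
STARTUP = r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "type": "FileCreate", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Program Files (x86)\Anthropic\Claude\Cluade\Claude AI.lnk"},
    {"id": 2, "type": "FileCreate", "image": r"C:\Windows\System32\wscript.exe",
     "target": STARTUP + r"\avk.dll"},
    {"id": 3, "type": "ImageLoad", "image": STARTUP + r"\NOVUpdate.exe",
     "loaded": STARTUP + r"\avk.dll", "loaded_signed": False},
    {"id": 4, "type": "NetworkConnect", "image": STARTUP + r"\NOVUpdate.exe",
     "dst_ip": "8.217.190.58", "dst_port": 443},
    {"id": 5, "type": "ImageLoad", "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\shell32.dll", "loaded_signed": True},
]


def _in_startup(path):
    return STARTUP_FRAGMENT in path.lower()


def _name(path):
    return ntpath.basename(path).lower()


def hunt(events):
    """Return (event id, rule name) pairs for every rule an event matches."""
    hits = []
    for ev in events:
        if ev["type"] == "FileCreate":
            target = ev["target"]
            if target.lower().startswith(IOC_DIR):
                hits.append((ev["id"], "ioc_cluade_dir"))
            if _in_startup(target) and _name(target) in IOC_FILES:
                hits.append((ev["id"], "ioc_startup_file"))
        elif ev["type"] == "ImageLoad":
            # Generic sideloading pattern: exe in Startup loads an unsigned
            # DLL that sits in the same (user-writable) directory.
            same_dir = ntpath.dirname(ev["image"]).lower() == ntpath.dirname(ev["loaded"]).lower()
            if _in_startup(ev["loaded"]) and same_dir and not ev["loaded_signed"]:
                hits.append((ev["id"], "sideload_from_startup"))
            if _name(ev["loaded"]) in IOC_FILES:
                hits.append((ev["id"], "ioc_dll_name"))
        elif ev["type"] == "NetworkConnect":
            if (ev["dst_ip"], ev["dst_port"]) == IOC_C2:
                hits.append((ev["id"], "ioc_c2"))
    return hits
```

Running `hunt(SAMPLE_EVENTS)` flags events 1 through 4 and leaves the benign explorer.exe load untouched.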

Why AI-Themed Lures Work

This campaign reflects a broader trend of attackers exploiting interest in generative AI tools. We've seen similar tactics with fake Ledger Live apps stealing cryptocurrency and malicious browser extensions targeting AI platforms. Users eager to access popular AI services will often download unofficial tools without verifying authenticity.

Organizations should remind employees that Claude is a web-based service accessible at claude.ai—there is no official desktop application to download. Any email or website offering a "Claude Pro installer" or similar should be treated as malicious. For more on recognizing these attacks, see our guide on phishing email examples.
