
Fake Claude PlugX phishing campaign

Type: Campaign · Happening score: 40 · 2 unique sources, 2 articles

Summary


A February phishing campaign used a fake Claude website and fake meeting invitations to deliver PlugX malware to recipients, turning a popular AI brand into a malware lure. The operation mattered because the trojanized installer hid the payload behind a normal-looking app setup and used DLL sideloading to launch a remote access trojan. The infection chain also tried to reduce visibility by running the real app in the foreground while installing malware in the background.

Related Happenings

Fake Claude Code installation-page infostealer campaign targeting developers

Campaign
First: 11.05.2026 17:00 Last: 11.05.2026 17:00 Sources 1

About this happening: A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...

JDownloader website hit by network compromise

Incident
First: 09.05.2026 22:27 Last: 09.05.2026 22:27 Sources 1

About this happening: The **JDownloader website** suffered a **supply-chain compromise** that replaced official **Windows** and **Linux** installer links with malicious payloads, putting users who down...

Formbook phishing campaign using DLL sideloading and obfuscated JavaScript

Campaign
First: 20.04.2026 18:01 Last: 20.04.2026 18:01 Sources 1

About this happening: The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...

Dragon Boss Solutions LLC adware malicious update

Malware Activity
First: 16.04.2026 22:07 Last: 16.04.2026 22:07 Sources 1

About this happening: A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...

STX RAT trojanized CPU-Z and HWMonitor distribution

Malware Activity
First: 12.04.2026 08:54 Last: 12.04.2026 08:54 Sources 1

About this happening: A **trojanized CPU-Z and HWMonitor distribution** pushed **STX RAT** through **DLL side-loading**, exposing downloaders to **remote access** and **infostealing** risk. The payload...

Timeline

  1. 07.05.2026 13:02 · 1 article · 20 days ago

    Fake Claude AI site delivers Beagle backdoor

    Technical Analysis Update

    A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.

  2. 13.04.2026 12:52 · 1 article · 1 month ago

    Fake Claude website delivers PlugX via trojanized installer

    Initial Disclosure

    A site posing as a legitimate Anthropic Claude domain used a ZIP archive and MSI installer to install the real Claude application while a VBScript dropper deployed PlugX in the background. The chain abused a signed G DATA antivirus updater named NOVUpdate.exe for DLL sideloading, dropped persistence files in the startup folder, deleted parts of the script to reduce traces, and made NOVUpdate.exe connect within seconds to command-and-control infrastructure on Alibaba Cloud. The campaign was seen in February and used fake meeting invitations to lure recipients into running the trojanized installer.

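The two timeline entries share one detectable pattern: a legitimate signed updater (NOVUpdate.exe) running from a user directory, loading a DLL that sits next to it, and dropping a persistence file in the Startup folder. The following added example (not code from the original report or any vendor) shows how a defender can flag that pattern over endpoint telemetry; the event field names, the hypothetical NOVUpdate.lnk persistence file and all sample paths are constructed for illustration.

```python
# Added example: flag the sideloading/persistence pattern described in the
# timeline over constructed Sysmon-style events. Field names and sample
# events are assumptions made here, not taken from the original report.
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

@dataclass
class Event:
    kind: str      # "image_load" or "file_create"
    process: str   # full path of the process performing the action
    target: str    # loaded DLL path or created file path

def is_sideload(ev):
    """Process outside system/program dirs loading a DLL from its own folder.
    Heuristic: deliberately ignores apps installed under Program Files to cut noise."""
    proc, dll = ev.process.lower(), ev.target.lower()
    if ev.kind != "image_load" or not dll.endswith(".dll"):
        return False
    if proc.startswith(SYSTEM_DIRS):
        return False
    proc_dir = proc.rsplit("\\", 1)[0]
    dll_dir = dll.rsplit("\\", 1)[0]
    return proc_dir == dll_dir

def is_startup_persistence(ev):
    """Any file written into a user's Startup folder."""
    return ev.kind == "file_create" and STARTUP_DIR in ev.target.lower()

def find_suspicious(events):
    """Return (process, reason) pairs; both reasons on one process is a strong hit."""
    hits = []
    for ev in events:
        if is_sideload(ev):
            hits.append((ev.process, "dll-sideload:" + ev.target))
        elif is_startup_persistence(ev):
            hits.append((ev.process, "startup-persistence:" + ev.target))
    return hits

# Constructed sample telemetry (not real data); the .lnk name is hypothetical.
U = "C:\\Users\\u\\AppData\\Roaming\\"
SAMPLE_EVENTS = [
    Event("image_load", "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\ntdll.dll"),
    Event("image_load", U + "NOVUpdate.exe", U + "avk.dll"),
    Event("file_create", U + "NOVUpdate.exe",
          U + "Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NOVUpdate.lnk"),
    Event("image_load", "C:\\Program Files\\App\\app.exe", "C:\\Program Files\\App\\helper.dll"),
]

if __name__ == "__main__":
    for proc, reason in find_suspicious(SAMPLE_EVENTS):
        print(proc, reason)
```

Correlating both signals on the same process within a short window is what separates this chain from an ordinary portable application loading its own libraries.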