Find notable cyber news and cases, enriched with sources, timelines, and signals.

Fake Claude PlugX phishing campaign

Campaign
First reported
Last updated
Happening score
H score 34
2 unique sources, 2 articles

Summary

Hide ▲

A February phishing campaign used a fake Claude website and fake meeting invitations to deliver PlugX malware to recipients, turning a popular AI brand into a malware lure. The operation mattered because the trojanized installer hid the payload behind a normal-looking app setup and used DLL sideloading to launch a remote access trojan. The infection chain also tried to reduce visibility by running the real app in the foreground while installing malware in the background.

Related Happenings

Mistic backdoor deployment via ClickFix and DLL side-loading

Malware Activity
H score22 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
H score38 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity
H score29 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...

Fake Claude Code installation-page infostealer campaign targeting developers

Campaign
H score33 First: 11.05.2026 17:00 Last: 11.05.2026 17:00 Sources 1

About this happening: A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...

JDownloader website hit by network compromise

Incident
H score12 First: 09.05.2026 22:27 Last: 09.05.2026 22:27 Sources 1

About this happening: The **JDownloader website** suffered a **supply-chain compromise** that replaced official **Windows** and **Linux** installer links with malicious payloads, putting users who down...

Timeline

  1. 07.05.2026 13:02 1 articles · 2mo ago

    Fake Claude AI site delivers Beagle backdoor

    Technical Analysis Update

    A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.

    Show sources
  2. 13.04.2026 12:52 1 articles · 2mo ago

    Fake Claude website delivers PlugX via trojanized installer

    Initial Disclosure

    A site posing as a legitimate Anthropic Claude domain used a ZIP archive and MSI installer to install the real Claude application while a VBScript dropper deployed PlugX in the background. The chain abused a signed G DATA antivirus updater named NOVUpdate.exe for DLL sideloading, dropped persistence files in the startup folder, deleted parts of the script to reduce traces, and made NOVUpdate.exe connect within seconds to command-and-control infrastructure on Alibaba Cloud. The campaign was seen in February and used fake meeting invitations to lure recipients into running the trojanized installer.

    Show sources