Fake Claude PlugX phishing campaign
Campaign
Summary
Hide ▲
Show ▼
A February phishing campaign used a fake Claude website and fake meeting invitations to deliver PlugX malware to recipients, turning a popular AI brand into a malware lure. The operation mattered because the trojanized installer hid the payload behind a normal-looking app setup and used DLL sideloading to launch a remote access trojan. The infection chain also tried to reduce visibility by running the real app in the foreground while installing malware in the background.
Related Happenings
Mistic backdoor deployment via ClickFix and DLL side-loading
Malware Activity
H score22
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...
Mistic backdoor deployment via ClickFix and DLL side-loading
Malware ActivityAbout this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
H score29
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
**Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware ActivityAbout this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Fake Claude Code installation-page infostealer campaign targeting developers
Campaign
H score33
First: 11.05.2026 17:00
Last: 11.05.2026 17:00
Sources 1
About this happening:
A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
Fake Claude Code installation-page infostealer campaign targeting developers
CampaignAbout this happening: A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
JDownloader website hit by network compromise
Incident
H score12
First: 09.05.2026 22:27
Last: 09.05.2026 22:27
Sources 1
About this happening:
The **JDownloader website** suffered a **supply-chain compromise** that replaced official **Windows** and **Linux** installer links with malicious payloads, putting users who down...
JDownloader website hit by network compromise
IncidentAbout this happening: The **JDownloader website** suffered a **supply-chain compromise** that replaced official **Windows** and **Linux** installer links with malicious payloads, putting users who down...
Timeline
-
07.05.2026 13:02 1 articles · 2mo ago
Fake Claude AI site delivers Beagle backdoor
Technical Analysis UpdateA fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.
Show sources
- Fake Claude AI website delivers new 'Beagle' Windows malware — www.bleepingcomputer.com — 07.05.2026 13:02
-
13.04.2026 12:52 1 articles · 2mo ago
Fake Claude website delivers PlugX via trojanized installer
Initial DisclosureA site posing as a legitimate Anthropic Claude domain used a ZIP archive and MSI installer to install the real Claude application while a VBScript dropper deployed PlugX in the background. The chain abused a signed G DATA antivirus updater named NOVUpdate.exe for DLL sideloading, dropped persistence files in the startup folder, deleted parts of the script to reduce traces, and made NOVUpdate.exe connect within seconds to command-and-control infrastructure on Alibaba Cloud. The campaign was seen in February and used fake meeting invitations to lure recipients into running the trojanized installer.
Show sources
- Fake Claude Website Distributes PlugX RAT — www.securityweek.com — 13.04.2026 12:52