CyberHappenings

PlugX RAT delivered via trojanized Anthropic Claude installer in fake website attack

1 unique source, 1 article

Summary


A malicious website impersonating Anthropic’s legitimate Claude domain distributed a trojanized installer that delivers the PlugX remote access trojan (RAT) to victims. The installer masquerades as a cracked version of the AI chatbot but instead launches a VBScript dropper that executes the legitimate Claude application while silently deploying malware. The dropper establishes persistence via a signed G DATA antivirus updater (NOVUpdate.exe) abused for DLL sideloading to execute a PlugX variant, then connects to Alibaba Cloud C&C infrastructure. Evidence of infection is obscured by cleanup scripts that delete traces of the initial compromise.

Timeline

  1. 13.04.2026 12:52 · 1 article

    PlugX RAT deployment via trojanized Claude installer observed in February 2026

    A malicious installer posing as a cracked version of Anthropic’s Claude AI application was distributed via a fake domain. The installer uses a VBScript dropper to execute legitimate Claude while deploying PlugX malware through a signed G DATA updater (NOVUpdate.exe) for DLL sideloading. The malware establishes persistence in the Windows startup folder, connects to Alibaba Cloud C&C infrastructure, and cleans up traces using batch scripts with error suppression to avoid detection.


Information Snippets

  • A fake Anthropic Claude website (not the legitimate domain) hosted a ZIP archive containing a trojanized MSI installer.

    First reported: 13.04.2026 12:52
    1 source, 1 article
  • The installer drops a VBScript that launches the real Claude app while deploying PlugX malware in the background via a signed G DATA updater (NOVUpdate.exe) for DLL sideloading.

    First reported: 13.04.2026 12:52
    1 source, 1 article
  • NOVUpdate.exe creates TCP connections to Alibaba Cloud command-and-control (C&C) infrastructure within seconds of execution.

    First reported: 13.04.2026 12:52
    1 source, 1 article
  • Persistence is achieved by placing sideloading files in the Windows startup folder; cleanup scripts delete the VBScript and batch file to hide evidence.

    First reported: 13.04.2026 12:52
    1 source, 1 article
  • The VBScript uses error suppression (On Error Resume Next) to hide deployment failures from the victim.

    First reported: 13.04.2026 12:52
    1 source, 1 article
  • The campaign was observed in February 2026 and leveraged phishing lures such as fake meeting invitations to deliver PlugX.

    First reported: 13.04.2026 12:52
    1 source, 1 article
  • PlugX is a decade-old RAT historically linked to Chinese espionage groups, but its widely shared source code complicates attribution.

    First reported: 13.04.2026 12:52
    1 source, 1 article
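The chain described in the summary and snippets above (a signed host executable planted in the user Startup folder, an unsigned DLL loaded from the same directory, and an outbound connection within seconds of launch) is something a defender can hunt for in endpoint telemetry. The following detector is an added example written for this page, not code from the source article or from any vendor. The event records, paths, the `example_sideload.dll` name and the IP addresses are all constructed for illustration; the record shape (EventID 1 = process create, 7 = image load, 3 = network connect, with a `signed` flag on executables and DLLs) is Sysmon-like but assumed, not any product's actual schema.

```python
"""Added example: detect the signed-host / unsigned-DLL sideloading chain.

All events and paths below are constructed for illustration. The record shape
(EventID 1 = process create, 7 = image load, 3 = network connect) is assumed,
Sysmon-like, and not tied to any product's real schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Case-insensitive fragment of the per-user Startup folder path.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


@dataclass
class Finding:
    pid: int
    image: str
    unsigned_dll: str
    severity: str                      # "high" when extra traits corroborate the sideload
    reasons: List[str] = field(default_factory=list)


def _dirname(path: str) -> str:
    """Directory part of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[0].lower()


def detect_sideload_chain(events: List[dict],
                          window: timedelta = timedelta(seconds=30)) -> List[Finding]:
    """Flag signed executables that load an unsigned DLL from their own directory
    (the mandatory sideloading trait), and raise severity when the host also runs
    from the Startup folder or connects out within `window` of starting."""
    procs: Dict[int, dict] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        pid = ev["pid"]
        if ev["EventID"] == 1:
            procs[pid] = {"image": ev["image"], "start": ev["time"],
                          "signed": ev["signed"], "unsigned_dll": None, "dest": None}
        elif pid not in procs:
            continue                   # load/connect for a process whose start we never saw
        elif ev["EventID"] == 7:
            p = procs[pid]
            if p["signed"] and not ev["signed"] and _dirname(ev["dll"]) == _dirname(p["image"]):
                p["unsigned_dll"] = ev["dll"]
        elif ev["EventID"] == 3:
            p = procs[pid]
            if p["dest"] is None and ev["time"] - p["start"] <= window:
                p["dest"] = ev["dest"]

    findings = []
    for pid, p in procs.items():
        if not p["unsigned_dll"]:
            continue                   # no unsigned DLL beside a signed host: not this pattern
        reasons = [f"signed host loaded unsigned DLL {p['unsigned_dll']} from its own directory"]
        if STARTUP_MARKER in p["image"].lower():
            reasons.append("host executable lives in the user Startup folder")
        if p["dest"]:
            reasons.append(f"outbound connection to {p['dest']} within "
                           f"{int(window.total_seconds())}s of start")
        severity = "high" if len(reasons) > 1 else "low"
        findings.append(Finding(pid, p["image"], p["unsigned_dll"], severity, reasons))
    return sorted(findings, key=lambda f: f.pid)


# Constructed sample telemetry (not real data).
T0 = datetime(2026, 2, 10, 9, 0, 0)
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    # signed updater planted in Startup, loads an unsigned DLL beside it, connects out in 3s
    {"EventID": 1, "time": T0, "pid": 100, "image": STARTUP + r"\NOVUpdate.exe", "signed": True},
    {"EventID": 7, "time": T0 + timedelta(seconds=1), "pid": 100,
     "dll": STARTUP + r"\example_sideload.dll", "signed": False},
    {"EventID": 3, "time": T0 + timedelta(seconds=3), "pid": 100, "dest": "203.0.113.10:443"},
    # ordinary signed application loading only signed DLLs, with normal network use
    {"EventID": 1, "time": T0 + timedelta(seconds=5), "pid": 200,
     "image": r"C:\Program Files\Vendor\App.exe", "signed": True},
    {"EventID": 7, "time": T0 + timedelta(seconds=6), "pid": 200,
     "dll": r"C:\Program Files\Vendor\helper.dll", "signed": True},
    {"EventID": 3, "time": T0 + timedelta(seconds=7), "pid": 200, "dest": "198.51.100.5:443"},
    # sideload pattern on its own, without Startup placement or an early connection
    {"EventID": 1, "time": T0 + timedelta(seconds=10), "pid": 300,
     "image": r"C:\Tools\Signed.exe", "signed": True},
    {"EventID": 7, "time": T0 + timedelta(seconds=11), "pid": 300,
     "dll": r"C:\Tools\plugin.dll", "signed": False},
]

if __name__ == "__main__":
    for f in detect_sideload_chain(SAMPLE_EVENTS):
        print(f.severity.upper(), f.pid, f.image)
        for r in f.reasons:
            print("   -", r)
```

The unsigned-DLL-beside-signed-host trait is mandatory and the other two only raise severity, because plenty of legitimate software runs from Startup and phones home at launch; on its own, either of those would page an analyst constantly. Signature status is taken from the telemetry here; in production it should come from the endpoint agent's own signature verification rather than from a field the attacker can influence.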