Beagle backdoor distributed via fake Claude site and DLL sideloading
Malware Activity
Summary
The Beagle backdoor is now being distributed through a fake Claude website, putting Windows users at risk of infection through a DLL sideloading chain. The lure delivers a large ZIP archive that drops a signed G DATA antivirus updater, a malicious DLL, and an encrypted payload file. The payload chain loads DonutLoader before deploying Beagle, which can execute shells, transfer files, list directories, and remove itself. Related samples date back to February 2026, and the infrastructure uses license[.]claude-pro[.]com for command-and-control.
Related Happenings
SloppyLemming BurrowShell and Rust-based keylogger activity
Malware Activity
First: 03.03.2026 08:53
Last: 03.03.2026 08:53
Sources: 1
About this happening:
**SloppyLemming** deployed **BurrowShell** and a **Rust-based keylogger** through **two attack chains**, expanding its malware toolkit for **backdoor access**, **credential theft*...
SloppyLemming spear-phishing campaign targeting Pakistan and Bangladesh
Campaign
First: 03.03.2026 08:53
Last: 03.03.2026 08:53
Sources: 1
About this happening:
The **SloppyLemming** campaign is using **spear-phishing**, **PDF lures**, and **macro-enabled Excel documents** to target **government entities and critical infrastructure operat...
Dohdoor backdoor activity on Windows endpoints
Malware Activity
First: 26.02.2026 17:17
Last: 26.02.2026 17:17
Sources: 1
About this happening:
A new **Dohdoor** backdoor is being used to provide **DNS-over-HTTPS (DoH)** C2 and **reflective payload execution** on **Windows** endpoints, increasing stealth and post-compromi...
Pkr_mtsi Windows loader delivers multiple payloads
Malware Activity
First: 07.01.2026 18:45
Last: 07.01.2026 18:45
Sources: 1
About this happening:
**pkr_mtsi** is a **Windows loader** now being used to push **trojanized installers** through **malvertising** and **SEO poisoning**, increasing initial-access risk for Windows us...
BADAUDIO first-stage downloader activity
Malware Activity
First: 21.11.2025 12:42
Last: 21.11.2025 12:42
Sources: 1
About this happening:
The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...
Timeline
07.05.2026 16:15 · 2 articles · 20d ago
Beagle backdoor distributed via fake Claude site and DLL sideloading
Initial Disclosure: The initial delivery stage is a **malicious ZIP archive** hosted on **claude-pro[.]com** and presented as **Claude-Pro Relay**. Its MSI installer drops **NOVupdate.exe**, **avk.dll**, and an encrypted data file before the signed updater loads the malicious DLL.
- Fake Claude AI Site Drops Beagle Backdoor on Windows Users — www.infosecurity-magazine.com — 07.05.2026 16:15