PlugX Malware Distributed via Fake Claude Pro Phishing Sites

In the rapidly evolving landscape of artificial intelligence, the promise of productivity has become a primary driver for professional software adoption. Unfortunately, this surge in demand for AI-powered assistance has created a fertile ground for threat actors. As of April 2026, security researchers have uncovered a sophisticated phishing campaign that weaponizes the desire for advanced AI tools, specifically targeting users seeking a “Pro” desktop version of Anthropic’s Claude. By masquerading as legitimate software distributors, these attackers are successfully deploying PlugX malware, a formidable remote access trojan (RAT) that leverages the stealthy technique of DLL sideloading to compromise host systems.
The Anatomy of a Modern Lure: Weaponizing AI Popularity
The campaign operates on a foundation of high-fidelity social engineering. Unlike primitive phishing scams that rely on obvious typos or malicious links, this operation mimics the professional ecosystem of a legitimate tech vendor. The attackers have constructed domains that visually mirror Anthropic’s official presence, specifically designed to trap professionals searching for desktop-based productivity enhancements. Given that Claude now serves hundreds of millions of users monthly, it has become a high-value target for threat actors looking to exploit brand trust.
The malicious payload is typically delivered via a ZIP archive titled Claude-Pro-windows-x64.zip. This package is meticulously crafted to bypass initial scrutiny by installing a functional, albeit unauthorized, instance of a Claude-like interface. This dual-purpose deployment ensures that the user is unaware of the infection, as the software behaves exactly as expected in the foreground while the PlugX malware chain executes silently in the background.
Active Infrastructure and Evasion Tactics
One of the most concerning aspects of this campaign is the sophisticated infrastructure supporting the phishing domains. Passive DNS analysis indicates that the attackers utilize high-availability, rotating bulk-email providers. By switching between services like Kingmailer and CampaignLark, the threat actors effectively evade spam filtering mechanisms and reputation-based blocking lists. This agility allows them to maintain a constant stream of phishing emails directed at professional targets, ensuring the campaign remains active and difficult for traditional email security gateways to neutralize.
Technical Breakdown: DLL Sideloading via Signed Binaries
At the core of this operation is PlugX malware, a tool that has been utilized by espionage-focused groups since approximately 2008. The specific implementation observed in this April 2026 campaign is a masterclass in operational security (OPSEC) through abuse of legitimate software components.
The Sideloading Triad
The malicious archive contains three primary components that form a textbook sideloading triad:
- NOVUpdate.exe: A legitimately signed executable, specifically a G DATA antivirus updater. Because it carries a valid digital signature, endpoint detection and response (EDR) solutions often view it as benign, allowing it to initiate execution without triggering immediate alerts.
- avk.dll: A malicious library file that acts as the PlugX loader. When the legitimate NOVUpdate.exe is launched, it follows standard Windows behavior and searches its own directory for required dependencies, including this DLL, before looking at system paths. Because the attacker's avk.dll sits next to the executable, the application loads it instead of the intended file.
- NOVUpdate.exe.dat: An XOR-encrypted payload file containing the core PlugX RAT functionality.
By forcing the signed updater to load a malicious DLL, the attackers hijack the process’s execution flow. The avk.dll then reads, decrypts, and executes the contents of the .dat file in memory. Because the initial process is trusted and signed, the subsequent malicious activity, such as establishing communication with command-and-control (C2) servers, often goes unnoticed, slipping past signature-based security tools that focus primarily on the parent executable.
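A hunting sketch for the triad described above, added here as an example (it is not code from the article or from any vendor): it walks a directory tree and reports folders that hold the three named files together and, going beyond the article, any folder where an .exe sits beside an identically named .exe.dat and a DLL. The generic rule and the function names are assumptions of this example.

```python
import hashlib
import os
import sys

# File names reported in the article for this campaign (lower-cased for matching).
KNOWN_TRIAD = {"novupdate.exe", "avk.dll", "novupdate.exe.dat"}


def sha256_of(path):
    """Hash a file in chunks; return None when the file cannot be read."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return None  # locked or permission denied: the name is still reported
    return digest.hexdigest()


def scan_for_triads(root):
    """Return one finding per directory that holds a sideloading-style file set."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        on_disk = {name.lower(): name for name in files}  # Windows names are case-insensitive
        names = set(on_disk)
        dlls = {n for n in names if n.endswith(".dll")}
        # Generic shape (a heuristic of this example): <host>.exe, <host>.exe.dat and a DLL together.
        hosts = {n for n in names if n.endswith(".exe") and n + ".dat" in names}
        if KNOWN_TRIAD <= names:
            rule, suspects = "known-triad", KNOWN_TRIAD
        elif hosts and dlls:
            rule, suspects = "generic-exe-dat-dll", hosts | {h + ".dat" for h in hosts} | dlls
        else:
            continue
        hashes = {on_disk[n]: sha256_of(os.path.join(dirpath, on_disk[n])) for n in sorted(suspects)}
        findings.append({"directory": dirpath, "rule": rule, "hashes": hashes})
    return findings


if __name__ == "__main__":
    for finding in scan_for_triads(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding["rule"], finding["directory"])
        for name, digest in finding["hashes"].items():
            print("   ", digest, name)
```

A generic-rule hit is a lead for triage rather than a verdict; the collected hashes give the analyst something to compare against known-good copies of the signed updater.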
The Persistent Threat of PlugX
The choice of PlugX malware as the ultimate payload signifies the serious intent behind this campaign. PlugX is not a simple data stealer; it is a full-featured Remote Access Trojan designed for long-term presence and data exfiltration. Its capabilities are extensive and devastatingly effective once a foothold is established:
- Remote Command Execution: Attackers can interact with the target machine via a remote cmd.exe shell.
- Persistence Mechanisms: The malware ensures it survives system reboots by modifying Windows registry keys or deploying malicious shortcuts in startup folders.
- Data Exfiltration and Monitoring: PlugX includes modules for keystroke logging, webcam control, and arbitrary file modification or theft.
- Network Communication: The malware utilizes complex C2 protocols designed to blend in with legitimate traffic, often using rare external endpoints that evade basic anomaly detection.
The specific campaign uncovered in April 2026 demonstrates an evolution in how this legacy threat is delivered. By leveraging the high-speed growth of AI tools, attackers are lowering the barrier to entry for widespread infection, ensuring that even moderately tech-savvy professionals may be tricked by the promise of an “official” Pro version of their preferred AI assistant.
Mitigation and Defensive Strategies
Defending against these types of attacks requires a move away from reliance on static, signature-based detections. As this campaign proves, when attackers use validly signed binaries to execute their code, traditional alerts often fail.
Proactive Verification
Organizations and individuals must verify the origin of all software. In the context of AI tools, this means strictly adhering to official download channels. Anthropic’s official site is the only authoritative source for Claude software. Any email, advertisement, or search result promising a “Pro” or “Desktop” version from a different domain or a third-party platform should be treated as untrusted.
Technical Indicators and Remediation
Security teams should implement behavioral monitoring focused on the following Indicators of Compromise (IOCs):
- Process Monitoring: Watch for the execution of NOVUpdate.exe or similar G DATA-related files launched from unconventional directories (such as temp folders or user-specified paths).
- File System Checks: Search for the presence of the files avk.dll, NOVUpdate.exe, and NOVUpdate.exe.dat in unauthorized locations.
- Network Traffic Analysis: Monitor for outbound connections to suspicious IP addresses—such as the observed 8.217.190.58—even if those connections originate from processes that appear to be legitimate system tools.
- Directory Integrity: Be wary of misspelled directories that attempt to mimic legitimate software installation paths, such as the observed C:\Program Files (x86)\Anthropic\Claude\Cluade\.
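The process, network and directory checks above, applied to a handful of constructed events; this is an added example, not tooling from the article. The event field names, the expected G DATA install prefix and the list of protected directory names are assumptions to adjust for your environment.

```python
import ntpath

SIDELOAD_HOST, C2_ADDRESSES = "novupdate.exe", {"8.217.190.58"}  # indicators from the article
# Assumptions: expected install prefix of the updater; names to guard against look-alikes.
EXPECTED_HOST_DIRS = ("c:\\program files (x86)\\g data\\",)
PROTECTED_NAMES = ("anthropic", "claude")
# Constructed events; "image" and "dest_ip" are assumed normalised field names.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\Anthropic\Claude\Cluade\NOVUpdate.exe", "dest_ip": "8.217.190.58"},
    {"image": r"C:\Program Files (x86)\G DATA\AVK\NOVUpdate.exe", "dest_ip": "192.0.2.10"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\NOVUpdate.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "dest_ip": "8.217.190.58"},
]


def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters counts as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_dirs(image):
    """Directory components one edit away from, but not equal to, a protected name."""
    parts = ntpath.dirname(image).lower().split("\\")
    return [p for p in parts for n in PROTECTED_NAMES if p != n and osa_distance(p, n) == 1]


def triage(event):
    """Return the names of the rules that an event matches."""
    folder, name = ntpath.split(event["image"].lower())
    hits = []
    # Append the separator before comparing so "...\g data evil" cannot pass as "...\g data\".
    if name == SIDELOAD_HOST and not (folder + "\\").startswith(EXPECTED_HOST_DIRS):
        hits.append("signed-updater-unexpected-path")
    if event.get("dest_ip") in C2_ADDRESSES:
        hits.append("known-c2-address")
    if lookalike_dirs(event["image"]):
        hits.append("lookalike-directory")
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", triage(ev) or "no match")
```

The look-alike rule catches the observed Cluade folder even though it sits under Program Files, where a plain "trusted directory" allowlist would have let it through.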
Conclusion: The “Ninja” Approach to Security
The weaponization of AI productivity tools is a logical progression for threat actors. As the professional world races to integrate AI, the window of opportunity for social engineering campaigns will only widen. The “Claude Pro” phishing campaign is a stark reminder that even the most advanced AI tools can be weaponized if the delivery mechanism is sufficiently convincing.
To defend against PlugX malware and similar threats, security professionals must adopt a “zero-trust” stance toward software installations. By focusing on behavioral analysis, enforcing strict application control, and educating users on the dangers of SEO-poisoned search results and unverified software sources, organizations can ensure that their pursuit of AI innovation does not inadvertently open their networks to long-term compromise. In the digital shadows, where attackers hide behind signed binaries and trusted names, constant vigilance is the only true defense.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


