Full Report
A fake version of the Claude AI website offers a malicious Claude-Pro Relay download that pushes a previously undocumented backdoor for Windows named Beagle. [...]
Analysis Summary
# Tool/Technique: Beagle Backdoor
## Overview
Beagle is a recently discovered, relatively simple Windows-based backdoor. It is delivered via a sophisticated multi-stage infection chain that leverages a fake version of the Claude AI website (`claude-pro[.]com`). The threat actors masquerade the malware as "Claude-Pro Relay," a high-performance service for developers, to trick high-value targets into installing the payload.
## Technical Details
- **Type:** Malware (Backdoor)
- **Platform:** Windows (x64)
- **Capabilities:** Remote shell execution, file system manipulation, and information exfiltration.
- **First Seen:** Targeted activity spotted in February 2024; Claude AI campaign reported in May 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link] (Fake Claude AI website)
- **[TA0002 - Execution]**
  - [T1204.002 - User Execution: Malicious File]
  - [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
- **[TA0003 - Persistence]**
  - [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0005 - Defense Evasion]**
  - [T1574.002 - Hijack Execution Flow: DLL Side-Loading] (Using G Data signed `NOVupdate.exe`)
  - [T1027.002 - Obfuscated Files or Information: Software Packing] (DonutLoader)
  - [T1620 - Reflective Code Loading] (In-memory execution via Donut)
- **[TA0011 - Command and Control]**
  - [T1573.001 - Encrypted Channel: Symmetric Cryptography] (AES-encrypted C2)
  - [T1105 - Ingress Tool Transfer]
## Functionality
### Core Capabilities
- **Command Execution:** Executes arbitrary system commands via a `cmd` directive.
- **File Management:** Supports `upload`, `download`, `rename`, `ls` (list), and `rm` (remove).
- **Directory Control:** Includes `mkdir` functionality for structural changes on the host.
- **Self-Termination:** Includes an `uninstall` command to remove the agent from the compromised host.
### Advanced Features
- **Stealthy Loading:** Uses **DonutLoader** to inject the Beagle payload directly into memory, bypassing traditional disk-based AV scanning.
- **Trusted Binary Abuse:** Employs DLL side-loading using a legitimate, signed G Data security updater (`NOVupdate.exe`) to load the malicious `avk.dll`.
- **Encrypted Communication:** Protects C2 traffic using a hardcoded AES key over TCP/443 or UDP/8080.
## Indicators of Compromise
- **File Hashes (SHA256):**
  - *Note: Specific hashes were mentioned as available in Sophos/Malwarebytes reports; indicators include the 505MB ZIP and MSI.*
- **File Names:**
  - `Claude-Pro-windows-x64.zip`
  - `NOVupdate.exe` (Legitimate signed binary used for side-loading)
  - `NOVupdate.exe.dat` (Encrypted payload)
  - `avk.dll` (Malicious loader)
- **Network Indicators:**
  - `claude-pro[.]com` (Phishing domain)
  - `license[.]claude-pro[.]com` (C2 server)
  - `8.217.190[.]58` (C2 IP, Alibaba Cloud)
- **Behavioral Indicators:**
  - Unexpected files appearing in the `%AppData%\Microsoft\Windows\Start Menu\Programs\Startup` folder.
  - Presence of G Data security binaries on systems not running G Data products.
## Associated Threat Actors
- **Attribution:** Not formally confirmed, but researchers link the TTPs (specifically the side-loading of `avk.dll` via `NOVupdate.exe`) to operators previously associated with **PlugX** malware activity.
## Detection Methods
- **Signature-based:** Detection of the `avk.dll` file and the specific DonutLoader shellcode patterns.
- **Behavioral:** Monitoring for DLL side-loading events where a signed executable loads an unsigned/unrecognized DLL from the same directory, especially in the Startup folder.
- **System Audit:** Scanning for the specific file triplet: `NOVupdate.exe`, `NOVupdate.exe.dat`, and `avk.dll`.
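As an added illustration of the behavioral and audit checks above (example code, not from the source report or the cited vendors), the following Python applies them to constructed image-load records. The record schema is a simplified stand-in for Sysmon Event ID 7; the `image_signed` field is an assumption (Sysmon only reports the signature of the loaded DLL, so the loader's status would have to be joined in from a separate signature check).

```python
import ntpath
from typing import Dict, Iterable, List

# Path fragments the page names as user-writable or abused by Beagle (lower-case).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\start menu\\programs\\startup\\")
# File triplet the page lists for the system audit.
BEAGLE_TRIPLET = {"novupdate.exe", "novupdate.exe.dat", "avk.dll"}

STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed image-load records (simplified Sysmon Event ID 7 shape; values are made up).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Signed G Data updater in Startup loads an unsigned DLL next to it: the Beagle pattern.
    {"image": STARTUP + r"\NOVupdate.exe", "image_signed": True,
     "image_loaded": STARTUP + r"\avk.dll", "loaded_signed": False},
    # Signed system process loading a signed system DLL: benign.
    {"image": r"C:\Windows\System32\svchost.exe", "image_signed": True,
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
    # Unsigned DLL, but loaded from a different, non-user-writable directory: not flagged.
    {"image": r"C:\Program Files\App\app.exe", "image_signed": True,
     "image_loaded": r"C:\Program Files\App\plugins\helper.dll", "loaded_signed": False},
]


def same_directory(image: str, loaded: str) -> bool:
    """True if the loading EXE and the loaded DLL sit in the same folder."""
    return ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()


def in_user_writable_dir(path: str) -> bool:
    """Heuristic: the path lies under AppData or a Startup folder."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def is_sideload_candidate(ev: Dict[str, object]) -> bool:
    """Signed EXE loads an unsigned DLL from its own, user-writable directory."""
    return (bool(ev["image_signed"]) and not ev["loaded_signed"]
            and same_directory(str(ev["image"]), str(ev["image_loaded"]))
            and in_user_writable_dir(str(ev["image_loaded"])))


def find_sideloads(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the records that match the side-loading heuristic."""
    return [ev for ev in events if is_sideload_candidate(ev)]


def has_beagle_triplet(filenames: Iterable[str]) -> bool:
    """System audit: all three Beagle artifacts present in one directory listing."""
    return BEAGLE_TRIPLET <= {ntpath.basename(f).lower() for f in filenames}
```

Feeding real Sysmon exports through `find_sideloads` requires mapping `Image`/`ImageLoaded`/`Signed` onto these keys and supplying the loader's own signature status.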
## Mitigation Strategies
- **User Training:** Educate users to verify official domains (e.g., `anthropic.com` for Claude) and to avoid "sponsored" search results, which often lead to clones.
- **System Hardening:** Implement AppLocker or Windows Defender Application Control (WDAC) to prevent unauthorized binaries from running in user-writable directories like `AppData`.
- **Network Filtering:** Block known malicious domains and monitor for unusual outbound traffic over UDP/8080.
## Related Tools/Techniques
- **PlugX:** Shared TTPs in the loading mechanism.
- **DonutLoader:** The open-source injector used for in-memory execution.
- **Bagle (2004):** A historically similar name, but technically unrelated to this modern backdoor.
- **AdaptixC2:** Seen in related Beagle samples.