Donuts and Beagles: Fake Claude site spreads backdoor
A malvertising campaign is leveraging a fake Claude AI website to distribute a malicious MSI installer. The infection chain employs DLL sideloading via a legitimate G DATA executable to execute DonutLoader, which ultimately deploys a novel backdoor dubbed 'Beagle' for remote command execution and file manipulation.
Authors: Chaitanya Ghorpade
Source: Sophos
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| domain | claude-pro[.]com | Fake Claude AI distribution site used in malvertising |
| domain | gouvvbo[.]top | AdaptixC2 C2 server from a related March sample |
| domain | license[.]claude-pro[.]com | Beagle backdoor C2 server |
| domain | update-crowdstrike[.]com | Domain hosted on the same IP as update-trellix[.]com |
| domain | update-sentinelone[.]com | Domain hosted on the same IP as update-trellix[.]com |
| domain | update-trellix[.]com | Domain associated with a related April sample |
| domain | vertextrust-advisors[.]com | Domain linked to the threat actor's hosting server |
| filename | NOVupdate.exe.dat | Encrypted file containing the DonutLoader payload |
| filename | avk.dll | Malicious DLL sideloaded by the legitimate G DATA updater |
| ip | 178[.]128[.]108[.]89 | Hosting server associated with Vertex Trust Advisors |
| ip | 192[.]252[.]186[.]62 | IP hosting related update-* domains |
| ip | 209[.]189[.]190[.]206 | Possible hosting server for the fake Claude site (Cloudflare origin) |
| ip | 8[.]217[.]190[.]58 | Beagle backdoor C2 IP address |
What Happened
Cybercriminals have created a fake website that looks like the legitimate Claude AI tool to trick people into downloading malware. Anyone who downloads and installs the fake 'Claude-Pro' software on a Windows computer is affected. This matters because the malware installs a hidden 'backdoor' that allows attackers to steal files, delete data, and take control of the infected computer. To stay safe, users should only download software from official websites and be cautious of sponsored links in search engine results.
Key Takeaways
- Threat actors are using a fake Claude AI website to distribute malware via malvertising and SEO poisoning.
- The attack chain utilizes DLL sideloading via a legitimate G DATA updater (NOVupdate.exe) to execute malicious code.
- The first-stage payload is DonutLoader, which subsequently loads a previously undocumented backdoor named Beagle.
- Beagle communicates with its C2 server over TCP (443) or UDP (8080) using AES encryption with a hardcoded key.
- Related samples suggest the threat actors are experimenting with different payloads, including AdaptixC2, while reusing the same XOR decryption key.
Affected Systems
- Windows
Attack Chain
The attack begins when a user downloads a malicious ZIP archive (Claude-Pro-windows-x64.zip) from a fake Claude AI website. Extracting and running the contained MSI installer drops a legitimate G DATA updater (NOVupdate.exe), a malicious DLL (avk.dll), and an encrypted payload (NOVupdate.exe.dat) into the user's startup folder. When the legitimate executable runs, it sideloads the malicious DLL, which decrypts the payload using a hardcoded XOR key and executes Donut shellcode in memory via EtwpCreateEtwThread. Finally, Donut loads the Beagle backdoor, which establishes C2 communication over TCP or UDP using AES encryption.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Sophos
Sophos provides endpoint protection signatures (e.g., ATK/DonutLdr-B, Troj/Beagldr-A) for the malicious components, and IOCs are available on their GitHub repository.
Detection Engineering Assessment
- EDR Visibility: High. The attack relies on dropping files to the startup folder, DLL sideloading by a known executable, and in-memory execution via EtwpCreateEtwThread, all of which are highly visible to modern EDRs.
- Network Visibility: Medium. C2 traffic uses custom AES encryption over standard ports (TCP 443, UDP 8080), which may blend in with normal traffic, though the specific packet structure and hardcoded keys can be fingerprinted.
- Detection Difficulty: Moderate. While the initial DLL sideloading and startup folder persistence are common and detectable, the in-memory execution of Donut and the custom encrypted C2 protocol of Beagle require behavioral analysis and network traffic inspection.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- File Creation (Sysmon 11)
- Network Connections (Sysmon 3)
- Image Load (Sysmon 7)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for instances of NOVupdate.exe executing from unusual directories, particularly the user's Startup folder, followed by network connections to unknown external IPs. | Process Creation, Network Connections | Execution / Persistence | Low |
| Search for the creation of files named avk.dll or NOVupdate.exe.dat in the same directory as NOVupdate.exe, especially outside of standard G DATA installation paths. | File Creation | Defense Evasion / Persistence | Low |
| Identify processes utilizing EtwpCreateEtwThread for execution, which is commonly abused by loaders like Donut to execute shellcode in memory. | API Calls / Process Injection | Defense Evasion / Execution | Medium |
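The first two hypotheses in the table, implemented as hunting logic over constructed Sysmon-style events (an added example, not Sophos code or the Beagle/Donut samples themselves). The event field names and the G DATA install paths used to suppress the benign copy are assumptions.

```python
"""Hunting logic for the first two hypotheses above (added example, not Sophos code).
Events are constructed Sysmon-style dicts; the field names (event_id, pid, image,
target, dest_ip) and the G DATA install paths are assumptions."""
import ntpath

STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Assumed benign locations for the real G DATA updater and its avk.dll.
GDATA_PATHS = ("c:\\program files\\g data\\", "c:\\program files (x86)\\g data\\")
DROPPED_NAMES = {"avk.dll", "novupdate.exe.dat"}
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"event_id": 11, "pid": 4100, "target": STARTUP + r"\avk.dll"},
    {"event_id": 11, "pid": 4100, "target": STARTUP + r"\NOVupdate.exe.dat"},
    {"event_id": 11, "pid": 900, "target": r"C:\Program Files\G DATA\AntiVirus\avk.dll"},
    {"event_id": 1, "pid": 5200, "image": STARTUP + r"\NOVupdate.exe"},
    {"event_id": 1, "pid": 5300, "image": r"C:\Program Files\G DATA\AntiVirus\NOVupdate.exe"},
    {"event_id": 3, "pid": 5200, "dest_ip": "198.51.100.7"},  # placeholder external IP
    {"event_id": 3, "pid": 5300, "dest_ip": "198.51.100.8"},
]

def flag_startup_novupdate(events):
    """Hypothesis 1: NOVupdate.exe started (Sysmon 1) from a Startup folder and the
    same process later makes an outbound connection (Sysmon 3)."""
    suspicious_pids, hits = set(), []
    for ev in events:
        if ev["event_id"] == 1:
            image = ev["image"].lower()
            if ntpath.basename(image) == "novupdate.exe" and STARTUP_MARKER in image:
                suspicious_pids.add(ev["pid"])
        elif ev["event_id"] == 3 and ev["pid"] in suspicious_pids:
            hits.append((ev["pid"], ev["dest_ip"]))
    return hits

def flag_sideload_drops(events):
    """Hypothesis 2: avk.dll or NOVupdate.exe.dat written (Sysmon 11) outside the
    expected G DATA install directories; the benign copy under Program Files is ignored."""
    hits = []
    for ev in events:
        if ev["event_id"] != 11:
            continue
        target = ev["target"].lower()
        if ntpath.basename(target) in DROPPED_NAMES and not target.startswith(GDATA_PATHS):
            hits.append(ev["target"])
    return hits

if __name__ == "__main__":
    print(flag_startup_novupdate(SAMPLE_EVENTS))  # [(5200, '198.51.100.7')]
    print(flag_sideload_drops(SAMPLE_EVENTS))     # the two Startup-folder drops
```

The Program Files entries stand in for a genuine G DATA installation, which is why the path allow-list matters: without it the second hypothesis would fire on every legitimate avk.dll.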
Control Gaps
- Lack of strict application control allowing execution of arbitrary MSIs from the internet
- Insufficient network egress filtering allowing custom UDP traffic on port 8080
Key Behavioral Indicators
- NOVupdate.exe running from Startup folder
- EtwpCreateEtwThread API call
- TCP/UDP traffic with 16-byte random IVs preceding AES-encrypted data
False Positive Assessment
- Low. The specific combination of the fake Claude domain, the G DATA updater sideloading a malicious avk.dll, and the Beagle C2 traffic patterns are highly indicative of this specific threat.
Recommendations
Immediate Mitigation
- Block access to claude-pro[.]com and license[.]claude-pro[.]com.
- Search endpoints for the presence of NOVupdate.exe, avk.dll, and NOVupdate.exe.dat in startup folders and remove them.
- Isolate any hosts communicating with 8[.]217[.]190[.]58.
Infrastructure Hardening
- Implement strict application control to prevent the execution of unapproved MSI installers.
- Restrict outbound UDP traffic on non-standard ports like 8080 to known good destinations.
User Protection
- Deploy EDR solutions configured to detect and block DLL sideloading attempts and in-memory shellcode execution.
- Ensure web filtering is active to block newly registered domains and known malvertising infrastructure.
Security Awareness
- Educate users on the risks of downloading software from sponsored search results or unofficial websites.
- Train employees to verify the authenticity of AI tool websites before downloading clients or extensions.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1140 - Deobfuscate/Decode Files or Information
- T1055 - Process Injection
- T1071.001 - Application Layer Protocol: Web Protocols
Additional IOCs
- Other:
  - SGkGIHumNrDlbt1OEHV3y2dVh5bQby2R - XOR decryption key used to decrypt the DonutLoader payload
  - beagle_default_secret_key_12345! - Hardcoded AES key used by the Beagle backdoor for C2 communication
  - Claude-Pro-windows-x64.zip - Malicious ZIP archive downloaded from the fake site
  - Claude.msi - MSI installer contained within the malicious ZIP
  - NOVupdate.exe - Legitimate G DATA updater abused for DLL sideloading