Threat Actors Use Fake Claude Site to Deliver PlugX

A convincing fake download site impersonating Anthropic's Claude distributes the China-linked remote access trojan PlugX via a trojanized installer. The campaign uses Claude-Pro-windows-x64.zip, an MSI payload that installs files into a spoofed path C:\Program Files (x86)\Anthropic\Claude\Cluade\ and relies on DLL sideloading to run the RAT while keeping the real Claude app visible to the user. The dropper uses a VBScript under SquirrelTemp, creates a desktop shortcut Claude AI.lnk, then replaces the shortcut and deletes itself to evade detection. Passive DNS shows active mail infrastructure using Kingmailer and CampaignLark, indicating a maintained distribution pipeline. Practitioners should treat downloads from unofficial Claude-branded sites as high risk, verify digital signatures, inspect shortcuts and SquirrelTemp, and apply network egress controls and endpoint detections for PlugX indicators.
What happened
A deceptive website impersonating Anthropic's Claude AI offers a trojanized installer named Claude-Pro-windows-x64.zip that delivers the China-linked remote access trojan PlugX. The MSI installs files into a deliberately spoofed path C:\Program Files (x86)\Anthropic\Claude\Cluade\, uses the Squirrel update framework to appear legitimate, and implements a VBScript dropper in SquirrelTemp that launches the real claude.exe in the foreground while sideloading a malicious DLL to run the PlugX payload. The dropper then overwrites the desktop shortcut Claude AI.lnk and self-deletes, leaving users interacting with the genuine app as the RAT operates silently in the background.
Technical details
The campaign leverages classic but effective techniques: trojanized installers, DLL sideloading, and cleanup behavior that frustrates forensic recovery. Passive DNS and MX records show active mail-sending infrastructure using Kingmailer and CampaignLark, with rotation between providers that implies an ongoing, managed distribution effort rather than opportunistic abuse. The attacker-controlled MSI replicates the application layout and references Squirrel, the update framework used by many Electron apps, increasing the installer's perceived legitimacy.
Indicators and infection flow
- Claude-Pro-windows-x64.zip delivered from the fake domain
- MSI that writes to C:\Program Files (x86)\Anthropic\Claude\Cluade\ (note the misspelling)
- Desktop shortcut Claude AI.lnk pointing to a VBScript in SquirrelTemp
- VBScript dropper launching claude.exe in the foreground while loading a malicious DLL
- Post-execution, the shortcut is replaced to point at claude.exe and the dropper self-deletes
Why this matters
This campaign exploits brand trust in consumer-facing AI tools to scale social-engineering attacks. By launching the legitimate claude.exe in view of the user, the operators dramatically lower suspicion while maintaining persistent remote access through PlugX, a capability that supports data exfiltration, lateral movement, and long-term espionage. The use of DLL sideloading preserves application functionality, complicating simple behavioral detections that rely on visible application failures.
Practical detection and mitigation
- Enforce strict download policies: block executable installers from non-official domains and restrict use of archive extraction tools for end users
- Validate digital signatures on installers and require published hashes from Anthropic when possible
- Monitor SquirrelTemp and desktop shortcut creation events for Claude AI.lnk or other unexpected links
- Implement host-based controls that detect DLL sideloading patterns and anomalous module loads into claude.exe
- Apply network egress monitoring and domain reputation controls to detect connections to attacker C2, and block mail-sending infrastructure such as suspicious Kingmailer and CampaignLark links when used by unknown domains
- Use YARA signatures and EDR rules targeting the MSI layout, dropper names, and PlugX behaviors
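The shortcut, SquirrelTemp and sideloading indicators above can be turned into simple triage rules over endpoint telemetry. The following is an added example, not code from the original write-up; it assumes Sysmon-style events flattened to dicts with the fields type, path, target, image and signed, and the script and DLL file names in the sample events are constructed placeholders since the write-up does not name them.

```python
# Added example: triage rules over constructed Sysmon-style endpoint events,
# keyed to the indicators in the write-up. Event fields are an assumption:
# type (file_create | image_load), path, target (shortcut target),
# image (loading process), signed (signature check result for a loaded DLL).

SPOOFED_DIR = "c:\\program files (x86)\\anthropic\\claude\\cluade\\"  # note the misspelling
SHORTCUT_NAME = "claude ai.lnk"
DROPPER_DIR_HINT = "squirreltemp"
HOST_PROCESS = "claude.exe"


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    path = ev.get("path", "").lower()
    target = ev.get("target", "").lower()
    image = ev.get("image", "").lower()
    if ev.get("type") == "file_create":
        # Rule 1: anything written under the misspelled install directory.
        if path.startswith(SPOOFED_DIR):
            hits.append("spoofed_install_dir")
        # Rule 2: a Claude AI.lnk whose target is a VBScript under SquirrelTemp.
        if path.endswith(SHORTCUT_NAME) and DROPPER_DIR_HINT in target and target.endswith(".vbs"):
            hits.append("shortcut_to_squirreltemp_vbs")
    elif ev.get("type") == "image_load" and image.endswith(HOST_PROCESS):
        # Rule 3: claude.exe loading a DLL from the spoofed directory (classic sideload).
        if path.endswith(".dll") and path.startswith(SPOOFED_DIR):
            hits.append("dll_sideload_from_spoofed_dir")
        # Rule 4: claude.exe loading any unsigned DLL from outside the Windows directory.
        elif path.endswith(".dll") and not ev.get("signed", False) and not path.startswith("c:\\windows\\"):
            hits.append("unsigned_dll_in_claude")
    return hits


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched rules, keeping only events that matched something."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


# Constructed sample telemetry: indices 0 and 2 are benign, the rest mirror the infection chain.
# "run.vbs" and "sideload.dll" are placeholder names, not indicators from the write-up.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": "C:\\Users\\u\\Desktop\\Claude AI.lnk",
     "target": "C:\\Program Files (x86)\\Anthropic\\Claude\\claude.exe"},
    {"type": "file_create", "path": "C:\\Program Files (x86)\\Anthropic\\Claude\\Cluade\\claude.exe"},
    {"type": "image_load", "image": "C:\\Program Files (x86)\\Anthropic\\Claude\\claude.exe",
     "path": "C:\\Windows\\System32\\kernel32.dll", "signed": True},
    {"type": "file_create", "path": "C:\\Users\\u\\Desktop\\Claude AI.lnk",
     "target": "C:\\Users\\u\\AppData\\Local\\SquirrelTemp\\run.vbs"},
    {"type": "image_load", "image": "C:\\Program Files (x86)\\Anthropic\\Claude\\Cluade\\claude.exe",
     "path": "C:\\Program Files (x86)\\Anthropic\\Claude\\Cluade\\sideload.dll", "signed": False},
]
```

Running `triage(SAMPLE_EVENTS)` flags events 1, 3 and 4 and leaves the legitimate shortcut and the signed system DLL load untouched; in production the same rules would be fed from Sysmon event IDs 11 (file create) and 7 (image load).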
Context and significance
Attackers are increasingly weaponizing popular AI brands because they lower social-engineering costs and increase click-through rates. This campaign sits alongside other PlugX activity historically linked to China-affiliated groups, including self-propagating USB variants and past law enforcement eradication efforts using the malware's self-delete capabilities. For security teams, AI brand impersonation is a growing vector to prioritize in phishing and supply-chain defenses.
What to watch
Monitor for additional domains mimicking Anthropic or other AI vendors, continued rotation of mail-sending providers, and any reports of downstream exploitation of compromised hosts. Organizations should update detection rules for Squirrel-based installers and DLL sideloading patterns targeting legitimate AI desktop clients.
Scoring Rationale
The campaign combines a high-impact malware family, brand impersonation of a widely used AI assistant, and stealthy DLL sideloading, creating a significant operational risk for enterprises. It is not a paradigm shift in AI but represents a notable escalation in malware targeting AI tooling and user trust.