
May 08, 2026 · 11 min read

A Fake Claude AI Site Has Been Pushing 'Beagle' Malware for Months—and the Trojan Horse Was a G Data Antivirus Binary

Sophos and Malwarebytes traced a 505 MB "Claude Pro" installer to a Beagle backdoor. The installer worked because it sideloaded a malicious DLL through a real, signed G Data antivirus executable.


What Happened

On May 7, 2026, Sophos published an analysis of a previously undocumented Windows backdoor it calls Beagle. The malware is being distributed through a fake Claude AI website at claude-pro[.]com that mimics Anthropic's official portal and offers a "Claude Pro" download button.

Malwarebytes flagged the same campaign in April 2026 and Sophos extended the analysis after additional Beagle samples appeared on VirusTotal between February and April. The campaign has been live for at least three months. Anthropic does not publish a Windows desktop installer of that name.

The fake installer is a 505 MB ZIP file titled Claude-Pro-windows-x64.zip. The size is deliberate: it pushes the download past the file-size limits many endpoint and sandbox products apply before they bother to scan a single file. Inside is an MSI installer that drops three files into the Windows Startup folder for persistence and quietly hands control to the attacker.

The Sideload That Beats Antivirus

The interesting part of this campaign is not the lure. Fake AI tools have been a dominant phishing theme for two years. The interesting part is the sideload technique that gets Beagle past defenses.

The MSI deploys three files to C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup:

  • NOVupdate.exe — a legitimate, code-signed binary belonging to G Data antivirus
  • avk.dll — a malicious DLL designed to be loaded by NOVupdate.exe
  • NOVupdate.exe.dat — an encrypted DonutLoader payload

When Windows runs NOVupdate.exe at startup, the binary looks for avk.dll by name, and the application's own directory comes first in the DLL search order. The legitimate G Data file expects to load a real DLL with that name; the malicious DLL takes its place and executes inside a process signed by a recognized security vendor. To the Windows loader, and to any control that stops at checking the parent executable's signature, the chain looks identical to a real G Data update.

The malicious DLL then decrypts NOVupdate.exe.dat using DonutLoader and injects the Beagle backdoor directly into memory. Nothing further touches disk. Endpoint products that watch only for unsigned executables launching from user directories see nothing unusual, because the executable is signed. Products that compare file hashes against known threats see a known-good G Data binary, and the decrypted Beagle payload never exists on disk to be hashed.

DLL sideloading is not new. What is distinctive here is using security vendors' own signed update binaries as the host and rotating between them. Sophos noted that Beagle samples from earlier in the campaign also impersonated update binaries from CrowdStrike, SentinelOne, Trellix, and Microsoft Defender. The G Data version is the most recent rotation.
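The chain above is invisible to checks that stop at the parent's signature, but it leaves a clear shape in image-load telemetry: a DLL that is unsigned (or whose signature does not validate) loaded from a user-writable directory, ideally from the same folder as the executable that loaded it, and worst of all from a Startup folder. The following is an added example written for this article, not detection content from Sophos, Malwarebytes or G Data. It applies that rule to newline-delimited JSON records using the field names Sysmon gives Event ID 7 (image loaded); the events, the user-writable path regex and the label names are constructed for illustration.

```python
"""Detect DLL sideloading from user-writable directories in Sysmon image-load
telemetry (Event ID 7).

Added example for this article; not detection content from Sophos,
Malwarebytes or G Data. The events below are constructed to mirror the Beagle
chain, using the field names Sysmon uses for Event ID 7 records."""
import json
import re
from pathlib import PureWindowsPath
from typing import Optional

# Directories an unprivileged user can write to (regex assumed for
# illustration; extend it for redirected profiles or ProgramData subtrees).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)(\\|$)"
    r"|^[a-z]:\\windows\\temp(\\|$)",
    re.IGNORECASE,
)
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
STARTUP = r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed sample events, one JSON object per line as a SIEM forwarder
# might emit them.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # The Beagle chain: the signed G Data updater loads an unsigned avk.dll
    # from the Startup folder it was dropped into.
    {"EventID": 7, "Image": STARTUP + r"\NOVupdate.exe",
     "ImageLoaded": STARTUP + r"\avk.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    # The same process loading a system DLL: normal.
    {"EventID": 7, "Image": STARTUP + r"\NOVupdate.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # A per-user app loading its own validly signed DLL from AppData: normal.
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Programs\Chat\Chat.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Programs\Chat\ffmpeg.dll",
     "Signed": "true", "Signature": "Chat Vendor Inc", "SignatureStatus": "Valid"},
    # Unsigned DLL under Program Files: not user-writable, outside this rule.
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\updater.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
])


def is_user_writable(path: str) -> bool:
    return USER_WRITABLE.match(path) is not None


def classify(event: dict) -> Optional[str]:
    """Label one image-load event, or return None when no rule matches."""
    if event.get("EventID") != 7:
        return None
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.suffix.lower() != ".dll":
        return None
    # Sysmon reports Signed as the strings "true"/"false".
    trusted = (event.get("Signed", "false").lower() == "true"
               and event.get("SignatureStatus") == "Valid")
    if trusted or not is_user_writable(str(loaded)):
        return None
    if STARTUP_MARKER in str(loaded).lower():
        return "sideload-from-startup-folder"
    # A DLL beside the executable is exactly what a search-order sideload needs.
    if loaded.parent == image.parent:
        return "unsigned-dll-beside-exe-in-user-dir"
    return "unsigned-dll-from-user-dir"


def hunt(jsonl: str) -> list:
    """Run classify over newline-delimited JSON events; return (label, exe, dll)."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label is not None:
            findings.append((label, event["Image"], event["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for label, image, loaded in hunt(SAMPLE_EVENTS):
        print(f"{label}: {image} loaded {loaded}")
```

The rule deliberately ignores the parent's signature, which is the point: the signed G Data binary is not what gives the chain away, the unsigned DLL in a Startup folder is. Expect some noise from per-user installs that ship unsigned helper DLLs; allowlisting by publisher of the sibling files is usually enough to tune that out.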

What Beagle Does Once It Lands

Beagle is a compact remote access backdoor. Sophos counts eight supported commands, among them the following. It is not flashy. It is built for quiet long-term access on a workstation that already trusts AI productivity tools.

  • Execute arbitrary command line instructions
  • Upload files from the victim machine to the operator
  • Download additional payloads from the operator to the victim
  • Create or remove directories
  • List directory contents
  • Rename files
  • Uninstall itself if instructed

Command and control runs through license[.]claude-pro[.]com—the same domain family as the lure—and a backup C2 IP at 8.217.190[.]58, hosted on Alibaba Cloud. Beagle reaches the C2 over TCP port 443 and UDP port 8080. Using 443 lets the traffic blend in with ordinary HTTPS in any port-based view of network activity; only the destination and the session contents give it away.

A backdoor with these capabilities is the initial-access stage of an intrusion. Once an operator has a shell on a machine, the second-stage tooling—credential stealers, ransomware staging, lateral movement frameworks—is whatever the customer wants to push down the wire next.

Why AI Tool Lures Are the Top Phishing Theme of 2026

Beagle is the third major piece of malware in six weeks to use a fake AI tool as its primary lure. The pattern works because AI usage at most companies has outrun the IT department's ability to audit it.

Knowledge workers expect to install AI tools themselves. They ignore IT approval. They assume that any tool branded "Claude" or "ChatGPT" or "Copilot" is safe by default. They click "Download for Windows" without checking the URL. The same employees who would never install a random screensaver from a 2007 web search will install a Claude desktop client because they believe the experience should mirror Slack or Zoom.

It is also the same pattern that drove last week's npm worm hiding inside Claude Code settings and the wave of fake VS Code update prompts seen earlier this spring. AI-adjacent developer tools are now the most reliable malware delivery channel for any operator targeting English-speaking knowledge workers.

Indicators of Compromise

If any of the following appear on a Windows machine, treat it as compromised and isolate it from the network before doing anything else:

  • Files named NOVupdate.exe, NOVupdate.exe.dat, or avk.dll in the user Startup folder, particularly on machines that do not have G Data installed
  • Outbound connections to license[.]claude-pro[.]com
  • Outbound connections to the IP 8.217.190[.]58
  • Browser history showing visits to claude-pro[.]com or any URL that ends in Claude-Pro-windows-x64.zip
  • UDP traffic to port 8080 from an unexpected process

A simple existence check for those filenames in the Startup folder is enough to spot infections from this rotation without specialized tooling. Treat it as a floor, not a ceiling: filenames are the cheapest thing for the operator to change, and earlier samples already borrowed other vendors' update binaries, so a hunt for any executable parked in a Startup folder beside a DLL it could load will outlast this particular name set. The installer is its own indicator as well: Anthropic ships nothing under a "Claude Pro" name, so a ZIP or MSI so labelled is suspect on sight.
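A sweep that covers both the published filenames and the underlying shape (an executable sitting in a Startup folder next to a DLL or .dat file) is short enough to write on the spot. The block below is an added example written for this article, not tooling from Sophos, Malwarebytes or the author; it is Python rather than PowerShell so it runs anywhere for testing. The default folder paths assume a standard Windows profile layout, and the profile layout that sample_sweep() builds in a temporary directory is constructed.

```python
"""Sweep Windows Startup folders for the Beagle drop set and, more generally,
for any executable parked there beside a DLL or data file it could load.

Added example for this article, not tooling from Sophos, Malwarebytes or the
author. Default paths assume a standard Windows profile layout; the layout
used by sample_sweep() is constructed."""
import glob
import os
import tempfile
from typing import Iterable, List

# Filenames published as indicators for the G Data rotation of the loader.
BEAGLE_DROP_SET = {"novupdate.exe", "novupdate.exe.dat", "avk.dll"}


def default_startup_dirs() -> List[str]:
    """Per-user and all-users Startup folders (assumed standard paths)."""
    per_user = glob.glob(
        r"C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup")
    all_users = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    return per_user + [all_users]


def sweep(startup_dirs: Iterable[str]) -> List[dict]:
    """Return one finding per suspicious Startup folder."""
    findings = []
    for folder in startup_dirs:
        if not os.path.isdir(folder):
            continue
        files = [n for n in os.listdir(folder)
                 if os.path.isfile(os.path.join(folder, n))]
        ioc_hits = sorted(n for n in files if n.lower() in BEAGLE_DROP_SET)
        if ioc_hits:
            findings.append({"dir": folder, "kind": "beagle-drop-set",
                             "files": ioc_hits})
            continue
        # Technique hunt: a Startup folder normally holds .lnk shortcuts. A PE
        # sitting there next to a DLL or a .dat blob is the sideload shape
        # regardless of what the operator names the files.
        exes = [n for n in files if n.lower().endswith(".exe")]
        siblings = [n for n in files if n.lower().endswith((".dll", ".dat"))]
        if exes and siblings:
            findings.append({"dir": folder, "kind": "exe-with-sideload-sibling",
                             "files": sorted(exes + siblings)})
    return findings


def sample_sweep() -> List[dict]:
    """Build a constructed three-user profile layout in a temp dir, sweep it,
    and return the findings with the temp root stripped from paths."""
    rel = os.path.join("AppData", "Roaming", "Microsoft", "Windows",
                       "Start Menu", "Programs", "Startup")
    layout = {
        "jdoe": ["NOVupdate.exe", "avk.dll", "NOVupdate.exe.dat"],  # Beagle drop set
        "asmith": ["OneNote.lnk"],                                  # clean
        "bwong": ["sync.exe", "libcurl.dll", "Notes.lnk"],          # same shape, new names
    }
    with tempfile.TemporaryDirectory() as root:
        dirs = []
        for user, names in layout.items():
            folder = os.path.join(root, "Users", user, rel)
            os.makedirs(folder)
            for name in names:
                with open(os.path.join(folder, name), "wb") as fh:
                    fh.write(b"placeholder")  # content is irrelevant to the sweep
            dirs.append(folder)
        findings = sweep(dirs)
    for finding in findings:
        finding["dir"] = os.path.relpath(finding["dir"], root)
    return findings


if __name__ == "__main__":
    for finding in sweep(default_startup_dirs()) or sample_sweep():
        print(finding["kind"], finding["dir"], finding["files"])
```

Run it under an account that can read every profile under C:\Users, otherwise per-user Startup folders are silently skipped. On a machine where G Data is genuinely installed, a hit on the drop set still deserves a look: the real updater lives under the product's install directory, not in a Startup folder.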

What to Do

For individuals:

  • Use claude.ai directly, and install Anthropic's own desktop app or the Claude Code CLI only from links on claude.ai or anthropic.com. Anthropic ships nothing called "Claude Pro" as a Windows installer, so any download under that name is suspect.
  • Avoid sponsored search results for AI tools. Several recent malware campaigns, including this one, rely on either typosquatted domains or paid ads to outrank the legitimate sites.
  • Download only from the vendor's primary domain. For Anthropic that is anthropic.com and claude.ai. Look-alike domains such as claude-pro[.]com are unrelated to Anthropic, however official they appear.

For IT and security teams:

  • Block the domains. Add claude-pro[.]com and license[.]claude-pro[.]com to DNS sinkholes and proxy denylists.
  • Hunt for the filenames. Sweep endpoints for NOVupdate.exe, NOVupdate.exe.dat, and avk.dll anywhere outside C:\Program Files directories, starting with per-user and all-users Startup folders.
  • Rethink the trust model on signed binaries. A signature on the loader does not vouch for what it loads. Detections built on EDR telemetry around DLL sideloading from user-writable directories, an unsigned or foreign-signed DLL loaded from the same folder as the executable, will catch this technique even when the parent binary is signed.
  • Inventory the AI tools your employees actually use. If you do not know what they have installed, you cannot warn them about specific fakes.

Why This Pattern Will Repeat

DLL sideloading through legitimate signed binaries is one of the highest leverage techniques an operator has in 2026. It does not defeat code signing; it rides on it, inheriting the parent process's signature and allowlist status and producing telemetry that looks like benign third-party software updating itself. That is why CrowdStrike, SentinelOne, Trellix, Microsoft Defender, and now G Data have all been impersonated by the same campaign over the past several months.

The next variant will rotate to whichever signed vendor binary stays unflagged as sideloadable the longest. The host binary has already borrowed the names of multiple security products' updaters while the lure stayed "Claude Pro," and both can change. The right defense is not waiting for the next IOC list. It is hunting for the technique itself.
