Fake Claude site delivers PlugX malware via sideloading attack

Attack details
A fake website impersonating Anthropic's Claude serves a trojanized installer that deploys PlugX malware. The domain mimics Claude's official site, and visitors who download the ZIP archive receive a copy of Claude that installs and runs as expected while deploying malware in the background.
Technical execution
The fake site offers a file called Claude-Pro-windows-x64.zip. The ZIP contains an MSI installer that installs to C:\Program Files (x86)\Anthropic\Claude\Cluade\. The misspelled "Cluade" directory is a red flag. The installer places a shortcut, Claude AI.lnk, on the Desktop pointing to Claude.vbs inside the SquirrelTemp directory.
When executed, the VBScript dropper:
- Locates and runs the legitimate claude.exe from C:\Program Files (x86)\Anthropic\Claude\Cluade\claude.exe
- Creates a new shortcut Claude.lnk on the Desktop pointing directly to claude.exe
- Copies three files from SquirrelTemp to the Windows Startup folder: NOVUpdate.exe, avk.dll, and NOVUpdate.exe.dat
- Launches NOVUpdate.exe with a hidden window (window style 0)
Malware deployment
This is a DLL sideloading attack (MITRE T1574.002). NOVUpdate.exe is a legitimately signed G DATA antivirus updater that attempts to load avk.dll from its own directory. The attacker substitutes a malicious version of avk.dll that reads and decrypts the payload from the accompanying .dat file.
This three-component sideloading triad (signed executable, trojanized DLL, encrypted data file) is characteristic of the PlugX malware family, a remote access Trojan tracked since 2008.
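A triage check for the triad described above, written as an added example (not code from the original report or from any vendor). It generalizes from the three file names on this page to any Startup-folder directory holding an executable, a DLL, and a data file named after the executable. That naming pattern, the choice to check both the per-user and all-users Startup folders, and the sample listing are assumptions.

```python
import os
from collections import defaultdict
from pathlib import PureWindowsPath

# File names this page reports for the triad copied into Startup.
KNOWN_TRIAD = {"novupdate.exe", "avk.dll", "novupdate.exe.dat"}

def find_sideload_triads(paths):
    """Flag directories holding <name>.exe, <name>.exe.dat and at least one DLL.

    Assumption: the data file is named after the executable, as in this sample.
    """
    by_dir = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].add(wp.name.lower())
    findings = []
    for directory, names in sorted(by_dir.items()):
        dlls = sorted(n for n in names if n.endswith(".dll"))
        for exe in sorted(n for n in names if n.endswith(".exe")):
            if dlls and exe + ".dat" in names:
                findings.append({"dir": directory, "exe": exe, "dlls": dlls,
                                 "data": exe + ".dat",
                                 "known_ioc": KNOWN_TRIAD <= names})
    return findings

def startup_files():
    """List files in the per-user and all-users Startup folders, if present."""
    tail = os.path.join("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    found = []
    for var in ("APPDATA", "PROGRAMDATA"):
        folder = os.path.join(os.environ.get(var, ""), tail)
        if os.path.isdir(folder):
            found += [os.path.join(folder, f) for f in os.listdir(folder)]
    return found

# Constructed sample listing (user name and extra files are made up).
_S = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE = [_S + "\\NOVUpdate.exe", _S + "\\avk.dll", _S + "\\NOVUpdate.exe.dat",
          _S + "\\OneNote.lnk", r"C:\Tools\app.exe", r"C:\Tools\helper.dll"]

if __name__ == "__main__":
    # Scan the live Startup folders; fall back to the sample off Windows.
    for hit in find_sideload_triads(startup_files() or SAMPLE):
        print(hit)
```

A hit with known_ioc set to False still deserves a look: check the executable's signature and whether its vendor would ever install into a Startup folder.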
Behavior and infrastructure
Sandbox analysis shows NOVUpdate.exe establishes outbound TCP connections to 8.217.190.58 on port 443 within 22 seconds of execution. The IP falls within an Alibaba Cloud-associated address range (8.217.x.x). The malware also modifies the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.
The dropper script includes anti-forensic measures: after deploying payload files, it writes a batch file ~del.vbs.bat that waits two seconds, then deletes both the original VBScript and the batch file itself.
📖 Read the full source: HN AI Agents