{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/g-data-antivirus-products/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Claude","G DATA antivirus products","Microsoft Defender"],"_cs_severities":["high"],"_cs_tags":["malvertising","dll sideloading","backdoor","beagle","donutloader"],"_cs_type":"advisory","_cs_vendors":["Anthropic","G DATA","Microsoft"],"content_html":"\u003cp\u003eA fake website mimicking Anthropic\u0026rsquo;s Claude AI platform (claude-pro[.]com) is distributing malware via malvertising. The site offers a \u0026ldquo;Claude-Pro Relay\u0026rdquo; download, which is a large ZIP archive containing a malicious MSI installer. The installer drops a trojanized version of the G DATA antivirus updater (NOVupdate.exe), a malicious DLL (avk.dll), and an encrypted data file into the user\u0026rsquo;s startup folder. This leverages DLL sideloading to execute a previously undocumented backdoor, dubbed \u0026ldquo;Beagle.\u0026rdquo; The attack shares characteristics with PlugX campaigns but utilizes distinct malware components. 
The threat actor may have inadvertently disclosed their Cloudflare origin certificate, which points to a probable origin server behind Cloudflare (209[.]189[.]190[.]206), and is also linked to the domain vertextrust-advisors[.]com (178[.]128[.]108[.]89), registered in mid-April 2026, posing as a legal advisory service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user clicks on a malvertisement, leading them to the malicious claude-pro[.]com website.\u003c/li\u003e\n\u003cli\u003eThe user downloads the \u0026ldquo;Claude-Pro Relay\u0026rdquo; software, a ZIP archive named Claude-Pro-windows-x64.zip.\u003c/li\u003e\n\u003cli\u003eThe user extracts and executes the Claude.msi installer.\u003c/li\u003e\n\u003cli\u003eThe installer drops NOVupdate.exe (a legitimate, signed G DATA updater), avk.dll (a malicious DLL), and NOVupdate.exe.dat (an encrypted data file) into the user\u0026rsquo;s startup folder.\u003c/li\u003e\n\u003cli\u003eAt the next user logon, NOVupdate.exe runs from the Startup folder and resolves avk.dll from its own directory first, so the malicious DLL is loaded in place of the legitimate G DATA library.\u003c/li\u003e\n\u003cli\u003eThe malicious avk.dll decrypts and executes DonutLoader shellcode from NOVupdate.exe.dat.\u003c/li\u003e\n\u003cli\u003eDonutLoader loads the Beagle backdoor into memory.\u003c/li\u003e\n\u003cli\u003eBeagle establishes a connection with its command-and-control server (license[.]claude-pro[.]com) over TCP (443) and/or UDP (8080), awaiting further instructions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack leads to the installation of the Beagle backdoor on the victim\u0026rsquo;s system, allowing the attacker to perform various malicious activities, including data theft, remote control, and further malware deployment. 
Because the sideloading host is a legitimately signed G DATA binary, the Beagle payload runs inside a trusted, vendor-signed process, which can evade signature- and reputation-based controls; the presence of an antivirus product on the host is therefore no guarantee of protection. While the exact number of victims is unknown, this campaign leverages widespread malvertising, suggesting a broad potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the malicious domains and IPs associated with this campaign (claude-pro[.]com, vertextrust-advisors[.]com, license[.]claude-pro[.]com, 209[.]189[.]190[.]206, 178[.]128[.]108[.]89, 8[.]217[.]190[.]58) at the DNS resolver and firewall.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious DLL Sideloading with G DATA Updater\u0026rdquo; to detect NOVupdate.exe loading the malicious avk.dll.\u003c/li\u003e\n\u003cli\u003eMonitor image-load telemetry (for example Sysmon Event ID 7) for NOVupdate.exe loading avk.dll from any directory other than the G DATA installation directory, and process_creation logs for NOVupdate.exe starting from a user\u0026rsquo;s Startup folder; DLL loads are not visible in process creation events alone.\u003c/li\u003e\n\u003cli\u003eInvestigate systems where files named avk.dll, NOVupdate.exe, and NOVupdate.exe.dat are found together in the same directory, especially within startup folders.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T00:00:00Z","date_published":"2026-05-07T00:00:00Z","id":"/briefs/2026-05-claude-pro-backdoor/","summary":"A malicious website impersonating Anthropic's Claude AI platform delivers the Beagle backdoor through a DLL sideloading attack, abusing a legitimate, signed G DATA antivirus updater to execute malicious code.","title":"Fake Claude AI Site Spreads Beagle Backdoor via DLL Sideloading","url":"https://feed.craftedsignal.io/briefs/2026-05-claude-pro-backdoor/"}],"language":"en","title":"CraftedSignal Threat Feed — G DATA Antivirus Products","version":"https://jsonfeed.org/version/1.1"}
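The following is an added worked example of the detection logic the brief's Recommendation section describes; it is not the CraftedSignal Sigma rule named in the brief, nor G DATA code. It runs three checks over constructed Sysmon-style events and a constructed directory listing: (1) NOVupdate.exe loading avk.dll from outside the vendor directory (image load, Sysmon Event ID 7), (2) NOVupdate.exe being launched from a non-vendor path such as a user's Startup folder (process creation, Event ID 1), and (3) the dropped-file triple avk.dll / NOVupdate.exe / NOVupdate.exe.dat sitting together in one directory. The field names (EventID, Image, ImageLoaded, Computer), the trusted G DATA install paths and all sample events are assumptions made for the example, not facts from the brief.

```python
"""Detection checks for the NOVupdate.exe / avk.dll sideload chain.

Added example, not code from the brief, CraftedSignal or G DATA. Operates on
constructed Sysmon-style event dicts and a constructed directory listing, so it
runs offline and touches no live system.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumption: the genuine updater lives under the vendor's Program Files
# directory; the same binary anywhere else is treated as a copied sideload host.
TRUSTED_DIRS = (
    r"c:\program files\g data",
    r"c:\program files (x86)\g data",
)
HOST_BINARY = "novupdate.exe"
SIDELOAD_DLL = "avk.dll"
DROPPED_TRIPLE = {"novupdate.exe", "avk.dll", "novupdate.exe.dat"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _parent_dir(path: str) -> str:
    # ntpath handles backslash paths on any OS, so this also runs on Linux.
    return ntpath.dirname(path).lower().rstrip("\\")


def _in_trusted_dir(path: str) -> bool:
    d = _parent_dir(path)
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def _in_startup_folder(path: str) -> bool:
    return _parent_dir(path).endswith(r"\start menu\programs\startup")


def check_event(ev: dict) -> list[Finding]:
    """Evaluate one Sysmon-style event and return zero or more findings."""
    findings: list[Finding] = []
    image = ev.get("Image", "")
    host = ev.get("Computer", "?")
    if ntpath.basename(image).lower() != HOST_BINARY:
        return findings  # only the G DATA updater is the sideload host here
    if ev.get("EventID") == 7:  # image load: DLL resolved beside the host binary
        loaded = ev.get("ImageLoaded", "")
        if ntpath.basename(loaded).lower() == SIDELOAD_DLL and not _in_trusted_dir(loaded):
            findings.append(Finding("gdata_updater_sideload", host, f"{image} loaded {loaded}"))
    elif ev.get("EventID") == 1:  # process creation: host binary outside vendor dir
        if not _in_trusted_dir(image):
            where = "Startup folder" if _in_startup_folder(image) else "non-vendor directory"
            findings.append(Finding("gdata_updater_untrusted_path", host, f"{image} launched from {where}"))
    return findings


def find_dropped_triples(listing: dict[str, list[str]]) -> list[str]:
    """Return directories whose file names contain all three dropped artifacts."""
    return [d for d, names in listing.items() if DROPPED_TRIPLE <= {n.lower() for n in names}]


# Constructed sample telemetry (not real logs): one benign load from the vendor
# directory, one sideload from a Startup folder, one unrelated avk.dll load.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "WS01", "Image": r"C:\Program Files\G DATA\NOVupdate.exe",
     "ImageLoaded": r"C:\Program Files\G DATA\avk.dll"},
    {"EventID": 1, "Computer": "WS02", "Image": STARTUP + r"\NOVupdate.exe",
     "CommandLine": "NOVupdate.exe"},
    {"EventID": 7, "Computer": "WS02", "Image": STARTUP + r"\NOVupdate.exe",
     "ImageLoaded": STARTUP + r"\avk.dll"},
    {"EventID": 7, "Computer": "WS03", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Temp\avk.dll"},
]
SAMPLE_LISTING = {
    STARTUP: ["NOVupdate.exe", "avk.dll", "NOVupdate.exe.dat"],
    r"C:\Program Files\G DATA": ["NOVupdate.exe", "avk.dll", "AVK.exe"],
}


def run(events=SAMPLE_EVENTS, listing=SAMPLE_LISTING) -> list[Finding]:
    """Apply all three checks and return findings in evaluation order."""
    findings = [f for ev in events for f in check_event(ev)]
    findings += [Finding("dropped_file_triple", "filesystem", d) for d in find_dropped_triples(listing)]
    return findings


if __name__ == "__main__":
    for f in run():
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The benign vendor-directory load and the unrelated explorer.exe load produce nothing, while the Startup-folder copy trips both the process-creation and image-load checks and the directory scan flags the triple; keying the image-load check on the DLL's parent directory rather than its name alone is what keeps the genuine G DATA avk.dll from alerting.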