Fake Claude site delivers PlugX malware via sideloading attack

Attack details
A fake website impersonating Anthropic's Claude serves a trojanized installer that deploys PlugX malware. The domain mimics Claude's official site, and visitors who download the ZIP archive receive a copy of Claude that installs and runs as expected while deploying malware in the background.
Technical execution
The fake site offers a file called Claude-Pro-windows-x64.zip. The ZIP contains an MSI installer that installs to C:\Program Files (x86)\Anthropic\Claude\Cluade\. The misspelled "Cluade" directory is a red flag. The installer places a shortcut, Claude AI.lnk, on the Desktop pointing to Claude.vbs inside the SquirrelTemp directory.
When executed, the VBScript dropper:
- Locates and runs the legitimate claude.exe from C:\Program Files (x86)\Anthropic\Claude\Cluade\claude.exe
- Creates a new shortcut Claude.lnk on the Desktop pointing directly to claude.exe
- Copies three files from SquirrelTemp to the Windows Startup folder: NOVUpdate.exe, avk.dll, and NOVUpdate.exe.dat
- Launches NOVUpdate.exe with a hidden window (window style 0)
Malware deployment
This is a DLL sideloading attack (MITRE T1574.002). NOVUpdate.exe is a legitimately signed G DATA antivirus updater that attempts to load avk.dll from its own directory. The attacker substitutes a malicious version of avk.dll that reads and decrypts the payload from the accompanying .dat file.
This three-component sideloading triad (signed executable, trojanized DLL, encrypted data file) is characteristic of the PlugX malware family, a remote access Trojan tracked since 2008.
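The triad layout described above can be checked for during triage. The following Python sketch is an added example, not code from the original article or the researchers: it flags any folder where an EXE sits beside a matching `<exe>.dat` file and a DLL, and notes whether the three filenames reported here are all present. The function names, the generic heuristic and the choice of the per-user Startup path are assumptions of this example.

```python
import os
import tempfile
from pathlib import Path

# Filenames reported in the article (compared case-insensitively).
REPORTED = {"novupdate.exe", "avk.dll", "novupdate.exe.dat"}


def find_sideload_triads(directory):
    """Return one finding per EXE that sits next to '<exe>.dat' and a DLL.

    Heuristic (an assumption of this example): Startup folders normally
    hold shortcuts, so an EXE + DLL + data-blob set there deserves review.
    """
    names = {p.name.lower() for p in Path(directory).iterdir() if p.is_file()}
    dlls = sorted(n for n in names if n.endswith(".dll"))
    findings = []
    for name in sorted(names):
        if not name.endswith(".exe"):
            continue
        dat = name + ".dat"
        if dat in names and dlls:
            findings.append({
                "exe": name,
                "dat": dat,
                "dlls": dlls,
                # True only when all three article filenames are present.
                "matches_report": REPORTED <= names,
            })
    return findings


def default_startup_dir():
    """Per-user Startup folder on Windows; None when APPDATA is unset."""
    appdata = os.environ.get("APPDATA")
    return Path(appdata, "Microsoft/Windows/Start Menu/Programs/Startup") if appdata else None


if __name__ == "__main__":
    target = default_startup_dir()
    if target and target.is_dir():
        for hit in find_sideload_triads(target):
            print("REVIEW:", hit)
    else:
        # Constructed sample layout so the check can be exercised anywhere.
        with tempfile.TemporaryDirectory() as tmp:
            for n in ("NOVUpdate.exe", "avk.dll", "NOVUpdate.exe.dat"):
                Path(tmp, n).write_bytes(b"")
            print(find_sideload_triads(tmp))
```

A hit is a lead for review rather than a verdict: confirm by checking the DLL's signature and origin, since the signed EXE in this technique is itself legitimate.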
Behavior and infrastructure
Sandbox analysis shows NOVUpdate.exe establishes outbound TCP connections to 8.217.190.58 on port 443 within 22 seconds of execution. The IP falls within an Alibaba Cloud-associated address range (8.217.x.x). The malware also modifies the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.
The dropper script includes anti-forensic measures: after deploying the payload files, it writes a batch file, ~del.vbs.bat, that waits two seconds and then deletes both the original VBScript and the batch file itself.
📖 Read the full source: HN AI Agents