Fake Claude AI website is pushing a Windows backdoor through Google search results

A fake Claude AI website is pushing a new Windows backdoor through Google sponsored search results. The malicious domain, claude-pro[.]com, dresses itself up as the real Claude interface and offers a fake tool called Claude-Pro Relay. Sophos X-Ops published its full analysis of the campaign today. Malwarebytes found it first.
The pitch is aimed at developers. The site sells Claude-Pro Relay as a "high-performance relay service designed specifically for Claude Code developers." The only thing you can actually do on the page is click a download button. That pulls a 505MB ZIP file called Claude-Pro-windows-x64.zip, which contains an MSI installer. The installer drops three files into the Windows startup folder: a legitimate, signed G Data antivirus updater renamed NOVupdate.exe, an encrypted data file, and a malicious DLL named avk.dll. It installs into C:\Program Files (x86)\Anthropic\Claude\Cluade\ — note the misspelling — but nobody checks the install path.
How the infection chain works
The signed G Data binary is used to sideload avk.dll. That is the core of the technique — borrowing the trust of a legitimate security tool to slip past defences. The DLL decrypts the encrypted payload with a reversed XOR key, hands off to DonutLoader, and DonutLoader drops the Beagle backdoor onto the system.
Beagle phones home to licence[.]claude-pro[.]com on TCP port 443 or UDP port 8080. Traffic is encrypted with a hardcoded AES key, so it looks like normal HTTPS to anyone watching the wire. The backdoor supports eight commands, including shell execution, file transfer, directory listing, and self-removal. That is enough for full remote access. It has nothing to do with the old Delphi-based Beagle worm from 2004 – different name, different beast entirely.
Sophos went in expecting PlugX. The sideloading setup – G Data binary, avk.dll, XOR-encrypted payload – is the same chain Lab52 documented in February 2026 in a PlugX campaign that used fake meeting invitations. The payload came out different. Sophos now thinks the attacker either retooled a known chain or lifted the technique from another group entirely.
The operators have not sat still. Malwarebytes tracked them switching bulk email providers from Kingmailer to CampaignLark in April 2026, rotating infrastructure to stay ahead of blocklists. The hosting server itself was stood up in March 2026, putting the start of the campaign about six weeks before today's public disclosure.
A pattern of AI-branded attacks
This is the third time in roughly a year that attackers have used AI tool branding to run a DLL sideloading campaign. Bitdefender caught fake Claude Code pages running through Google Ads in March 2026, using ClickFix to trick developers into pasting malicious terminal commands. Before that, fake DeepSeek installer sites ran the same sideloading chain in early 2025. The AI brand changes to match whatever is trending in search. The infection method does not.
The campaign runs through sponsored search results, which means the fake site sat above the real Claude listing for anyone who searched and clicked without checking the domain. Claude is only available at claude.com. Anthropic has not released anything called Claude-Pro Relay. Sophos says finding NOVupdate.exe or avk.dll in the Windows startup folder is a reliable sign the machine is compromised.
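A host-side check for the indicators named above, added here as an example and not taken from the Sophos or Malwarebytes write-ups: it looks in both Windows Startup folders for the two file names, records the Authenticode status of anything it finds (the point of the sideload is that NOVupdate.exe carries a valid vendor signature), and tests for the misspelled install path quoted earlier.

```powershell
# Added example: check a host for the Claude-Pro Relay indicators from the article.
# File names and the misspelled install path come from the article; the rest is standard PowerShell.
$indicatorFiles = @('NOVupdate.exe', 'avk.dll')
$installPath    = 'C:\Program Files (x86)\Anthropic\Claude\Cluade'

# The MSI drops into the Startup folder; check the per-user and all-users locations.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$findings = @()

foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($name in $indicatorFiles) {
        $hit = Join-Path $folder $name
        if (Test-Path -LiteralPath $hit) {
            $sig = Get-AuthenticodeSignature -FilePath $hit
            # A validly signed binary under a renamed file name in Startup is the
            # sideloading pattern itself: the signature vouches for the vendor's
            # updater, not for whoever placed it next to avk.dll.
            $findings += [pscustomobject]@{
                Indicator = $name
                Path      = $hit
                Signed    = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Sha256    = (Get-FileHash -LiteralPath $hit -Algorithm SHA256).Hash
            }
        }
    }
}

if (Test-Path -LiteralPath $installPath) {
    $findings += [pscustomobject]@{
        Indicator = 'install path (note the Cluade misspelling)'
        Path      = $installPath
        Signed    = ''
        Signer    = ''
        Sha256    = ''
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Claude-Pro Relay indicators found in the Startup folders or install path.'
} else {
    Write-Warning 'Indicators matching the Claude-Pro Relay campaign found; isolate the host and preserve the files.'
    $findings | Format-Table -AutoSize
}
```

The check matches only the file names and path published so far, so a clean result rules out this build of the installer, not a renamed variant.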
Notebookcheck previously covered a separate incident in which an AI coding agent running inside Cursor autonomously deleted a startup's entire production database and all backups without user confirmation, highlighting the growing risks of deploying AI tools without proper safeguards.