Fake Claude Website Distributes PlugX RAT
securityweekThe malware mimics the legitimate Anthropic installation, relies on DLL sideloading, and cleans up after itself.
A website posing as a legitimate Anthropic Claude domain was caught serving a remote access trojan to its visitors, Malwarebytes reports.
Relying on Claude’s popularity, a threat actor created a site that hosts a download link pointing to a ZIP archive allegedly containing a pro version of the LLM.
The file contains an MSI installer that mimics the legitimate Anthropic installation chain and installs the real Claude application.
When the user attempts to launch the Claude app via the Desktop shortcut created during the installation, however, a VBScript dropper runs the real app in the foreground while installing malware in the background, Malwarebytes explains.
The VBScript drops three files in the startup folder, including NOVUpdate.exe, a signed G DATA antivirus updater abused for DLL sideloading to execute a PlugX malware variant.
Copyright of this story solely belongs to securityweek . To see the full text click HERE