Donuts and Beagles: Fake Claude site spreads backdoor
ID: 768e1af9-adf5-59d2-9203-27c51d325985
STIX ID: report--768e1af9-adf5-59d2-9203-27c51d325985
Feed Name: Sophos Blogs
Sophos X-Ops describes a malvertising campaign in which a fake Claude site (claude-pro.com) impersonates the legitimate AI service to distribute an MSI installer (Claude.msi). The installer drops NOVupdate.exe, NOVupdate.exe.dat and avk.dll; the chain uses DLL sideloading to run Donut shellcode, which loads a newly identified backdoor called 'Beagle'. Beagle communicates with license.claude-pro.com (8.217.190.58) over AES-encrypted TCP/UDP. The report includes protocol and key details, multiple related samples reusing the same XOR key, IOCs (domains, IPs, filenames), mitigation advice and detection names.
