Hackers Use Fake Claude AI Site to Infect Users With New Beagle Malware
ID: 92205c6c-8fc5-5803-b6af-adabdf26b16c
STIX ID: report--92205c6c-8fc5-5803-b6af-adabdf26b16c
Feed Name: HackRead
Sophos X-Ops discovered a malvertising and SEO-poisoning campaign that uses a fake "Claude" AI site, claude-pro.com, to serve Claude-Pro-windows-x64.zip. The archive contains Claude.msi, which drops NOVupdate.exe, avk.dll, and NOVupdate.exe.dat; the attackers sideload a DLL through a signed G DATA executable and use an in-memory Donut loader to install a new backdoor, named Beagle, which communicates with license.claude-pro.com and carries a hardcoded key (beagle_default_secret_key_12345!). The report notes that the activity has run for several months, that the same XOR key is reused across samples, that the infrastructure sits behind Cloudflare and Alibaba Cloud to frustrate takedown, and that related domains impersonate security vendors.
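As an added example (not code from the HackRead summary or the Sophos report), the script below turns the indicators named above into an offline triage check: it walks a file tree for directories holding the full NOVupdate.exe + avk.dll + NOVupdate.exe.dat triad (a lone signed vendor executable is not flagged), searches those files for the hardcoded key and the C2 domain strings, and sweeps proxy-log lines for the two domains and their subdomains. The directory layout, the proxy-log format, and every sample line and file are constructed for the demo and are assumptions; only the indicator strings come from the summary.

```python
"""Offline IOC triage for the fake-Claude / Beagle indicators listed in the summary."""
import os
import re
import tempfile
from pathlib import Path

# Indicators taken verbatim from the summary (lowercased: NTFS is case-insensitive).
SIDELOAD_TRIAD = {"novupdate.exe", "avk.dll", "novupdate.exe.dat"}
C2_DOMAINS = {"claude-pro.com", "license.claude-pro.com"}
HARDCODED_KEY = b"beagle_default_secret_key_12345!"
STRING_IOCS = [HARDCODED_KEY] + [d.encode() for d in C2_DOMAINS]

# Constructed proxy-log lines (timestamp src host status); the format is an assumption.
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.15 license.claude-pro.com 200",
    "2024-01-01T10:00:02Z 10.0.0.15 www.example.com 200",
    "2024-01-01T10:00:03Z 10.0.0.22 claude-pro.com 301",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<status>\d{3})$")


def find_sideload_dirs(root):
    """Return directories under root that contain all three dropped files.
    Requiring the whole triad avoids flagging a legitimate install that only
    has the signed executable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if SIDELOAD_TRIAD <= names:
            hits.append(Path(dirpath))
    return hits


def scan_file_for_iocs(path):
    """Return the string IOCs (as str) found in a file's raw bytes, sorted."""
    data = Path(path).read_bytes()
    return sorted(ioc.decode() for ioc in STRING_IOCS if ioc in data)


def scan_proxy_log(lines):
    """Return (src, host) for every line whose host is an IOC domain or a subdomain of one."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = m.group("host").lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            hits.append((m.group("src"), host))
    return hits


def build_demo_tree():
    """Construct a throw-away tree laid out like the drop (sample bytes, not real malware).
    The 'staging' folder name is an assumption, not a location from the report."""
    root = Path(tempfile.mkdtemp(prefix="beagle_triage_"))
    staged = root / "staging"
    staged.mkdir()
    (staged / "NOVupdate.exe").write_bytes(b"MZ" + b"\0" * 64)            # stands in for the signed binary
    (staged / "avk.dll").write_bytes(b"MZ" + HARDCODED_KEY + b"\0" * 16)  # stands in for the sideloaded DLL
    (staged / "NOVupdate.exe.dat").write_bytes(b"\xaa" * 32)              # stands in for the encoded payload
    benign = root / "Program Files" / "Vendor"
    benign.mkdir(parents=True)
    (benign / "NOVupdate.exe").write_bytes(b"MZ" + b"\0" * 64)            # exe alone must not trigger
    return root


def run_triage(root=None, log_lines=SAMPLE_PROXY_LOG):
    """Run all three checks and return the findings as plain data."""
    root = Path(root) if root else build_demo_tree()
    dirs = find_sideload_dirs(root)
    return {
        "sideload_dirs": [str(d.relative_to(root)) for d in dirs],
        "file_iocs": {f.name: scan_file_for_iocs(f) for d in dirs for f in d.iterdir()},
        "proxy_hits": scan_proxy_log(log_lines),
    }


if __name__ == "__main__":
    for key, value in run_triage().items():
        print(key, value)
```

Point `run_triage` at a mounted image or a collected file set and feed it real proxy or DNS log lines in the same four-field shape (or adjust `LOG_RE` to your log format); the triad rule is deliberately strict so that a genuine G DATA installation containing only the signed executable does not generate a finding.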
