Cybersecurity experts from Malwarebytes have found a malicious new campaign where scammers use the popularity of Anthropic’s AI tool Claude to spread malware. Reportedly, hackers made a fake website that looks just like the official one from Anthropic and offers a Pro version of the tool for Windows to lure people into downloading a malicious file.
The chain starts when a phishing email leads the victim to the fake site, where they download an archive named Claude-Pro-windows-x64.zip. Inside is an MSI installer that places a shortcut called Claude AI.lnk on the desktop; clicking the shortcut runs a VBScript.
The script first launches the genuine Claude app, so the victim sees what they expected, while in the background it installs the PlugX malware, which gives the attackers remote control of the compromised device.
How the attack works in secret
The hackers use a technique called DLL sideloading. They take a legitimate, digitally signed executable, NOVUpdate.exe from the security vendor G DATA, and drop a malicious avk.dll and a data file named NOVUpdate.exe.dat into the same directory.
Because the executable is signed by a known vendor, Windows and most security products treat it as trustworthy. But when it starts and asks for avk.dll, Windows looks in the application's own directory first and finds the attacker's DLL, which is loaded inside the trusted process and, in the classic PlugX triad, unpacks the payload from the .dat file. Nothing malicious has to be signed, and the process that shows up in the task list is a reputable vendor's updater.
According to Malwarebytes' investigation, PlugX also adds its files to the Windows Startup folder so that it runs every time the machine boots. Within 22 seconds of installation it begins beaconing to its command-and-control server at 8.217.190.58 on port 443. That address belongs to Alibaba Cloud, a provider threat actors frequently use because traffic to a large cloud platform blends in. The malware also modifies the TCP/IP registry key to support its communication.
“PlugX has historically been associated with espionage operators linked to Chinese state interests. However, researchers have noted that PlugX source code has circulated in underground forums, broadening the pool of potential operators. Attribution based on tooling alone is not definitive,” Malwarebytes researchers noted in the blog post.
Signs to check for
One giveaway is a spelling mistake: the installer creates a folder named "Cluade" instead of "Claude", at C:\Program Files (x86)\Anthropic\Claude\Cluade. To cover its tracks, it uses a script called del.vbs.bat that deletes itself after installation, and it swallows errors silently so that no warning appears if the installation fails.
The operators are still active. Researchers saw them sending phishing emails through Kingmailer on 28 March 2026 and switching to CampaignLark on 5 April 2026. This is why security experts recommend downloading AI tools only from the official site, in this case claude.com. If you find NOVUpdate.exe, avk.dll or NOVUpdate.exe.dat in your Startup folder, disconnect the machine from the internet, treat it as compromised, and change your passwords from a different, clean device.
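The sideloading chain and the signs listed above translate directly into hunt logic. The following is an added example, not code from Malwarebytes or from the Hackread article: a small Python hunt over Sysmon-style events that flags each stage (script host run from the misspelled folder, the triad written to Startup, NOVUpdate.exe loading avk.dll outside its vendor directory, the TCP/IP registry change, and the beacon to 8.217.190.58:443) and measures the time from sideload to first beacon. The event records are constructed; the VBScript name, the G DATA vendor path and the exact Tcpip subkey are assumptions, since the write-up does not name them.

```python
"""Hunt for the fake-Claude-installer / PlugX chain in Sysmon-style events.

Added example, not code from the Malwarebytes write-up. Indicators come from
the article; the event records are constructed, and field names follow
Sysmon's JSON export (EventID 1 process create, 3 network connect,
7 image load, 11 file create, 13 registry value set).
"""
import json
from datetime import datetime

# Indicators named in the write-up.
C2_IP = "8.217.190.58"
C2_PORT = 443
SIDELOAD_HOST = "novupdate.exe"
SIDELOAD_DLL = "avk.dll"
TYPO_DIR = "\\anthropic\\claude\\cluade\\"        # misspelled install folder
STARTUP_DIR = "\\start menu\\programs\\startup\\"  # per-user or all-users Startup
# Assumptions not in the write-up: the genuine G DATA binary lives under a
# "G DATA" vendor directory, and the "TCP/IP registry key" is under the Tcpip
# service hive (the exact value is not named in the write-up).
VENDOR_DIR = "\\g data\\"
TCPIP_KEY = "\\services\\tcpip\\"


def _low(ev, key):
    return str(ev.get(key, "")).lower()


def check_event(ev):
    """Return the indicator names one event matches (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    image = _low(ev, "Image")
    if eid == 1:
        cmd = _low(ev, "CommandLine")
        # The desktop .lnk runs a VBScript; a script host reading a .vbs from
        # the misspelled folder is the start of the chain.
        if image.endswith(("wscript.exe", "cscript.exe")) and ".vbs" in cmd and TYPO_DIR in cmd:
            hits.append("lnk_chain")
    elif eid == 3:
        if ev.get("DestinationIp") == C2_IP and int(ev.get("DestinationPort", 0)) == C2_PORT:
            hits.append("c2")
    elif eid == 7:
        loaded = _low(ev, "ImageLoaded")
        # The exe/DLL pair is normal inside a G DATA install; the signal is the
        # signed host running, and loading avk.dll, from somewhere else.
        if image.endswith(SIDELOAD_HOST) and loaded.endswith(SIDELOAD_DLL) and VENDOR_DIR not in image:
            hits.append("sideload")
    elif eid == 11:
        target = _low(ev, "TargetFilename")
        if STARTUP_DIR in target and target.endswith((SIDELOAD_HOST, SIDELOAD_DLL, ".dat")):
            hits.append("persistence")
        if TYPO_DIR in target:
            hits.append("typo_path")
    elif eid == 13:
        if image.endswith(SIDELOAD_HOST) and TCPIP_KEY in _low(ev, "TargetObject"):
            hits.append("registry")
    return hits


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def hunt(events):
    """Run every rule over an event stream. Returns the findings, the set of
    matched categories, and the seconds from first sideload to first beacon."""
    findings, first = [], {}
    for ev in events:
        for hit in check_event(ev):
            findings.append((ev["UtcTime"], hit, ev.get("Image", "")))
            first.setdefault(hit, _ts(ev))
    ttb = None
    if "sideload" in first and "c2" in first:
        ttb = (first["c2"] - first["sideload"]).total_seconds()
    return {"findings": findings, "categories": sorted(first), "seconds_to_beacon": ttb}


def parse_jsonl(text):
    """One JSON object per line, as Sysmon-to-SIEM forwarders commonly emit."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample telemetry. The script name start.vbs and the benign
# vendor path are made up; the Startup and Cluade paths follow the write-up.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
CLUADE = r"C:\Program Files (x86)\Anthropic\Claude\Cluade"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-04-06 10:00:00.000", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'wscript.exe "{CLUADE}\\start.vbs"'},
    {"EventID": 11, "UtcTime": "2026-04-06 10:00:01.000", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": f"{CLUADE}\\del.vbs.bat"},
    {"EventID": 11, "UtcTime": "2026-04-06 10:00:02.000", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": f"{STARTUP}\\NOVUpdate.exe"},
    {"EventID": 11, "UtcTime": "2026-04-06 10:00:02.100", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": f"{STARTUP}\\avk.dll"},
    {"EventID": 11, "UtcTime": "2026-04-06 10:00:02.200", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": f"{STARTUP}\\NOVUpdate.exe.dat"},
    {"EventID": 7, "UtcTime": "2026-04-06 10:00:05.000", "Image": f"{STARTUP}\\NOVUpdate.exe",
     "ImageLoaded": f"{STARTUP}\\avk.dll"},
    {"EventID": 13, "UtcTime": "2026-04-06 10:00:06.000", "Image": f"{STARTUP}\\NOVUpdate.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters"},
    {"EventID": 3, "UtcTime": "2026-04-06 10:00:27.000", "Image": f"{STARTUP}\\NOVUpdate.exe",
     "DestinationIp": C2_IP, "DestinationPort": 443},
    # Benign noise that must not fire: the same exe/DLL pair inside the vendor
    # directory, and an unrelated TLS connection from a browser.
    {"EventID": 7, "UtcTime": "2026-04-06 10:00:30.000", "Image": r"C:\Program Files\G DATA\NOVUpdate.exe",
     "ImageLoaded": r"C:\Program Files\G DATA\avk.dll"},
    {"EventID": 3, "UtcTime": "2026-04-06 10:00:31.000", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    result = hunt(parse_jsonl(SAMPLE_LOG))
    for when, hit, image in result["findings"]:
        print(when, hit, image)
    print("seconds from sideload to first beacon:", result["seconds_to_beacon"])
```

The location check in the image-load rule is the part worth keeping even if the rest is swapped for your SIEM's query language: the exe/DLL pair on its own is a legitimate G DATA artifact, so the signal is the signed host executing from a Startup folder, a user profile or the misspelled Cluade path rather than from the vendor's install directory. Feed `hunt` the JSON-lines export from your Sysmon forwarder instead of `SAMPLE_LOG` to run it against real telemetry.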
Expert’s insights
Yagub Rahimov, CEO of Polygraf AI, shared his views on this campaign exclusively with Hackread.com. He noted that while the lure is new, the strategy is a familiar one.
“We’ve seen this exact playbook before. The bait changes – early 2025, it was DeepSeek, with fake installer sites with DLL sideloading to load backdoors and infostealers, but the method underneath hasn’t changed in years. Signed binary, malicious DLL, encrypted payload. TA416 has been running this exact structure to deploy PlugX since 2022, and has been updating the infection chain while keeping the same approach. Why do they keep using it? Because it works. A legit signed executable doesn’t get flagged. The malicious DLL it loads gets that trust, and when the dropper has deleted itself, there is nothing obvious to be found.”
Rahimov further explained that the rise of AI tools has changed the types of people being targeted by hackers. “What has changed is who is getting targeted. AI tools expanded the pool way too much – it’s not people downloading pirated software anymore. These AI tools no longer target just graphic designers; anyone can be lured in by a seemingly harmless ad. The attackers figured that out before the defenders did.”
