Fake Claude AI Site Spreads Beagle Backdoor Malware on Windows
Security researchers have uncovered a phishing campaign that spoofs the official Anthropic Claude AI portal to distribute a new Windows backdoor dubbed "Beagle." The fraudulent site uses a look‑alike domain such as claude‑ai‑pro[.]com and mimics the legitimate UI, offering a "Claude‑Pro Relay" download that claims to unlock premium features. Unsuspecting users who run the installer inadvertently execute a multi‑stage dropper that ultimately installs the Beagle payload on their machines.
The dropper is delivered as a self‑extracting RAR archive that extracts three components: a seemingly legitimate executable (claude.exe), a side‑loading DLL (claude.dll), and a JSON‑encoded configuration file (settings.json). When launched, claude.exe loads claude.dll via DLL side‑loading. Inside the DLL resides the Beagle backdoor, written in C++ and equipped with anti‑virtualization checks (CPUID, WMI queries) that delay execution if a sandbox or VM is detected. The backdoor decrypts its command‑and‑control (C2) address from settings.json using AES‑256 and establishes communication over HTTPS, often domain‑fronted through a popular CDN to blend with legitimate traffic.
Once active, Beagle provides a full-featured remote access toolkit: it can execute arbitrary shellcode, spawn new processes, create scheduled tasks for persistence, and exfiltrate system information (hostname, OS version, user accounts). The malware also supports module downloads, allowing the attacker to extend functionality on the fly—observed in recent campaigns delivering a secondary coin‑miner payload. Communication packets are encrypted with a custom protocol, and the backdoor employs process‑hollowing into legitimate Windows processes (e.g., svchost.exe) to evade detection by behavior‑based security products.
Indicators of compromise (IOCs) include the malicious installer SHA‑256 hash (e.g., a3f8b2c9…), the C2 domain (claude‑relay‑api[.]net), and the scheduled task named "ClrComponent." Security teams are advised to block the fraudulent domain, enforce strict URL filtering for look‑alike domains, and ensure endpoint protection rules detect the DLL side‑loading technique. YARA rules and AV signatures have been released to identify the Beagle payload, and organizations should audit software distribution channels to prevent similar supply‑chain social‑engineering attacks.
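The following hunt script is an added example, not code from the report or from any vendor's detection content. It turns the indicators above (the two domains, the claude.exe/claude.dll side‑loading pair, and the ClrComponent scheduled task) into checks that run over DNS/proxy log lines and Sysmon‑style endpoint events. The log format, the Sysmon field names, the allowlist of legitimate Claude/Anthropic hosts, and all sample data are assumptions constructed for the example; the installer hash is not used because the report publishes only a truncated prefix.

```python
"""Hunt for published Beagle-campaign indicators in DNS logs and endpoint events.

Added example; not from the original report. Sample data below is constructed.
"""
import re

# Indicators from the report (defanging brackets removed so they match real logs).
C2_DOMAINS = {"claude-ai-pro.com", "claude-relay-api.net"}
TASK_NAME = "ClrComponent"
SIDELOAD_EXE, SIDELOAD_DLL = "claude.exe", "claude.dll"

# Assumption: hosts that legitimately contain "claude"; anything else with that
# substring is treated as a look-alike worth reviewing.
LEGIT_SUFFIXES = ("claude.ai", "anthropic.com")

# Assumption: directories where a signed vendor install of claude.exe would live.
TRUSTED_PATH_PREFIXES = ("c:\\program files", "c:\\windows")


def is_lookalike(host: str) -> bool:
    """True for hosts that imitate the Claude brand outside the legitimate zones."""
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return False
    return "claude" in host


def scan_dns_log(lines):
    """Return (line_no, host, reason) tuples for C2 or look-alike lookups.

    Assumed log format: '<timestamp> <client_ip> <queried_host>'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the hunt
        host = parts[2].lower().rstrip(".")
        if host in C2_DOMAINS:
            hits.append((n, host, "known C2/distribution domain"))
        elif is_lookalike(host):
            hits.append((n, host, "look-alike domain"))
    return hits


def scan_endpoint_events(events):
    """Flag side-loading and persistence in Sysmon-shaped event dicts.

    EventID 7 (image load): claude.exe loading claude.dll from an untrusted path.
    EventID 1 (process create): schtasks creating a task named ClrComponent.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") == 7:
            image = ev.get("Image", "").lower()
            loaded = ev.get("ImageLoaded", "").lower()
            if (image.endswith("\\" + SIDELOAD_EXE)
                    and loaded.endswith("\\" + SIDELOAD_DLL)
                    and not image.startswith(TRUSTED_PATH_PREFIXES)):
                hits.append(("dll-sideload", image, loaded))
        elif ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            if (re.search(r"schtasks(\.exe)?\s.*?/create", cmd, re.I)
                    and re.search(r'/tn\s+"?' + TASK_NAME + r'"?', cmd, re.I)):
                hits.append(("sched-task", TASK_NAME, cmd))
    return hits


# Constructed sample input: one benign lookup, two published domains, one
# unrelated CDN host, and a look-alike the report does not list.
SAMPLE_DNS = [
    "2024-01-01T10:00:00Z 10.0.0.5 www.claude.ai",
    "2024-01-01T10:00:02Z 10.0.0.5 claude-ai-pro.com",
    "2024-01-01T10:03:10Z 10.0.0.5 claude-relay-api.net",
    "2024-01-01T10:03:11Z 10.0.0.7 cdn.example-cdn.net",
    "2024-01-01T10:04:00Z 10.0.0.9 claude-pro-download.top",
]

# Constructed sample events: a side-load from Downloads, a benign vendor load
# from Program Files, and the persistence task creation.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\claude\claude.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\claude\claude.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\claude.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\claude.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /tn "ClrComponent" '
                    '/tr "C:\\Users\\alice\\Downloads\\claude\\claude.exe" /sc onlogon'},
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS) + scan_endpoint_events(SAMPLE_EVENTS):
        print(hit)
```

The look‑alike check deliberately errs toward review rather than blocking: a hostname containing the brand string is a lead for an analyst, while the two published domains and the side‑load/task pairing are strong enough to alert on directly. Swap the constructed samples for real DNS exports and Sysmon JSON to use the checks in a hunt.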