Malwarebytes researcher Stefan Dasic documented a phishing campaign that uses a fake Claude website to distribute PlugX malware. The attackers built a convincing download page offering a "Pro" version of Anthropic's AI assistant. Victims who download and install the file do get the genuine Claude application, which runs in the foreground. Behind the scenes, however, a VBScript dropper quietly copies three files into the Windows Startup folder and establishes remote access to the machine. The first command-and-control connection occurred just 22 seconds after execution.
The attack chain relies on DLL sideloading, a technique tracked as MITRE T1574.002. The dropper places a legitimately signed G DATA antivirus updater (NOVUpdate.exe) alongside a malicious DLL (avk.dll) and an encrypted data file. When the updater runs, it loads the malicious DLL instead of the real G DATA component. The technique works because the signed parent executable looks benign to security tools. The installation path contains a telltale misspelling ("Cluade" instead of "Claude"), and the dropper deletes itself after running to avoid leaving traces. The fake site also maintained active mail-sending infrastructure through the bulk email platforms Kingmailer and CampaignLark.
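To show how a defender might hunt for the load pattern described above, here is an added Python example (not code from Malwarebytes or the report) that flags Sysmon-style image-load records where a signed executable loads an unsigned DLL from its own user-writable directory. The sample records, the file paths, the signature flags and the list of user-writable directories are constructed assumptions; only the file names NOVUpdate.exe and avk.dll come from the report.

```python
from dataclasses import dataclass
from typing import List

# Constructed image-load records in the shape of Sysmon Event ID 7 fields
# (Image, ImageLoaded, Signed). Paths and signature flags are made up for
# this example; only "NOVUpdate.exe" and "avk.dll" are names from the report.
@dataclass
class ImageLoad:
    image: str           # process executable (Sysmon "Image")
    image_signed: bool   # Authenticode status of the executable
    loaded: str          # DLL that was mapped (Sysmon "ImageLoaded")
    loaded_signed: bool  # Authenticode status of the DLL

# Directories a standard user can write to (assumed list). A signed vendor
# binary loading an unsigned DLL from one of these is the T1574.002 shape.
USER_WRITABLE = ("\\appdata\\", "\\programs\\startup\\", "\\users\\public\\", "\\temp\\")

def _dirname(path: str) -> str:
    """Lower-cased parent directory of a Windows path, without trailing slash."""
    return path.lower().rsplit("\\", 1)[0]

def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed EXE loads an unsigned DLL from its own directory
    and that directory is user-writable: the sideloading pattern worth hunting."""
    same_dir = _dirname(ev.image) == _dirname(ev.loaded)
    writable = any(m in _dirname(ev.image) + "\\" for m in USER_WRITABLE)
    return same_dir and writable and ev.image_signed and not ev.loaded_signed

def hunt(events: List[ImageLoad]) -> List[ImageLoad]:
    """Return only the records that match the sideload heuristic."""
    return [ev for ev in events if is_sideload_candidate(ev)]

# Constructed sample: one lure-style load alongside three benign-looking ones.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE = [
    ImageLoad(STARTUP + r"\NOVUpdate.exe", True, STARTUP + r"\avk.dll", False),
    ImageLoad(r"C:\Windows\System32\notepad.exe", True, r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True, r"C:\Program Files\Vendor\helper.dll", True),
    # Unsigned EXE with unsigned DLL in Temp: suspicious, but not this pattern.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\build.exe", False,
              r"C:\Users\alice\AppData\Local\Temp\libz.dll", False),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE):
        print("sideload candidate:", ev.image, "->", ev.loaded)
```

The heuristic is a hunting lead rather than proof: legitimate software installed under AppData can trip it, so matches should be reviewed against the DLL's hash, its export table and the process's network activity.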
This sideloading technique isn't new. Lab52 documented the same G DATA abuse pattern in a February 2026 campaign that used fake meeting invitations as bait. PlugX itself has been tracked in espionage campaigns since at least 2008 and is consistently linked to China-aligned threat actors including Mustang Panda and APT41. The source code has circulated in underground forums, so attribution based on tooling alone remains uncertain. Claude's 290 million monthly visits make it an obvious target for this kind of social engineering.