What's Happening?
A fraudulent website mimicking Anthropic's Claude AI platform has been identified distributing a new backdoor named Beagle. The site, claude-pro[.]com, is part of a malvertising campaign that relies on Dynamic Link Library (DLL) sideloading to install the malware. It offers a fake tool called Claude-Pro Relay, downloaded as a large ZIP archive. On installation, the package drops several files into the user's Startup folder, including a legitimately signed antivirus updater and a malicious DLL. The signed updater is abused to sideload the malicious DLL, which then decrypts and executes a payload via DonutLoader, ultimately deploying the Beagle backdoor. Beagle is capable of executing shell commands, transferring files, and more. The campaign has been traced to a server set up in March 2026; it uses Cloudflare to distribute the malware and Alibaba Cloud for its command-and-control infrastructure.
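One way a defender can hunt for the delivery pattern described above, as an added example that is not code from the original brief or from any vendor: a Python heuristic run over constructed, Sysmon-style image-load records. The field names, user names, file names and paths below are assumptions for illustration, not indicators from the campaign. It flags a signed executable persisted in a user's Startup folder that loads an unsigned DLL sitting beside it, and rates the same pattern from any other user-writable directory as lower severity.

```python
"""Hunting heuristic for DLL sideloading launched from a user's Startup folder.

Added example, not code from the original brief. It scores constructed,
Sysmon-style image-load records (the field names are an assumption) against
the pattern the brief describes: a signed executable persisted in the user's
Startup folder loads an unsigned DLL that sits in the same directory.
"""
from __future__ import annotations

from collections.abc import Iterable
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Relative tail of the per-user Startup folder; Windows runs its contents at every logon.
STARTUP_MARKER = PureWindowsPath(
    r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Directories where a DLL is expected to live. Anything else is treated as user-writable.
TRUSTED_DLL_ROOTS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event: process `image` mapped `image_loaded` into memory."""
    image: str
    image_signed: bool
    image_loaded: str
    loaded_signed: bool


@dataclass(frozen=True)
class Alert:
    image: str
    image_loaded: str
    severity: str            # "high" when anchored in a Startup folder, else "medium"
    reasons: tuple[str, ...]


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive test that `path` lies inside `root`."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[: len(r)] == r


def in_startup_folder(path: str) -> bool:
    """True when the file lives in (or below) any user's Startup folder."""
    parts = [s.lower() for s in PureWindowsPath(path).parent.parts]
    marker = [s.lower() for s in STARTUP_MARKER.parts]
    n = len(marker)
    return any(parts[i : i + n] == marker for i in range(len(parts) - n + 1))


def evaluate(event: ImageLoad) -> Alert | None:
    """Return an Alert when the event matches the sideloading pattern, else None."""
    exe = PureWindowsPath(event.image)
    dll = PureWindowsPath(event.image_loaded)
    reasons: list[str] = []

    # Structural core of the technique: a trusted (signed) host loads an unsigned
    # DLL that was planted next to it, outside the normal software directories.
    if event.image_signed and not event.loaded_signed:
        reasons.append("signed process loaded an unsigned DLL")
    if exe.parent == dll.parent:  # PureWindowsPath compares case-insensitively
        reasons.append("DLL resides in the same directory as the executable")
    if not any(_under(dll, root) for root in TRUSTED_DLL_ROOTS):
        reasons.append("DLL loaded from outside Windows/Program Files")
    if len(reasons) < 3:
        return None

    # Persistence via the Startup folder is the escalator the brief describes.
    severity = "medium"
    if in_startup_folder(event.image):
        reasons.append("executable persisted in a user Startup folder")
        severity = "high"
    return Alert(event.image, event.image_loaded, severity, tuple(reasons))


def hunt(events: Iterable[ImageLoad]) -> list[Alert]:
    """Run `evaluate` over a stream of events and keep only the hits."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample telemetry; names and paths are illustrative, not IoCs.
_STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    # The brief's chain: signed updater dropped into Startup loads an unsigned DLL beside it.
    ImageLoad(_STARTUP + r"\UpdaterTool.exe", True, _STARTUP + r"\helper.dll", False),
    # Same updater installed normally, loading its own signed DLL: benign.
    ImageLoad(r"C:\Program Files\UpdaterTool\UpdaterTool.exe", True,
              r"C:\Program Files\UpdaterTool\helper.dll", True),
    # Signed process loading a signed system DLL: benign.
    ImageLoad(r"C:\Windows\System32\notepad.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
    # Signed tool run from Downloads with an unsigned DLL beside it: worth a look, not persistent.
    ImageLoad(r"C:\Users\alice\Downloads\tool\UpdaterTool.exe", True,
              r"C:\Users\alice\Downloads\tool\helper.dll", False),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.image} -> {alert.image_loaded}")
        for reason in alert.reasons:
            print(f"    - {reason}")
```

Requiring all three core conditions keeps ordinary software that loads unsigned plug-ins from its own Program Files directory out of the results; the Startup-folder check then separates a persisted loader from a one-off run. Real Sysmon Event ID 7 records carry `Image`, `ImageLoaded` and `Signed` fields, so mapping them onto `ImageLoad` is a one-line transform.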
Why Is It Important?
This development highlights the ongoing threat of cyberattacks leveraging fake websites and sophisticated malware delivery methods. The use of a signed antivirus updater to sideload malicious code underscores the challenges in detecting and preventing such attacks. The Beagle backdoor's capabilities pose significant risks to affected systems, allowing attackers to execute commands and exfiltrate data. The campaign's use of reputable cloud services for distribution and control complicates efforts to dismantle the operation, indicating a level of sophistication and persistence. This incident serves as a reminder of the importance of cybersecurity vigilance and the need for robust defenses against evolving threats.
What's Next?
Organizations and individuals are advised to remain vigilant against phishing and malvertising campaigns. Cybersecurity professionals may need to enhance monitoring and detection capabilities to identify similar threats. The use of legitimate cloud services for malicious purposes may prompt discussions on improving security measures and cooperation between service providers and cybersecurity entities. Further analysis of the Beagle backdoor and its variants could provide insights into the threat actor's tactics and potential future attacks.