A fake Claude AI installer has been found delivering the PlugX remote access trojan by abusing DLL sideloading, according to Malwarebytes. The rogue site offers a ZIP archive presented as a “pro version” installer for Claude, which drops an MSI that mimics a legitimate setup and includes a misspelled folder name to avoid suspicion.
The malware uses DLL sideloading to load a malicious avk[.]dll via a legitimately signed NOVUpdate[.]exe updater. The three dropped files, NOVUpdate[.]exe, avk[.]dll and NOVUpdate.exe[.]dat, are copied into the Windows Startup folder and launched invisibly. The dropper script then decrypts and executes the payload stored in the .dat file, a three-part structure typical of PlugX, and a VBScript deletes itself after execution to hinder analysis.
Sandbox observations show the executable contacting 8.217.190[.]58 (Alibaba Cloud) over HTTPS within 22 seconds of execution, and the research maps the behaviour to MITRE ATT&CK technique T1574.002 (DLL sideloading). The campaign combines a proven sideloading method with an AI-themed lure to trick users into running the trojanized installer.
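For defenders, the chain above has a recognisable shape: a signed executable in the per-user Startup folder loads a DLL from its own directory while an encrypted `<exe name>.dat` sits beside it. The following is an added example, not code from Malwarebytes or the write-up, that flags that triad in Sysmon-style image-load records; the `ImageLoad` record layout, the user path and the event list are constructed sample data, while the three file names come from the article.

```python
"""Added example: flag a PlugX-style sideloading triad (signed EXE in Startup,
DLL loaded from the same folder, '<exe>.dat' payload next to it) in
Sysmon-like image-load records. All event data below is constructed."""
import ntpath
from dataclasses import dataclass

STARTUP_MARKER = "\\start menu\\programs\\startup\\"   # per-user Startup folder

@dataclass(frozen=True)
class ImageLoad:                 # hypothetical record shaped like Sysmon EID 7
    process: str                 # full path of the loading executable ("Image")
    image: str                   # full path of the DLL loaded ("ImageLoaded")
    signed: bool                 # loading executable carries a valid signature

def _same_dir(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()

def find_sideload_triads(events, files_on_disk):
    """Return (exe, dll, dat) triples: a signed EXE under Startup loads a DLL
    from its own directory and a '<exe>.dat' file exists alongside it."""
    disk = {p.lower() for p in files_on_disk}
    hits = []
    for ev in events:
        if STARTUP_MARKER not in ev.process.lower() or not ev.signed:
            continue                      # not the Startup-folder loader pattern
        if not _same_dir(ev.process, ev.image):
            continue                      # DLL resolved elsewhere, e.g. System32
        dat = ev.process + ".dat"         # PlugX keeps the encrypted payload here
        if dat.lower() in disk:
            hits.append((ev.process, ev.image, dat))
    return hits

# Constructed sample data mirroring the chain described in the article.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_FILES = [rf"{STARTUP}\NOVUpdate.exe", rf"{STARTUP}\avk.dll",
                rf"{STARTUP}\NOVUpdate.exe.dat"]
SAMPLE_EVENTS = [
    ImageLoad(rf"{STARTUP}\NOVUpdate.exe", rf"{STARTUP}\avk.dll", signed=True),
    ImageLoad(rf"{STARTUP}\NOVUpdate.exe", r"C:\Windows\System32\kernel32.dll", signed=True),
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Program Files\Vendor\helper.dll", signed=True),
]

if __name__ == "__main__":
    for exe, dll, dat in find_sideload_triads(SAMPLE_EVENTS, SAMPLE_FILES):
        print(f"possible sideloading triad: {exe} -> {dll} (payload {dat})")
```

Only the avk.dll load is reported; the kernel32.dll load from System32 and the vendor tool outside Startup are ignored, which keeps the check from firing on ordinary signed software.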