www.securityweek.com, 4/13/2026 10:00:57 AM

Fake Claude site tricks users into downloading PlugX malware

A SecurityWeek article reports a fake Claude website that distributes the PlugX remote access Trojan, using a download link to a ZIP archive that supposedly contains a pro version of the Claude LLM. The site mimics the legitimate Anthropic installation chain, and the installer ultimately runs a VBScript dropper that launches the real Claude app while installing malware in the background.

According to Malwarebytes, the VBScript drops three files in the startup folder, including NOVUpdate[.]exe, a signed G DATA antivirus updater abused for DLL sideloading to execute a PlugX variant, which then creates a TCP connection to its C&C on Alibaba Cloud.
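The persistence layout described above (a signed, legitimate updater dropped into a Startup folder with a DLL beside it for sideloading) is something a defender can check for directly. The following PowerShell script is an added example, not code from the article or from Malwarebytes: it enumerates the per-user and all-users Startup folders, pairs every executable with any DLL in the same directory, and flags the combination of a validly signed EXE next to a DLL that is not validly signed. It does not assume any particular file names; it only looks for the general pattern.

```powershell
# Added example (not from the article): triage Windows Startup folders for the
# signed-EXE + sideloadable-DLL layout used by PlugX-style droppers.
# Startup folders normally hold .lnk shortcuts, so a bare .exe there is already
# unusual; an .exe with a .dll next to it is the classic sideloading arrangement.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

function Get-SideloadCandidates {
    param([string[]]$Directories)

    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        $files = Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue
        $exes  = $files | Where-Object { $_.Extension -ieq '.exe' }
        $dlls  = $files | Where-Object { $_.Extension -ieq '.dll' }

        foreach ($exe in $exes) {
            # Authenticode status of the executable ('Valid', 'NotSigned', 'HashMismatch', ...)
            $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName

            foreach ($dll in $dlls) {
                $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName

                # A vendor-signed loader paired with an unsigned DLL in a Startup
                # folder is the pattern worth escalating; sort on this column.
                [pscustomobject]@{
                    Directory    = $dir
                    Executable   = $exe.Name
                    ExeSigner    = $exeSig.SignerCertificate.Subject
                    ExeSigStatus = $exeSig.Status
                    Dll          = $dll.Name
                    DllSigStatus = $dllSig.Status
                    Suspicious   = ($exeSig.Status -eq 'Valid' -and $dllSig.Status -ne 'Valid')
                }
            }
        }

        # Executables with no DLL beside them are still worth a look: report them too.
        foreach ($exe in $exes) {
            if (-not $dlls) {
                [pscustomobject]@{
                    Directory    = $dir
                    Executable   = $exe.Name
                    ExeSigner    = (Get-AuthenticodeSignature -FilePath $exe.FullName).SignerCertificate.Subject
                    ExeSigStatus = (Get-AuthenticodeSignature -FilePath $exe.FullName).Status
                    Dll          = '(none)'
                    DllSigStatus = ''
                    Suspicious   = $true
                }
            }
        }
    }
}

Get-SideloadCandidates -Directories $startupDirs | Format-Table -AutoSize
```

Run it from an ordinary (non-elevated) PowerShell session to cover the current user's Startup folder; the all-users folder is readable without elevation as well. A hit with `Suspicious` set to `True` should be followed up by checking what the executable loads at start and whether the host has an unexpected outbound TCP connection, as the article describes for the PlugX variant.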

The infection chain was seen in February in a phishing campaign relying on fake meeting invitations to spread PlugX, with Malwarebytes noting that while PlugX has been historically linked to Chinese espionage groups, its source code has been shared among threat actors. The report, by Ionut Arghire, was published on 13 April 2026.


Article by CyberSIXT