Malwarebytes reports a fake Claude download page that serves a trojanized installer, a lure that trades on Claude's popularity (around 290 million visits per month). The ZIP contains an MSI installer that writes to a directory mimicking a legitimate Anthropic installation, complete with the misspelling "Cluade", and a VBScript dropper that leads to a signed sideloading chain.
A three-file package, NOVUpdate[.]exe, avk[.]dll and NOVUpdate.exe[.]dat, is placed in the Startup folder, where NOVUpdate[.]exe is launched as a hidden process and loads the malicious avk[.]dll via DLL sideloading (MITRE T1574.002), completing a PlugX remote-access Trojan chain. Sandbox findings from the campaign show outbound connections to 8.217.190[.]58:443 shortly after execution, an address in an Alibaba Cloud-associated range, while the dropper covers its tracks by deleting itself.
A known playbook referenced by Lab52 shares the same three-file sideloading pattern with a different payload, underscoring the reuse of a proven technique alongside a timely lure. According to Stefan Dasic, this shows how attackers pair trusted-looking software with a convincing social-engineering hook to evade detection, spoofing updates and a legitimate updater to disguise malicious activity.
10 April 2026
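As an added defender-side illustration, not code from Malwarebytes or Lab52, the script below runs the indicators described above over constructed endpoint telemetry. The event schema, the user name and the 203.0.113.10 address are assumptions; it also generalises past the named files by flagging any DLL loaded from the same Startup folder as the executable that loaded it.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the report summarised above; the C2 address is
# written undefanged so it compares equal to what telemetry records.
KNOWN_C2 = {("8.217.190.58", 443)}
SIDELOAD_TRIPLET = {"novupdate.exe", "avk.dll", "novupdate.exe.dat"}
STARTUP_SUFFIX = ("start menu", "programs", "startup")

# Constructed sample telemetry in a hypothetical schema, not a real EDR format.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"type": "file_create", "path": STARTUP + r"\NOVUpdate.exe"},
    {"type": "file_create", "path": STARTUP + r"\avk.dll"},
    {"type": "file_create", "path": STARTUP + r"\NOVUpdate.exe.dat"},
    {"type": "file_create", "path": r"C:\Program Files\Cluade\Claude.exe"},
    {"type": "image_load", "process": STARTUP + r"\NOVUpdate.exe", "image": STARTUP + r"\avk.dll"},
    {"type": "network", "process": STARTUP + r"\NOVUpdate.exe", "dst_ip": "8.217.190.58", "dst_port": 443},
    # Benign noise: a system DLL loaded from System32 and an unrelated HTTPS connection.
    {"type": "image_load", "process": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\shell32.dll"},
    {"type": "network", "process": r"C:\Windows\explorer.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
]

def is_startup_dir(directory: str) -> bool:
    """True when the directory is a per-user or all-users Startup folder."""
    parts = tuple(p.lower() for p in PureWindowsPath(directory).parts)
    return parts[-3:] == STARTUP_SUFFIX

def detect(events):
    """Return (rule, detail) hits for the sideloading chain described above."""
    hits, files_by_dir = [], defaultdict(set)
    for ev in events:
        if ev["type"] == "file_create":
            p = PureWindowsPath(ev["path"])
            files_by_dir[str(p.parent).lower()].add(p.name.lower())
            if any(part.lower() == "cluade" for part in p.parts):  # misspelled Anthropic-looking directory
                hits.append(("cluade_path", ev["path"]))
        elif ev["type"] == "image_load":
            proc, img = PureWindowsPath(ev["process"]), PureWindowsPath(ev["image"])
            # Generalised T1574.002 check: a DLL loaded from the same user-writable
            # Startup directory as the executable that loaded it, whatever its name.
            if img.suffix.lower() == ".dll" and proc.parent == img.parent and is_startup_dir(str(img.parent)):
                hits.append(("startup_sideload", f"{proc.name} -> {img.name}"))
        elif ev["type"] == "network" and (ev["dst_ip"], ev["dst_port"]) in KNOWN_C2:
            hits.append(("known_c2", f"{PureWindowsPath(ev['process']).name} -> {ev['dst_ip']}:{ev['dst_port']}"))
    # The exact three-file package from the report, dropped into any Startup folder.
    for directory, names in files_by_dir.items():
        if SIDELOAD_TRIPLET <= names and is_startup_dir(directory):
            hits.append(("sideload_triplet", directory))
    return hits
```

Running `detect(SAMPLE_EVENTS)` yields four hits (the Cluade path, the Startup-folder sideload, the known C2 connection and the three-file package) and nothing for the explorer.exe noise.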