EXECUTIVE SUMMARY:
Attackers are exploiting Claude's rapid growth (the service draws nearly 290 million web visits per month) by operating a fake website that impersonates Anthropic's Claude. The domain mimics Claude's official site, and visitors who download the offered ZIP archive receive a copy of Claude that installs and runs as expected. In the background, however, it deploys a PlugX malware chain that gives the attackers remote access to the system. The ZIP contains an MSI installer that writes to a path designed to mimic a legitimate Anthropic installation.
The installer places a shortcut on the Desktop that points not to the application but to a VBScript dropper. When launched, the dropper locates the real Claude application and runs it in the foreground, so the victim sees the behaviour they expect. The dropper then replaces the shortcut with one pointing directly to the real application, leaving the victim with a working shortcut and no visible detour on later launches. The PlugX loader, a malicious DLL, is delivered through a malicious file, and the encrypted payload is transferred over the C2 channel.
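The shortcut-to-script-host detour described above leaves a recognisable footprint in endpoint telemetry: a script host (wscript.exe or cscript.exe) started by explorer.exe with a script file as its argument, that same script host then spawning a GUI executable, and any Run-key persistence written by the script host. The following is an added detection example, not code from the original report; it runs over constructed Sysmon-style events (Event ID 1 process creation and Event ID 13 registry value set). The file paths, process GUIDs and user name in the sample events are assumptions made for the example, since the report does not publish the campaign's actual install path.

```python
import ntpath
import re

# Script hosts a VBScript dropper would run under, and the script extensions
# worth flagging as shortcut targets.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

# Constructed Sysmon-style events for the example. Paths, GUIDs and the
# "victim" user are assumptions; the real campaign's paths are not on the page.
SAMPLE_EVENTS = [
    # 1. Double-clicked Desktop shortcut launches the VBScript dropper.
    {"EventID": 1, "ProcessGuid": "{A1}", "ParentProcessGuid": "{E0}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" '
                    r'"C:\Users\victim\AppData\Local\Programs\AnthropicClaude\launcher.vbs"'},
    # 2. The dropper starts the real application in the foreground as a decoy.
    {"EventID": 1, "ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Users\victim\AppData\Local\Programs\AnthropicClaude\Claude.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Users\victim\AppData\Local\Programs\AnthropicClaude\Claude.exe"'},
    # 3. The script host writes a Run key (assumed persistence step).
    {"EventID": 13, "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ClaudeUpdater",
     "Details": r"C:\Users\victim\AppData\Local\Programs\AnthropicClaude\update.exe"},
    # 4. Benign: explorer.exe launches an application directly, no script host.
    {"EventID": 1, "ProcessGuid": "{B1}", "ParentProcessGuid": "{E0}",
     "Image": r"C:\Program Files\SomeVendor\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\SomeVendor\app.exe"'},
]

# Windows command lines: quoted tokens may contain spaces, so split on quotes first.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def args_of(cmdline):
    """Split a Windows command line into its (unquoted) arguments."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def basename(path):
    return ntpath.basename(path.strip('"')).lower()


def detect(events):
    """Return findings for the shortcut -> script host -> real app detour.

    Rule 1: explorer.exe started a script host with a script file argument
            (what a Desktop .lnk pointing at a .vbs looks like at runtime).
    Rule 2: that script host spawned an executable (the decoy foreground app).
    Rule 3: that script host set a value under a CurrentVersion\\Run key.
    """
    findings = []
    droppers = {}  # ProcessGuid of flagged script hosts -> script path

    for e in events:
        if e.get("EventID") != 1:
            continue
        if basename(e["Image"]) in SCRIPT_HOSTS and basename(e["ParentImage"]) == "explorer.exe":
            scripts = [a for a in args_of(e["CommandLine"])[1:] if a.lower().endswith(SCRIPT_EXTS)]
            if scripts:
                droppers[e["ProcessGuid"]] = scripts[0]
                findings.append({"rule": "shortcut_launched_script",
                                 "process": e["ProcessGuid"], "evidence": scripts[0]})

    for e in events:
        if e.get("EventID") == 1 and e.get("ParentProcessGuid") in droppers \
                and e["Image"].lower().endswith(".exe"):
            findings.append({"rule": "script_spawned_executable",
                             "process": e["ProcessGuid"], "evidence": e["Image"]})
        elif e.get("EventID") == 13 and e.get("ProcessGuid") in droppers \
                and "\\currentversion\\run\\" in e["TargetObject"].lower():
            findings.append({"rule": "script_set_run_key",
                             "process": e["ProcessGuid"], "evidence": e["TargetObject"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:28s} {f['process']:6s} {f['evidence']}")
```

Rule 1 alone also fires when a user double-clicks a .vbs file directly, so on its own it is a hunting lead rather than an alert; the combination of rules 1 and 2 (a script host launched from explorer.exe that immediately starts a GUI application from the same directory) is the pattern that matches the dropper behaviour described here. On a live host the same idea can be checked statically by reading the target of each Desktop .lnk and flagging any that resolve to a script host or script file.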
The campaign pairs a convincing fake Claude site with PlugX, a remote access tool long associated with espionage activity. The attackers maintain and rotate their email-sending capability across two commercial bulk-email platforms. The report does not specify the campaign's scale or the regions targeted, but the lure pattern is one to monitor for as similar impersonations of popular AI tools appear.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Command & Control | B0030 | C2 Communication |
| Impact | B0022 | Remote Access |
| Execution | E1204 | User Execution |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Command & Control | E1105 | Ingress Tool Transfer |
| Exfiltration | E1020 | Automated Exfiltration |
REFERENCES:
The following reports contain further technical details: