What does the fake Claude site do exactly?

It serves a ZIP with a working Claude clone that secretly installs PlugX RAT via DLL sideloading, granting attackers remote control.

How to remove PlugX from fake Claude install?

Kill NOVUpdate.exe in Task Manager, delete Startup files (NOVUpdate.exe, avk.dll, .dat), scan with updated AV, check C:\Program Files (x86)\Anthropic\Claude\Cluade\.

Is PlugX only targeting Claude users?

No—it's versatile, but Claude's 290M visits make it ideal now; watch for fakes on other AI tools.

📋 Compliance & Policy

Fake Claude Site Drops PlugX via Signed Antivirus Sideloading

Claude racks up 290 million monthly visits, prime bait for scammers. One fake site slips in PlugX malware through a clever DLL sideloading trick that antivirus might miss.

theAIcatchup Apr 10, 2026 3 min read

Fake Claude Pro download page showing ZIP file with PlugX malware warning overlay

⚡ Key Takeaways

Fake Claude site uses signed G Data binary for DLL sideloading to deploy PlugX RAT undetected. 𝕏
Execution chain: VBS dropper self-deletes, phones home in 22 seconds via Alibaba IP. 𝕏
AI desktop apps like Claude invite installer-based attacks; expect more as traffic surges. 𝕏

Published by

theAIcatchup

Threat intelligence. Zero noise.

#Anthropic phishing #Claude malware #DLL sideloading #PlugX RAT

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Malwarebytes Labs

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

Hidden Gemini Keys in Top Android Apps: 500 Million Users' Data on the Line

Shadow AI: Enterprises' Invisible Data Leak Factory

Microsoft's Silent Account Purge Leaves Windows Users Exposed to Unpatched Security Tools

Microsoft's 2026 Warning: Water Utilities Still One Hack Away From Chaos

Stay in the loop