Hacker News
Fake Claude Website Distributes PlugX RAT via DLL Sideloading — Malwarebytes Investigation
Malwarebytes researchers discovered a convincing fake Claude download site distributing PlugX malware through a trojanized MSI installer that mimics Anthropic's real installation chain. The installer runs the real Claude app as a decoy while deploying a VBScript dropper that abuses a signed G DATA antivirus updater for DLL sideloading. The campaign leverages bulk-email infrastructure (Kingmailer, CampaignLark) to drive traffic. A telltale misspelling — 'Cluade' in the install path — reveals the fraud.
Source
↳ Follow the thread