Donuts and Beagles: Fake Claude site spreads backdoor

    Date: 05/11/2026

    Severity: High

    Summary

    We investigated reports of a fake Claude AI website spreading malware. At first, the attack appeared similar to known PlugX campaigns because of shared techniques. Closer analysis revealed a first-stage DonutLoader payload and a previously undocumented backdoor. The malicious domain, claude-pro[.]com, closely imitates the legitimate Claude website's design and branding. The fake site itself is much simpler, however, with only a few links, most of which redirect back to its homepage.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    claude-pro.com

    license.claude-pro.com

    www.gouvvbo.top

    update-trellix.com

    IP Address:

    8.217.190.58

    Hashes (SHA-256):

    35feef0e6806c14f4ccdb4fceff8a5757956c50fb5ec9644dedae665304f9f96

    86a6ffa23e924d1afbfb31b55fe780916cf3c9a4f8c3165542fdd726783fc796

    d5590802bf0926ac30d8e31c0911439c35aead82bf17771cfd1f9a785a7bf143

    7f50afef2d6e52a160cceb5f2c9945ce89b8e923836e0e550245a46509a98851

    99cb90a3cd46650b8b766c658b7af1b8bbe54a2ac7dcf61429686fd1c548395b

    0a19870ba24aeb9d4b5dde091ef8071d76f8a5e43ac8c6f5b9f283020580a60a

    2c30c20854e1f6a493aef344cea2d114c566ebae096c3c75508f4e03d5492288

    e6d66d192a779f195426db94d2568c03a9bd0d2e8f1972aa32a0317940ae19c2

    46dea8c1af85134a7b15fc7168386eadd15474b1a6159567b24e83d8a30fc6ef

    a3c5c7253c0b3ed92e86dc5661d8530a0e8acdf8768e80362e5fe897ccb6cd84

    4457ed2e5ef770f70596735a6bac03f78e426a548335742ac761fba60f987a26

    be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f

    8ac88aeecd19d842729f000c6ab732261cb11dd15cdcbb2dd137dc768b2f12bc

    586f27257d3eaee7d4bec9e9207c317a9caeded95eca3969739d7e8181d24620

    33f0caec6f03727fc77ca656ab92cbf20fed53f0fe85a06ec9620aab5e8c9e27

    Filenames:

    Claude-Pro-windows-x64.zip

    Claude.msi

    DeviceSync.zip

    Estado de Cuenta.zip

    NOVupdate.exe

    NOVupdate.exe.dat

    avk.dll

    MpCopyAccelerator.exe

    MpClient.dll

    Windows.log

    hostfxr.dll

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "www.gouvvbo.top" or url like "www.gouvvbo.top" or siteurl like "www.gouvvbo.top" or domainname like "claude-pro.com" or url like "claude-pro.com" or siteurl like "claude-pro.com" or domainname like "license.claude-pro.com" or url like "license.claude-pro.com" or siteurl like "license.claude-pro.com" or domainname like "update-trellix.com" or url like "update-trellix.com" or siteurl like "update-trellix.com"

    Detection Query 2:

    dstipaddress IN ("8.217.190.58") or srcipaddress IN ("8.217.190.58")

    Detection Query 3:

    sha256hash IN ("a3c5c7253c0b3ed92e86dc5661d8530a0e8acdf8768e80362e5fe897ccb6cd84","35feef0e6806c14f4ccdb4fceff8a5757956c50fb5ec9644dedae665304f9f96","46dea8c1af85134a7b15fc7168386eadd15474b1a6159567b24e83d8a30fc6ef","586f27257d3eaee7d4bec9e9207c317a9caeded95eca3969739d7e8181d24620","0a19870ba24aeb9d4b5dde091ef8071d76f8a5e43ac8c6f5b9f283020580a60a","4457ed2e5ef770f70596735a6bac03f78e426a548335742ac761fba60f987a26","e6d66d192a779f195426db94d2568c03a9bd0d2e8f1972aa32a0317940ae19c2","86a6ffa23e924d1afbfb31b55fe780916cf3c9a4f8c3165542fdd726783fc796","d5590802bf0926ac30d8e31c0911439c35aead82bf17771cfd1f9a785a7bf143","7f50afef2d6e52a160cceb5f2c9945ce89b8e923836e0e550245a46509a98851","99cb90a3cd46650b8b766c658b7af1b8bbe54a2ac7dcf61429686fd1c548395b","2c30c20854e1f6a493aef344cea2d114c566ebae096c3c75508f4e03d5492288","be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f","8ac88aeecd19d842729f000c6ab732261cb11dd15cdcbb2dd137dc768b2f12bc","33f0caec6f03727fc77ca656ab92cbf20fed53f0fe85a06ec9620aab5e8c9e27")

    Detection Query 4:

    resourcename = "Windows Security" and eventtype = "4663" and objectname in ("Claude-Pro-windows-x64.zip","Claude.msi","DeviceSync.zip","Estado de Cuenta.zip","NOVupdate.exe","NOVupdate.exe.dat","avk.dll","MpCopyAccelerator.exe","MpClient.dll","Windows.log","hostfxr.dll")

    Detection Query 5:

    technologygroup = "EDR" and objectname in ("Claude-Pro-windows-x64.zip","Claude.msi","DeviceSync.zip","Estado de Cuenta.zip","NOVupdate.exe","NOVupdate.exe.dat","avk.dll","MpCopyAccelerator.exe","MpClient.dll","Windows.log","hostfxr.dll")
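    The five queries above express one idea: match proxy, network and EDR telemetry against the advisory's domains, IP, hashes and filenames. The script below is an added example, not Gurucul's or Sophos's code, that implements the same matching as a stand-alone Python check over a few constructed events. It borrows the field names used in the queries (url, domainname, siteurl, srcipaddress, dstipaddress, sha256hash, objectname) and the indicators from the list on this page; the sample events are constructed for the example and are not from the investigation. One deliberate difference from Query 1: where `like "claude-pro.com"` behaves as a plain substring match, this matcher only hits on a label boundary, so a host such as notclaude-pro.com does not match.

```python
"""Match proxy/EDR events against the IOCs published in this advisory (added example)."""
from urllib.parse import urlparse

# Indicators copied from the IOC list on this page.
IOC_DOMAINS = {
    "claude-pro.com",
    "license.claude-pro.com",
    "www.gouvvbo.top",
    "update-trellix.com",
}
IOC_IPS = {"8.217.190.58"}
IOC_SHA256 = {
    "35feef0e6806c14f4ccdb4fceff8a5757956c50fb5ec9644dedae665304f9f96",
    "86a6ffa23e924d1afbfb31b55fe780916cf3c9a4f8c3165542fdd726783fc796",
    "d5590802bf0926ac30d8e31c0911439c35aead82bf17771cfd1f9a785a7bf143",
    "7f50afef2d6e52a160cceb5f2c9945ce89b8e923836e0e550245a46509a98851",
    "99cb90a3cd46650b8b766c658b7af1b8bbe54a2ac7dcf61429686fd1c548395b",
    "0a19870ba24aeb9d4b5dde091ef8071d76f8a5e43ac8c6f5b9f283020580a60a",
    "2c30c20854e1f6a493aef344cea2d114c566ebae096c3c75508f4e03d5492288",
    "e6d66d192a779f195426db94d2568c03a9bd0d2e8f1972aa32a0317940ae19c2",
    "46dea8c1af85134a7b15fc7168386eadd15474b1a6159567b24e83d8a30fc6ef",
    "a3c5c7253c0b3ed92e86dc5661d8530a0e8acdf8768e80362e5fe897ccb6cd84",
    "4457ed2e5ef770f70596735a6bac03f78e426a548335742ac761fba60f987a26",
    "be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f",
    "8ac88aeecd19d842729f000c6ab732261cb11dd15cdcbb2dd137dc768b2f12bc",
    "586f27257d3eaee7d4bec9e9207c317a9caeded95eca3969739d7e8181d24620",
    "33f0caec6f03727fc77ca656ab92cbf20fed53f0fe85a06ec9620aab5e8c9e27",
}
IOC_FILENAMES = {
    "claude-pro-windows-x64.zip", "claude.msi", "devicesync.zip",
    "estado de cuenta.zip", "novupdate.exe", "novupdate.exe.dat", "avk.dll",
    "mpcopyaccelerator.exe", "mpclient.dll", "windows.log", "hostfxr.dll",
}


def normalize_host(value):
    """Lowercase hostname from a URL or bare host; also accepts defanged '[.]' input."""
    v = value.strip().lower().replace("[.]", ".")
    if "://" in v:
        v = urlparse(v).hostname or ""
    else:
        v = v.split("/", 1)[0].split(":", 1)[0]  # drop any path or port
    return v.rstrip(".")


def host_hits(value):
    """Return the IOC domain that value equals or is a subdomain of, else None.

    Matching is on a label boundary, so 'notclaude-pro.com' is not a hit.
    The longest candidate wins so 'license.claude-pro.com' reports itself,
    not its parent 'claude-pro.com'.
    """
    host = normalize_host(value)
    matches = [d for d in IOC_DOMAINS if host == d or host.endswith("." + d)]
    return max(matches, key=len) if matches else None


def basename_lower(path):
    """Filename portion of a Windows or POSIX path, lowercased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()


def match_event(event):
    """Return a list of (field, indicator) pairs that hit; an empty list means clean."""
    hits = []
    for field in ("url", "domainname", "siteurl"):
        if field in event:
            dom = host_hits(event[field])
            if dom:
                hits.append((field, dom))
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field, "").strip() in IOC_IPS:
            hits.append((field, event[field].strip()))
    digest = event.get("sha256hash", "").strip().lower()
    if digest in IOC_SHA256:
        hits.append(("sha256hash", digest))
    if "objectname" in event:
        name = basename_lower(event["objectname"])
        if name in IOC_FILENAMES:
            hits.append(("objectname", name))
    return hits


def scan(events):
    """Return only the events that produced at least one hit, paired with their hits."""
    results = []
    for event in events:
        hits = match_event(event)
        if hits:
            results.append((event, hits))
    return results


# Constructed sample events (not from the advisory), keyed by the query field names.
SAMPLE_EVENTS = [
    {"url": "https://license.claude-pro.com/activate", "dstipaddress": "8.217.190.58"},
    {"objectname": r"C:\Users\alice\Downloads\Claude-Pro-windows-x64.zip",
     "sha256hash": "35FEEF0E6806C14F4CCDB4FCEFF8A5757956C50FB5EC9644DEDAE665304F9F96"},
    {"url": "https://claude.ai/login", "dstipaddress": "203.0.113.10"},
    {"domainname": "notclaude-pro.com"},  # substring of an IOC, but a different domain
]

if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS):
        print(hits, "<-", event)
```

    Hash comparison is case-insensitive and filename comparison is on the basename only, so a full path from a 4663 event or an EDR record matches the same way the objectname clauses in Queries 4 and 5 do.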

    Reference:

    https://www.sophos.com/en-us/blog/donuts-and-beagles-fake-claude-site-spreads-backdoor


    Tags

    Malware, Backdoor, AI, PlugX, Fake software
