A website that may be linked to the threat actor | Image: Sophos X-Ops
As the popularity of generative AI tools soars, cybercriminals are increasingly capitalizing on the hype to deploy sophisticated malware. According to a new investigation by Sophos X-Ops, threat actors have launched a deceptive website mimicking Anthropic’s Claude AI to distribute a novel malware payload.
The campaign centers around a fraudulent domain, claude-pro[.]com, which was designed to look like a premium or developer-focused Claude service. The fake site mirrors the genuine site’s fonts and color palettes to trick unsuspecting users, although researchers noted that “the fake version is noticeably simplistic, with only a handful of links – most of which redirect to the site’s front page”.
This tactic aligns with a growing industry trend where attackers are actively “crafting lures that imitate legitimate AI sites (often as part of malvertising campaigns)” to compromise tech-savvy targets.
When Sophos X-Ops initially analyzed the threat, the attack chain’s characteristics strongly resembled those typical of PlugX malware campaigns. Closer inspection, however, revealed a different and more concerning picture: the researchers found “a first-stage DonutLoader payload, followed by what is, to our knowledge, a previously undocumented backdoor”.
The attack leverages a specific sideloading chain involving G DATA artifacts—a technique previously heavily associated with PlugX operations. The deployment of an entirely new backdoor instead of the expected payload suggests an evolution in adversary tactics. Sophos notes this “may therefore be an example of a threat actor retooling (e.g., retaining the same infection chain, but swapping PlugX for an alternative), or imitating an infection chain used by another threat actor”.
The threat actors behind this campaign have taken deliberate steps to protect their operations from security researchers and law enforcement. Sophos X-Ops observed that while both the malware distribution and the Command and Control (C2) operate under the same domain, they utilize distinctly different hosting infrastructures.
The initial malware distribution was funneled through Cloudflare, while the C2 servers were hosted on Alibaba Cloud. This split-infrastructure setup was likely chosen “potentially to add some friction to disruption and takedown opportunities”.
Furthermore, researchers identified a relatively unique XOR key used in this campaign that also appears in other malware samples featuring varying payloads and infection chains. While this could indicate that attackers are actively “tweaking and swapping tactics, techniques, and procedures (TTPs),” Sophos cautions that further evidence would be required to definitively link all these disparate samples to a single, unified threat actor.
As AI tools remain highly sought after by developers and enterprise users alike, security teams must remain vigilant against simplistic but effective lures offering “supercharged” or “pro” versions of popular platforms.