Sophos Exposes Fake Claude AI Campaign Spreading Sophisticated Malware

Security researchers at Sophos X-Ops have uncovered a sophisticated campaign in which threat actors exploit the strong interest in artificial intelligence to distribute malware. The operation centers on a deceptive website that convincingly mimics the official interface of Claude, the AI assistant developed by Anthropic.

To drive traffic to the fake site, the attackers used search engine optimization (SEO) and malicious search ads. By manipulating search results, they redirected users looking for legitimate AI tools to the counterfeit domain.

This approach allows threat actors to target people who are actively seeking AI-related tools and downloads, increasing the likelihood of a successful infection.

Reworking familiar attack chains

Initial analysis suggested the campaign followed a well-known PlugX attack chain, a technique commonly used by various threat groups. Sophos researchers found, however, that while the techniques appeared familiar, the payload was in fact a previously unknown backdoor.

This indicates that attackers are actively evolving established attack methods to deliver new, harder-to-detect malware rather than relying on older, static strategies.

The technical execution of the attack is particularly notable because legitimate software components are abused to evade security defenses.

The infection chain involves a trusted, digitally signed antivirus component that is abused through a technique known as DLL sideloading. This allows malicious code to run under the guise of a legitimate process, making detection and blocking by traditional security products more difficult.

Memory-based loaders and advanced malware

The campaign employs a memory-resident Donut loader to execute its malicious instructions. Donut is a framework for generating position-independent shellcode that executes VBScript, JScript and .NET assemblies directly in system memory.

By avoiding writing files to disk, attackers reduce their digital footprint and can bypass many EDR (Endpoint Detection and Response) systems that primarily monitor file creation and modification.

Extensive network of fake domains

The investigation shows the fake Claude site is not an isolated incident. Sophos researchers identified a broader network of suspicious infrastructure and several copycat domains. Some of those sites even impersonated well-known security vendors, suggesting the operation is part of a larger, organized cybercriminal ecosystem.

The wider network demonstrates a high level of planning and resource allocation. By imitating security companies and well-known technology vendors, the attackers attempt to inspire trust and appear legitimate even to cautious users.

Researchers note that this multifaceted approach highlights how quickly emerging technology trends can be exploited by organized cybercriminal groups.

Sophos head of threat research, Gabor Szappanos, commented:

“This as-yet-unattributed campaign, which uses a fake Claude site as a cover for a malicious advertising operation, is the latest in a series of attacks where threat actors abuse popular AI brands to distribute malware and backdoors.”

He continued:

“What really stands out is the extensive effort to avoid detection. The attackers reused established techniques like DLL sideloading while swapping out the payload to evade traditional security tools.”

“In this case a signed antivirus update from G DATA was abused to sideload a malicious DLL that decrypted and executed Donut shellcode before deploying a previously unknown backdoor we call ‘Beagle.’”

Researchers also observed the same XOR key reused across several Donut-related samples earlier in the year, suggesting long-term development of the actors’ TTPs (Tactics, Techniques and Procedures).

At the same time, malware distribution and the command-and-control infrastructure lived under the same domain but were deliberately hosted across different cloud providers to complicate takedown and tracking efforts.

AI hijacking expected to rise

As AI tools become more widespread in both personal and professional settings, researchers expect this type of “AI hijacking” to increase.

Rather than focusing solely on anomalous application behavior—such as legitimate security tools loading unexpected DLL files—Sophos recommends organizations enforce stricter policies that allow software to be downloaded only from official, verified sources.

Recommendations for organizations

The research underscores the importance of verifying the source of all software downloads. Organizations and individuals are advised to exercise caution with AI-related tools or applications distributed outside official marketplaces or developers’ own websites.

Security teams should also monitor for anomalies in system memory and investigate attempts at DLL sideloading, even when legitimate, signed executables are involved.
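
One way to triage the sideloading pattern described above, as an added example that is not from Sophos or the original article: it flags a DLL loaded from the same directory as a signed executable when the DLL is unsigned or signed by someone else, and raises severity when that executable runs outside normal install roots. The record schema, signer names, file names and paths are constructed, and the list of trusted roots is an assumption to tune per environment.

```python
import ntpath

# Roots where vendor-signed software is normally installed (assumption; tune per fleet).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed records: (process path, process signer, DLL path, DLL signer or None if unsigned).
SAMPLE_EVENTS = [
    (r"C:\Program Files\ExampleAV\updater.exe", "Example AV Vendor",
     r"C:\Program Files\ExampleAV\engine.dll", "Example AV Vendor"),
    (r"C:\Users\alice\AppData\Local\Temp\setup\updater.exe", "Example AV Vendor",
     r"C:\Users\alice\AppData\Local\Temp\setup\engine.dll", None),
    (r"C:\Users\alice\AppData\Local\Temp\setup\updater.exe", "Example AV Vendor",
     r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    (r"C:\Program Files\ExampleAV\updater.exe", "Example AV Vendor",
     r"C:\Program Files\ExampleAV\plugin.dll", "Other Publisher"),
]


def _norm(path):  # lower-case and normalize a Windows path for stable comparison
    return ntpath.normcase(ntpath.normpath(path))


def assess_image_load(process, process_signer, dll, dll_signer):
    """Return (severity, reasons); severity is None when the load is not flagged."""
    if not process_signer:
        return None, []  # rule scope: signed host executables only
    if ntpath.dirname(_norm(process)) != ntpath.dirname(_norm(dll)):
        return None, []  # sideloading relies on the application-directory search
    reasons = []
    if dll_signer is None:
        reasons.append("unsigned DLL beside signed executable")
    elif dll_signer != process_signer:
        reasons.append("DLL signer differs from executable signer")
    if not reasons:
        return None, []
    outside = not _norm(process).startswith(TRUSTED_ROOTS)
    if outside:
        reasons.append("signed executable running outside install roots")
    return ("high" if outside else "medium"), reasons


def triage(events):
    """Return (severity, process, dll, reasons) for every flagged record."""
    flagged = []
    for process, process_signer, dll, dll_signer in events:
        severity, reasons = assess_image_load(process, process_signer, dll, dll_signer)
        if severity:
            flagged.append((severity, process, dll, reasons))
    return flagged
```

A signer mismatch inside an install root is kept at medium because third-party plugins legitimately produce it; the high-severity case is the signed binary copied to a user-writable directory next to an unsigned DLL.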

As attackers continue to refine their delivery methods, strong digital awareness and clear software procurement policies remain among the most effective defenses against social engineering–based campaigns of this kind.