# Someone Is Impersonating Claude to Install Chinese Malware. We Found the C2 Cluster.

- Writer: Patrick Duggan
- 4 days ago
- 4 min read


A fake website offering a "Pro" version of Claude — the AI assistant built by Anthropic, the same AI that powers our threat intelligence platform — is distributing PlugX, a remote access trojan used almost exclusively by Chinese state-nexus espionage groups. Malwarebytes published the analysis on April 10. SecurityWeek picked it up this morning.


This is personal for us. We are a Claude-powered platform. Our customers use Claude. Our operations run on Claude. When someone impersonates Claude to install a Chinese government RAT, the people targeted are our people.


We indexed the IOCs. Then we hunted. Here is what we found.


## The attack

The fake site offers a download called Claude-Pro-windows-x64.zip. The ZIP contains an MSI installer that installs to a path mimicking Anthropic's real install directory — with a deliberate misspelling: C:\Program Files (x86)\Anthropic\Claude\Cluade\. The misspelling evades string-matching detection while looking legitimate to a casual observer.


The installer launches a real, working Claude application in the foreground. The victim sees Claude. It works. They use it. Meanwhile, the installer copies three files to the Windows Startup folder: a legitimate G DATA security updater (NOVUpdate.exe), a malicious DLL (avk.dll), and an XOR-encrypted payload (NOVUpdate.exe.dat). On next boot, the G DATA updater loads the malicious DLL via DLL sideloading, which decrypts and executes PlugX in memory.


PlugX beacons to its command-and-control server within 22 seconds of execution. The C2 is at 8.217.190.58 on port 443. That IP is on Alibaba Cloud.


## The C2 cluster

When we indexed the C2 IP and cross-referenced it against our 1.07 million IOCs, we found it is not alone. The 8.217.0.0/16 Alibaba Cloud range contains four other C2 nodes already in our threat feed:


- 8.217.47.190 — SSL Blacklist: Unknown malware C2
- 8.217.211.42 — Behavioral Detection Energy score 80
- 8.217.212.0 — Behavioral Detection Energy score 80
- 8.217.212.86 — Behavioral Detection Energy score 80


Five C2 nodes in the same Alibaba Cloud /16. The new PlugX node sits in the same infrastructure neighborhood as four previously identified malware command-and-control servers. This is not a coincidence. This is a hosting pattern — Chinese APT operators using Alibaba Cloud international hosting for C2 infrastructure because it provides geographic deniability while remaining under Chinese jurisdiction.


## The Alibaba thread

This is the third time this week that Alibaba infrastructure has appeared in our investigations.


On Saturday, we published a three-part investigation into a persistent probe of our STIX/TAXII threat intelligence feed. The actor — operating from AT&T Wireless near Kennedy Space Center — used a GitHub handle belonging to a developer at Alibaba Group in Beijing as the collection identifier in their TAXII polling script. That developer's active secondary account runs a Chinese-language AI tools blog covering Claude Code and LLM benchmarks.


Today, the PlugX RAT impersonating Claude phones home to Alibaba Cloud.


One is an Alibaba employee's GitHub handle on a STIX feed probe. The other is Alibaba Cloud hosting a PlugX C2 server for a fake Claude installer. Different operations, different actors, different techniques. Same company's infrastructure. Same week.


We are not attributing these operations to Alibaba Group the company. We are observing that Alibaba's infrastructure — both its employee base and its cloud hosting — appears across multiple concurrent Chinese cyber operations targeting AI-adjacent surfaces. The observations are documented. The correlation is in our index.


## Who is behind it

Malwarebytes did not formally attribute the campaign. PlugX source code leaked years ago, which broadens the operator pool. However, the DLL sideloading technique using a G DATA security updater was documented by Lab52 in February 2026 specifically in the context of Mustang Panda / TA416 operations. Mustang Panda is the most prolific PlugX operator since 2012 and is running a parallel PlugX campaign against European diplomatic targets this same month.


Likely operator: Mustang Panda / TA416 (also tracked as Earth Preta, RedDelta, BRONZE PRESIDENT, Twill Typhoon). Confidence approximately 70%. State-nexus espionage, not financially motivated.


## What we indexed

Five IOCs are now in our STIX feed, searchable at analytics.dugganusa.com:


- The ZIP archive hash (SHA-256): 35FEEF0E6806C14F4CCDB4FCEFF8A5757956C50FB5EC9644DEDAE665304F9F96
- The PlugX loader DLL hash: d5590802bf0926ac30d8e31c0911439c35aead82bf17771cfd1f9a785a7bf143
- The encrypted payload hash: 8ac88aeecd19d842729f000c6ab732261cb11dd15cdcbb2dd137dc768b2f12bc
- The legitimate-but-abused G DATA loader hash: be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f
- The C2 IP: 8.217.190.58 (Alibaba Cloud, port 443)


All five are in our STIX feed as of this morning. All 275+ consumers in 46 countries received them automatically.


## What to tell your users

The only legitimate place to download Claude is claude.ai or claude.com. Anthropic does not distribute a "Pro" installer via third-party websites. If you downloaded Claude from anywhere other than those two domains, check your Windows Startup folder for NOVUpdate.exe. If it is there and you did not install G DATA security software, you are compromised.
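The Startup-folder check above, and the drop chain described in "The attack" (misspelled `Cluade` install path, the `NOVUpdate.exe` / `avk.dll` / `NOVUpdate.exe.dat` sideloading triad), as an added detection example that is not the platform's code: it scans a file inventory of `(path, sha256)` pairs and reports hash hits, the lookalike install path, the complete triad in any Startup folder, and a `NOVUpdate.exe` in Startup on a host with no G DATA product. The inventory is constructed (paths and the two all-zero / all-one digests are made up; the four real digests are the ones listed in "What we indexed"); `PureWindowsPath` is used so the logic runs anywhere, and the severity scale is an assumption.

```python
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# SHA-256 IOCs from the post, lowercased so comparisons are case-insensitive.
IOC_HASHES = {
    "35feef0e6806c14f4ccdb4fceff8a5757956c50fb5ec9644dedae665304f9f96": "Claude-Pro-windows-x64.zip",
    "d5590802bf0926ac30d8e31c0911439c35aead82bf17771cfd1f9a785a7bf143": "avk.dll (PlugX loader)",
    "8ac88aeecd19d842729f000c6ab732261cb11dd15cdcbb2dd137dc768b2f12bc": "NOVUpdate.exe.dat (encrypted payload)",
    "be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f": "NOVUpdate.exe (legitimate G DATA updater, abused)",
}
# The three files the installer drops into the Startup folder for DLL sideloading.
TRIAD = {"novupdate.exe", "avk.dll", "novupdate.exe.dat"}

SEVERITY_ORDER = ["none", "medium", "high", "critical"]  # assumed scale for this example

# Constructed inventory: an infected user profile plus benign and lookalike entries.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
INVENTORY = [
    (STARTUP + r"\NOVUpdate.exe", "be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f"),
    (STARTUP + r"\avk.dll", "d5590802bf0926ac30d8e31c0911439c35aead82bf17771cfd1f9a785a7bf143"),
    (STARTUP + r"\NOVUpdate.exe.dat", "8ac88aeecd19d842729f000c6ab732261cb11dd15cdcbb2dd137dc768b2f12bc"),
    (STARTUP + r"\OneDrive.lnk", "1" * 64),                       # constructed benign entry
    (r"C:\Program Files (x86)\Anthropic\Claude\Cluade\claude.exe", "0" * 64),  # lookalike path, constructed digest
    (r"C:\Users\alice\Downloads\Claude-Pro-windows-x64.zip",
     "35FEEF0E6806C14F4CCDB4FCEFF8A5757956C50FB5EC9644DEDAE665304F9F96"),
    (r"C:\Program Files\G DATA\NOVUpdate.exe",                     # constructed: same binary in a vendor path
     "be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f"),
]


def is_startup_dir(p: PureWindowsPath) -> bool:
    return p.name.lower() == "startup"


def scan(inventory, gdata_installed: bool = False):
    """Return (severity, kind, location, detail) findings for an inventory of (path, sha256)."""
    findings = []
    by_dir = defaultdict(set)
    for path, sha in inventory:
        p = PureWindowsPath(path)
        by_dir[str(p.parent)].add(p.name.lower())
        digest = sha.lower()
        if digest in IOC_HASHES:
            # The abused G DATA binary is legitimate; it is the Startup location that matters.
            sev = "high" if is_startup_dir(p.parent) else "medium"
            findings.append((sev, "ioc_hash", path, IOC_HASHES[digest]))
        if any(part.lower() == "cluade" for part in p.parts):
            findings.append(("high", "misspelled_install_path", path,
                             "Anthropic\\Claude\\Cluade lookalike directory"))
    for d, names in by_dir.items():
        if not is_startup_dir(PureWindowsPath(d)):
            continue
        if TRIAD <= names:
            findings.append(("critical", "sideload_triad", d,
                             "NOVUpdate.exe + avk.dll + NOVUpdate.exe.dat together in Startup"))
        if "novupdate.exe" in names and not gdata_installed:
            findings.append(("high", "updater_in_startup", d,
                             "G DATA updater in Startup on a host without G DATA"))
    return findings


def summarize(findings) -> Counter:
    return Counter(kind for _, kind, _, _ in findings)


def max_severity(findings) -> str:
    return max((sev for sev, _, _, _ in findings), key=SEVERITY_ORDER.index, default="none")


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f)
    print("verdict:", max_severity(scan(INVENTORY)))
```

Hash matches alone are kept at medium because the G DATA updater's digest is also what a genuine install would produce; the folder-level checks are what separate "a legitimate binary exists" from "a legitimate binary has been planted next to a DLL it will load at logon".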


If you are a DugganUSA customer: our platform runs Claude server-side via API. You do not need to install Claude locally to use our services. The fake installer does not affect our infrastructure.


## The pattern

Chinese state-nexus actors are targeting AI infrastructure and AI users specifically. The Spylandia investigation documented intelligence collection against a STIX feed. The fake Claude campaign distributes espionage malware to AI users. The UCloud Hong Kong probe mapped our API surface with spoofed mobile user agents. Three operations, one week, one country, one target category: the people and systems that build with and rely on AI.


The AI ecosystem is the new target surface. The trust people place in AI tools — the download, the install, the API key — is the vector. Same pattern as every other attack this week: trust is the vector.


— Patrick


- Search for PlugX IOCs: analytics.dugganusa.com/api/v1/search?q=PlugX
- Read the Spylandia investigation: dugganusa.com/post/one-ip-one-script-100-000-requests-who-is-polling-our-stix-feed-from-the-space-coast
- STIX feed (free): analytics.dugganusa.com/api/v1/stix-feed
- Register: analytics.dugganusa.com/stix/register
