Ethical Hacking News
A sophisticated phishing scheme has been uncovered that uses DLL sideloading and PlugX RAT to distribute malware. The fake Claude AI installer masquerades as a legitimate AI-powered chatbot, tricking users into downloading a malicious archive. This operation highlights the evolving tactics employed by attackers seeking to exploit the popularity of AI tools for nefarious purposes.
Pierluigi Paganini exposes a phishing scheme using AI tools to distribute a malicious PlugX remote access trojan (RAT). The scam exploits DLL sideloading to evade detection by traditional antivirus software. A fake website masquerading as the Anthropic Claude service is used to trick users into downloading a ZIP archive containing malicious code. The malware uses a three-part structure comprising a signed executable, a DLL, and an encrypted payload, all hallmarks of the PlugX malware family. The PlugX RAT has historically been linked to Chinese espionage operations but is now widely circulated among cybercrime communities. The malware exploits the popularity of AI tools to deceive users into installing it by presenting itself as a legitimate AI-powered service.
Pierluigi Paganini
April 14, 2026
In a chilling exposé of the darker side of artificial intelligence (AI), security researchers have uncovered a sophisticated phishing scheme that exploits the popularity of AI tools to distribute a malicious PlugX remote access trojan (RAT). This cunning scam leverages DLL sideloading, a technique notorious for its ability to evade detection by traditional antivirus software, to deliver a payload of malicious code to unsuspecting victims.
At the heart of this operation lies a fake website masquerading as the Anthropic Claude service, a legitimate AI-powered chatbot. This ruse is designed to trick users into downloading a ZIP archive purportedly containing a "pro version" installer for the Claude chatbot. However, upon closer inspection, researchers have found that this archive actually contains a malicious DLL (Dynamic Link Library) and an encrypted payload. The latter, once decrypted and executed, unleashes the PlugX RAT, granting attackers remote access to compromised systems.
The malware's propagation vector is ingenious, relying on DLL sideloading to bypass traditional security measures. By leveraging legitimate signed executable files from G DATA, a reputable antivirus provider, the attackers subvert the system's trust mechanism. This allows the malicious DLL to load into memory without arousing suspicion, thereby enabling the PlugX RAT to establish a foothold in the victim's system.
Sandbox analysis of the malware reveals a three-part structure comprising a signed executable, the aforementioned DLL, and an encrypted payload — all hallmarks of the PlugX malware family. This notorious RAT has historically been linked to Chinese espionage operations but has since gained widespread circulation among cybercrime communities.
In its current iteration, the malware exploits the surging popularity of AI tools to deceive users into installing it. By presenting itself as a legitimate AI-powered service, the attackers cleverly sidestep traditional security defenses and lure unsuspecting victims into downloading the malicious archive.
To evade detection, the VBScript (Visual Basic Scripting) component of the malware deploys a self-deleting mechanism that removes both the script and a temporary batch file shortly after execution. This leaves only the sideloading files and active process behind, making it challenging for security researchers to detect the malware's presence.
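The three behaviours described above (a loader in a user-writable folder pulling in an unsigned DLL from the same folder, an extracted archive made of signed EXE + DLL + opaque encrypted blob, and a script that deletes itself seconds after it is written) each leave a trace a defender can look for. The following is an added example, not code from the article or from any of the cited researchers: it runs three simple checks over constructed, Sysmon-shaped sample events (EID 7 ImageLoad, EID 11 FileCreate, EID 23 FileDelete) and over a constructed in-memory archive listing. File names, paths and timestamps are invented for illustration; the G DATA executable name is not on the page, so a placeholder is used.

```python
import math
import ntpath
from datetime import datetime, timedelta

# Directories a standard user cannot normally write to; everything else
# (Downloads, Temp, an extracted archive) is treated as user-writable.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_user_writable(path):
    return not path.lower().startswith(PROTECTED_PREFIXES)


def shannon_entropy(data):
    """Bits per byte: ~8.0 for encrypted/random data, much lower for PE or text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_sideload_candidates(events):
    """EID 7: a process running from a user-writable directory loads an unsigned
    DLL from that same directory. This is the classic sideloading shape."""
    hits = []
    for ev in events:
        if ev["EventID"] != 7:
            continue
        exe, dll = ev["Image"], ev["ImageLoaded"]
        same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
        if (dll.lower().endswith(".dll") and same_dir
                and is_user_writable(dll) and ev["Signed"] == "false"):
            hits.append((exe, dll))
    return hits


def find_short_lived_scripts(events, window_seconds=60):
    """EID 11 (FileCreate) followed by EID 23 (FileDelete) of the same script file
    within the window; a self-deleting dropper script looks exactly like this."""
    created, hits = {}, []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        name = ev.get("TargetFilename", "")
        if name.lower().rsplit(".", 1)[-1] not in ("vbs", "bat", "cmd", "ps1"):
            continue
        key = name.lower()
        if ev["EventID"] == 11:
            created[key] = ev["UtcTime"]
        elif ev["EventID"] == 23 and key in created:
            age = ev["UtcTime"] - created[key]
            if age <= timedelta(seconds=window_seconds):
                hits.append((name, age.total_seconds()))
    return hits


def triad_in_archive(files, entropy_threshold=7.0):
    """Flag an extracted archive holding an .exe, a .dll and an opaque
    high-entropy blob (the encrypted payload). files: {name: bytes}."""
    exes = [n for n in files if n.lower().endswith(".exe")]
    dlls = [n for n in files if n.lower().endswith(".dll")]
    blobs = [n for n, data in files.items()
             if not n.lower().endswith((".exe", ".dll"))
             and shannon_entropy(data) >= entropy_threshold]
    return bool(exes and dlls and blobs), blobs


# --- constructed sample telemetry (not a real capture) ---------------------
T0 = datetime(2026, 4, 14, 3, 10, 0)
DROP = "C:\\Users\\alice\\Downloads\\ClaudePro\\"   # hypothetical extraction folder
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": T0, "Image": DROP + "signed_loader.exe",
     "ImageLoaded": DROP + "helper.dll", "Signed": "false"},
    {"EventID": 7, "UtcTime": T0, "Image": DROP + "signed_loader.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "UtcTime": T0, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 11, "UtcTime": T0 + timedelta(seconds=1),
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.vbs"},
    {"EventID": 23, "UtcTime": T0 + timedelta(seconds=4),
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.vbs"},
    {"EventID": 11, "UtcTime": T0 + timedelta(seconds=5),
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
]
SAMPLE_ARCHIVE = {
    "signed_loader.exe": b"MZ" + b"\x00" * 4094,      # placeholder PE stub
    "helper.dll": b"MZ" + b"\x90" * 4094,             # placeholder PE stub
    "payload.dat": bytes(range(256)) * 16,            # uniform bytes, entropy 8.0
}

if __name__ == "__main__":
    print("sideload candidates:", find_sideload_candidates(SAMPLE_EVENTS))
    print("short-lived scripts:", find_short_lived_scripts(SAMPLE_EVENTS))
    print("archive triad:", triad_in_archive(SAMPLE_ARCHIVE))
```

Each check alone produces noise (legitimate installers also load private DLLs, and build tools create and delete scripts), so in practice the three signals are correlated by host and time window before alerting. Sysmon reports deletions as EID 23 or EID 26 depending on configuration; the example uses 23 only.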
The PlugX RAT is notorious for its ability to establish persistent access to compromised systems, granting attackers a high degree of control over infected machines. Its propagation vectors are often linked to Chinese espionage operations, although recent instances have highlighted the malware's widespread reuse among cybercrime groups worldwide.
In conclusion, this exposé highlights the evolving tactics employed by malicious actors seeking to exploit the popularity of AI tools for nefarious purposes. As security professionals, it is essential to remain vigilant against such threats and stay informed about emerging techniques used by attackers to compromise systems.
Published: Tue Apr 14 03:28:16 2026 by llama3.2 3B Q4_K_M