Originally published on satyamrastogi.com

Analysis of PlugX RAT distribution through counterfeit Claude website. Exploitation chain combines DLL sideloading with supply chain targeting. Attack methodology, detection evasion, and hardening strategies for development environments.

---

PlugX RAT via Fake Claude: DLL Sideloading Supply Chain Attack

Executive Summary

Attackers deployed PlugX remote access trojan through a counterfeit Anthropic Claude website, leveraging DLL sideloading to bypass application whitelisting and execute arbitrary code. The campaign targets developers and security professionals seeking legitimate AI tools, exploiting trust in open-source and productivity software distribution channels.

This attack demonstrates a critical pattern: as defensive security increases around traditional malware delivery mechanisms, adversaries shift to high-trust targets (developers, researchers, security engineers) who paradoxically operate with lower scrutiny on their workstations. The use of DLL sideloading coupled with application spoofing creates a detection and response window measured in hours, not days.

Key indicators: legitimate-appearing installer, side-by-side DLL placement, registry-free code execution, memory-resident C2 callbacks, and anti-forensic cleanup routines.

Attack Vector Analysis

This campaign combines multiple MITRE ATT&CK techniques to establish persistent remote access while evading detection across layered defenses:

Initial Access: T1566.002 - Phishing: Spearphishing Link
Attackers registered domains mimicking Anthropic's infrastructure (e.g., claude-install[.]ai, anthropic-tools[.]io). SEO poisoning and targeted LinkedIn outreach directed victims to fake landing pages hosting the malicious installer. Social engineering copy referenced legitimate Claude features and recent updates, creating temporal urgency. Attackers likely monitored Anthropic's public announcements and release schedules to time distribution campaigns.

Execution: T1559.001 - Inter-Process Communication: Component Object Model
T1036.003 - Masquerading: Rename System Utilities**
The installer executable (typically named claude-installer.exe, claude-setup.exe) performs DLL sideloading by loading a legitimately-signed system DLL (commonly mscoree.dll, version.dll, or msvcp140.dll) from the application directory. The malicious DLL mirrors legitimate function exports while injecting PlugX initialization code. This technique exploits T1574.001 - Hijacking Execution Flow: DLL Search Order Hijacking by placing the malicious library in the working directory where Windows locates it before system32.

Code execution flow:

1. claude-installer.exe launches
2. Loads benign-looking installer UI (legitimate code copied from Claude setup)
3. During installation, creates side-by-side DLL in %TEMP% or %APPDATA%
4. Installer loads legitimate system DLL from local path
5. Malicious DLL export forwarding executes PlugX dropper
6. C2 beacon established before "Setup Complete" dialog
7. Installer finishes normally; victim sees Claude ready to use

Persistence: T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys
PlugX establishes persistence through registry modifications (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) with entries disguised as Windows service names. The malware uses run-key entries naming conventions that blend into legitimate startup processes (e.g., "MicrosoftEdgeUpdate", "AdobeResourceSynchronizer"). Some variants create scheduled tasks under the guise of Windows Defender updates or cloud sync services.

Defense Evasion: T1036.005 - Masquerading: Match Legitimate Name or Location
T1562.001 - Impair Defenses: Disable or Modify Tools**
The malware employs several anti-forensic techniques:

• Temporary file cleanup immediately after execution
• Registry artifact deletion after establishing persistence
• Disabling Windows Defender real-time protection (attempted)
• Clearing recent document history and Windows prefetch entries
• Removing event log entries containing PlugX file handles or process creation data

This cleanup strategy is critical to operational success. Unlike commodity malware that leaves forensic breadcrumbs, PlugX targets appear designed for dwell time and lateral movement. By removing installer artifacts within minutes, the attack reduces SOC mean-time-to-detect (MTTD) to window where developer workstation activity is highest and anomalies blend into normal behavior.

Technical Deep Dive

DLL Sideloading Mechanics

The attack exploits a fundamental Windows behavior: the OS searches for DLL dependencies in the current working directory before system directories. When claude-installer.exe (signed, legitimate-appearing executable) runs, it triggers legitimate DependencyWalker calls for runtime libraries.

Wildcard example showing the exploitation:

// Legitimate call within installer
LoadLibrary("msvcp140.dll");

// Windows searches:
// 1. InstallDirectory\msvcp140.dll [ATTACKER-CONTROLLED]
// 2. System32\msvcp140.dll [Legitimate, never reached]

Malicious DLL structure mirrors the legitimate export table:

// Malicious msvcp140.dll
#pragma comment(linker, "/export:?_Xlenpos@?$basic_string@DU?$char_traits@D@std@@?$allocator@D@2@@std@@QEBAHXZ=_Xlenpos_forwarded")

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
 if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
 // Execute PlugX initialization
 PlugXDropper();
 // Forward legitimate exports to real msvcp140
 ForwardExports();
 }
 return TRUE;
}

The forwarding mechanism ensures the legitimate application continues functioning, preventing immediate user-observed failures that would trigger incident response.

PlugX Command & Control

PlugX is a well-documented remote access trojan with capabilities including:

• File transfer and execution
• Process and registry manipulation
• Reverse shell access
• Credential harvesting from browser and mail clients
• Screenshot and keylogging
• Proxy functionality for lateral movement

Recent variants use encrypted command channels over HTTPS or DNS tunneling, making network detection difficult without TLS interception or DNS logging. C2 servers are typically hosted on compromised infrastructure or fast-flux networks, rotating every 12-48 hours.

Detection Strategies

Host-Based Indicators

1. Process Execution Chain Analysis

   • Monitor for unsigned installers loading system DLLs from non-standard locations
   • Correlate process creation with DLL LoadLibrary calls via ETW (Event Tracing for Windows)
   • Alert on parent-child process relationships where temporary directories execute code

2. File System Monitoring

   • Track unsigned executables in %TEMP% launching legitimate system DLLs
   • Flag DLL files in user-writable directories matching export tables of system libraries
   • Monitor %APPDATA% for sideloaded DLL creation within seconds of installer execution

3. Registry Artifacts

   • Query HKCU\Software\Microsoft\Windows\CurrentVersion\Run for recently-added entries
   • Cross-reference run-key values against legitimate Windows services (Microsoft-published list)
   • Detect rapid registry cleanup patterns (write + delete within <5 minutes)

Network-Based Indicators

• DNS requests to claude-.io, anthropic-.ai, or similar typosquatting domains
• HTTPS C2 traffic with PlugX-associated certificate fingerprints or JA3 signatures
• DNS over HTTPS (DoH) queries to suspicious destinations (indicates evasion of DNS filtering)
• Outbound connections from developer workstations to non-standard ports (>10000) during business hours

EDR/XDR Detections

Advanced endpoint detection should focus on behavioral chains rather than static indicators:

ALERT: Unsigned installer + DLL sideloading + registry persistence setup
SEVERITY: Critical
WINDOW: 60 seconds

Detection: 
1. Process creates child process in temp directory
2. Child process loads DLL from same directory
3. DLL is signed by different publisher than parent
4. Registry run-key modification within 30 seconds

Mitigation & Hardening

Immediate Actions (24 hours)

1. Threat Hunt on Developer Workstations

   • Query for instances of claude-installer, claude-setup, or variant names
   • Search file system for unsigned DLLs in user directories
   • Review installation logs and confirm source legitimacy

2. DNS Blocking

   • Block claude-.io, anthropic-.ai, and known typosquatting variants at DNS layer
   • Query DNS logs for any internal resolution attempts (indicate potential lateral movement)

3. Credential Rotation

   • Force password reset for any users who executed the installer
   • Rotate SSH keys on affected developer machines
   • Review cloud API token access logs for anomalies

Medium-Term Hardening (1-4 weeks)

1. Application Whitelisting

   • Deploy Windows Defender Application Control (WDAC) or AppLocker on developer machines
   • Whitelist only approved installers by publisher certificate
   • Monitor for bypass attempts (kernel-mode exploitation of whitelisting services)

2. DLL Loading Restrictions

   • Implement CWE-426: Untrusted Search Path mitigations
   • Use SetDefaultDllDirectories() to restrict DLL search paths
   • Enforce secure DLL search order via registry: HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode (enable)

3. Software Supply Chain Verification

   • Establish SBOMs (Software Bill of Materials) for all development tools
   • Verify cryptographic signatures on all installers before execution
   • Use SLSA framework principles for software provenance verification

4. Developer Workstation Hardening

   • Require MFA for all developer environments
   • Implement device compliance policies (require antivirus, firewall, disk encryption)
   • Restrict outbound HTTPS to whitelisted domains
   • Enable Credential Guard on Windows Pro/Enterprise builds

Detection Tuning (Ongoing)

1. Behavioral Analytics

   • Train models on "normal" developer workstation behavior
   • Alert on anomalies: unusual process chains, unexpected network destinations, registry patterns
   • Use MITRE ATT&CK Navigator to map detection coverage against PlugX TTPs

2. Threat Intelligence Integration

   • Subscribe to PlugX C2 IP/domain feeds from threat intel providers
   • Correlate internal DNS/proxy logs against known malicious infrastructure
   • Monitor for typosquatting domain registration patterns

Key Takeaways

• DLL Sideloading Remains Effective: Despite 15+ years of documented exploitation, DLL search order hijacking bypasses modern defenses by leveraging legitimate application trust. Application whitelisting alone is insufficient; implement secure DLL loading policies at the OS level.

• Developer Workstations = High-Value Targets: Security professionals and developers represent asymmetric value targets. They have elevated privileges, access to sensitive repositories, and often operate with lower scrutiny due to frequent legitimate tool installation. Hardening this population yields disproportionate detection/prevention gains.

• Supply Chain Spoofing Will Escalate: This attack demonstrates why LLM Subscription Tier Economics: Attack Surface Expansion in AI-as-a-Service creates operational risk. As AI tools proliferate in enterprise, social engineering attacks will increasingly target legitimate-seeming installers. Verify all software sources through direct vendor links, not search results.

• Anti-Forensic Cleanup is Signature: Rapid file and registry cleanup is a detection vector. Normal installers leave artifacts for support/troubleshooting. Malware cleanup patterns can trigger behavioral alerts even if initial execution evades detection.

• Lateral Movement Risk Dominates: PlugX on a developer workstation creates runway for lateral movement to version control systems, CI/CD infrastructure, and production environments. Threat hunting should focus on forward lateral movement indicators (git operations, credential access, persistence mechanisms on connected systems).

Related Articles

Smart Slider 3 Pro Backdoor: Plugin Update Supply Chain Compromise - Similar DLL injection patterns in legitimate software update mechanisms

CPUID Supply Chain: API Hijacking & Malware Distribution - Developer-targeted supply chain compromise with credential harvesting

Credential-Based Attacks: Detection Evasion & Business-As-Usual Breaches - Post-compromise movement patterns following successful malware deployment