{"id":60971,"date":"2026-07-01T17:00:00","date_gmt":"2026-07-01T17:00:00","guid":{"rendered":"https:\/\/www.theregister.com\/a\/5264692"},"modified":"2026-07-01T17:00:00","modified_gmt":"2026-07-01T17:00:00","slug":"red-teamers-turned-claude-desktop-into-a-double-agent-to-do-their-evil-bidding","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/red-teamers-turned-claude-desktop-into-a-double-agent-to-do-their-evil-bidding\/","title":{"rendered":"Red teamers turned Claude Desktop into a double agent to do their evil bidding"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/image.theregister.com\/5248788.jpg?imageId=5248788&amp;x=0&amp;y=0&amp;cropw=100&amp;croph=100&amp;panox=0&amp;panoy=0&amp;panow=100&amp;panoh=100&amp;width=1200&amp;height=683\" class=\"ff-og-image-inserted\"><\/div>\n<p><span class=\"font-weight-bold m-font-weight-bold tertiary color_mobile_tertiary\" data-lab-font_weight=\"font-weight-bold\" data-lab-text_color=\"tertiary\">EXCLUSIVE<\/span> Pentera Labs\u2019 red teamers compromised a developer\u2019s AI agent via his Claude Desktop app and ultimately turned that access into full remote code execution on the dev\u2019s machine \u2013 demonstrating how an attacker could turn a trusted, chatty AI assistant into a double agent operating on their behalf.<\/p>\n<p>\u201cClaude\u2019s got a new voice,\u201d Pentera&#8217;s offensive security services team leader Dvir Avraham told <span class=\"italic m-italic \" data-lab-italic=\"italic\">The Register<\/span>.&nbsp;<\/p>\n<p>\u201cWe acknowledge the huge trust in AI models&nbsp;\u2013 everybody uses them,\u201d he said in a phone interview. \u201cWe used this trust to manipulate the victim, like under the hood, the victim didn&#8217;t see it coming.\u201d<\/p>\n<p>It also prompted Avraham to check his own platforms. \u201cI became a little bit paranoid,\u201d he told us. 
\u201cI&#8217;m not allowing any command to run without me examining it twice.\u201d<\/p>\n<p>In a report set to publish Wednesday, and shared in advance exclusively with <span class=\"italic m-italic \" data-lab-italic=\"italic\">The Register,<\/span> Avraham and research technical lead Reef Spektor detailed the attack and what it means for organizations using agentic AI tools with local code-execution access.<\/p>\n<p>It began with a red-team assignment on a third-party platform that aggregates customer email inboxes into a single management interface. Avraham and Spektor won\u2019t name the platform, or tell us exactly how they gained access to it. They used this compromised inbox&nbsp;\u2013 and told us any compromised inbox would work&nbsp;\u2013 to get into the victim\u2019s Claude account.<\/p>\n<p>As the duo noted, breaking into an email inbox in real life&nbsp;\u2013 via a <a href=\"https:\/\/www.theregister.com\/security\/2026\/06\/09\/france-probes-compromise-of-gov-messaging-platform-after-account-hijack\/5252717\">third-party management platform<\/a>, <a href=\"https:\/\/www.theregister.com\/security\/2026\/06\/22\/gizmodo-readers-hit-with-clickfix-malware-prompts-after-account-compromise\/5259226\">phishing link<\/a>, <a href=\"https:\/\/www.theregister.com\/special-features\/2026\/03\/23\/voice-phishing-skyrockets-as-smooth-crims-talk-their-way-in\/5223759\">social engineering password reset<\/a>, or even using AI agents \u2013 isn\u2019t too difficult. 
\u201cAI agents today have access to connectors and to direct MCPs into inboxes,\u201d Spektor added.<\/p>\n<p>In addition to this prerequisite (compromised inbox), the attack chain also requires the victim to have <a href=\"https:\/\/www.theregister.com\/security\/2026\/04\/20\/claude-desktop-changes-software-permissions-without-consent\/5219674\">Claude Desktop<\/a> installed. Anthropic\u2019s desktop app works across macOS, Windows, and Linux systems. It provides the same AI chat for conversations as claude.ai, and it also syncs across all devices and sessions tied to the user\u2019s account.&nbsp;<\/p>\n<p>\u201cWe asked ourselves, can we leverage the sync behavior to infect other sessions and devices? (hint: yes!),\u201d the red teamers wrote in the Wednesday report.<\/p>\n<h3>Back to the AI Stone Age<\/h3>\n<p>As of January, the desktop app also includes Cowork for longer agentic tasks, and Code for software development. So, for example, a user can send Claude a task from their phone and instruct it to work on their computer. As Anthropic <a href=\"https:\/\/claude.com\/product\/cowork\" rel=\"nofollow\">says<\/a>: \u201cAnything you can do on your computer, Claude can do. Open apps, fill spreadsheets, navigate your browser. 
No setup, no passwords handed off.\u201d<\/p>\n<p>The Cowork feature now makes Pentera Labs\u2019 attack scenario even easier.<\/p>\n<p>However, when the security analysts were doing this research in November 2025, \u201cback in the Stone Age in terms of AI, you didn&#8217;t have Cowork or Claude Code, so we needed a way to actually execute commands because we wanted to take over the machine,\u201d Avraham said.<\/p>\n<p>For this part, they took a keen interest in Claude Desktop\u2019s <a href=\"https:\/\/support.claude.com\/en\/articles\/10185728-understanding-claude-s-personalization-features\" rel=\"nofollow\">personalization features<\/a>. These are account-wide settings that tell the AI agent the user\u2019s preferred approach and general communication instructions, along with more specific project instructions, such as guidelines for a particular workflow, or defined roles Claude should adopt within a project.<\/p>\n<p>The red teamers developed a base64-encoded prompt that instructed Claude to check for command-capable tools on the developer\u2019s machine and execute the command if available, or produce a fake error message if not, prompting the user to download a tool that will execute the attacker\u2019s commands.&nbsp;Then they pasted the prompt into the victim\u2019s personal preferences on Claude, and this prompt syncs across all of the user\u2019s devices. This ensures that the next time the user opens Claude Desktop and types in a chat, the poisoned instructions are loaded into their preferences and will silently run behind the scenes.<\/p>\n<p>The user thinks they are simply interacting with Claude as usual. They don\u2019t see Claude checking to see what extensions and tools are installed.&nbsp;<\/p>\n<p>If the user already has <a href=\"https:\/\/github.com\/wonderwhy-er\/DesktopCommanderMCP\" rel=\"nofollow\">Desktop Commander<\/a> or a similar MCP connector or extension installed, the poisoned instructions tell Claude to use it. This allows the attacker, via Claude, to execute a stealthy reverse shell or other malicious code. \u201cAnd from there it&#8217;s full compromise of the machine,\u201d Avraham said.<\/p>\n<h3>Phishing &#8211; but without the email<\/h3>\n<p>However, if there aren\u2019t any command-capable tools installed, then Claude becomes what the researchers describe as a \u201cphishing layer.\u201d (They also noted that if they had performed this research more recently, not back in November, the Claude Cowork feature would have eliminated this entire tool enumeration and phishing phase because Cowork can execute commands on a user\u2019s behalf.)<\/p>\n<p>The injected prompt instructs Claude to present a realistic-looking error as soon as the victim asks the chatbot a question. This includes a realistic error code, a link that purports to be a fix, and step-by-step instructions.&nbsp;<\/p>\n<p>\u201cThis message tells the victim: \u2018please download this,\u2019 and we took links from the actual Anthropic site, with known emojis that the AI loves,\u201d Avraham said.&nbsp;<\/p>\n<p>Because the error message looks real and people usually trust their AI assistant, they will likely click on the link and execute the attacker-controlled command.<\/p>\n<p>\u201cFrom here, the attacker has full command execution&nbsp;\u2013 reverse shells, data exfiltration, credential harvesting, whatever the objective calls for,\u201d the duo wrote. 
\u201cIn our case, we had Claude curl a remote server we controlled on every interaction, fetching and executing whatever bash commands we served back. We could rotate those commands server side at will, effectively turning Claude into a persistent, stealthy C2 agent that the victim themselves kept feeding.\u201d<\/p>\n<p>In this specific case, the target was a developer who had credentials and access to several internal systems. After compromising the dev\u2019s workstation&nbsp;\u2013 which gave the red teamers a foothold into the organization \u2013 they moved laterally across the company using various attack vectors that they declined to tell us about, citing customer privacy and proprietary methods.&nbsp;<\/p>\n<p>But, Spektor added, <a href=\"https:\/\/www.theregister.com\/security\/2026\/02\/25\/nextjs-jobseekers-targeted-with-malicious-interview-repos\/5192390\">developers<\/a> make for an \u201cexcellent starting point for an attacker,\u201d because of their <a href=\"https:\/\/www.theregister.com\/security\/2026\/06\/26\/miasma-campaign-poisons-20-plus-npm-packages-hunts-for-developer-secrets\/5262886\">access to secrets<\/a> including <a href=\"https:\/\/www.theregister.com\/security\/2026\/04\/28\/ongoing-supply-chain-attack-targets-security-dev-tools\/5226665\">API keys, tokens, and cloud credentials<\/a>, which allows intruders to <a href=\"https:\/\/www.theregister.com\/security\/2026\/05\/15\/openai-caught-in-tanstack-npm-supply-chain-chaos-after-employee-devices-compromised\/5241019\">move from a single workstation<\/a> into the larger organization\u2019s cloud environment. 
From there, they\u2019ve got free rein to <a href=\"https:\/\/www.theregister.com\/security\/2026\/04\/02\/mercor-says-it-was-one-of-thousands-hit-in-litellm-attack\/5222276\">steal source code<\/a> and other sensitive data, or <a href=\"https:\/\/www.theregister.com\/cyber-crime\/2026\/06\/26\/amazon-q-flaw-let-booby-trapped-git-repos-execute-code-swipe-cloud-creds\/5263202\">poison internal git repositories<\/a>, and cause all sorts of pain for enterprises as we&#8217;ve seen play out multiple times across several recent attacks.<\/p>\n<h3>Feature, not a bug<\/h3>\n<p>The team reported their findings to Anthropic back in November, and the AI company essentially said it\u2019s Claude Desktop <a href=\"https:\/\/www.theregister.com\/security\/2026\/04\/19\/ai-vendors-response-to-security-flaws-it-wasnt-me\/5228722\">working as intended<\/a>&nbsp;\u2013 a feature, not a bug.<\/p>\n<p>\u201cAfter reviewing your submission, we&#8217;ve determined this doesn&#8217;t represent a security vulnerability that falls within our program scope,\u201d Anthropic said. \u201cOur current threat model treats personal preferences, skills, and MCP connectors as features that can execute code through Claude Desktop by design. While we recognize these features can be leveraged to execute arbitrary code when manipulated, this represents expected functionality rather than a security vulnerability in our infrastructure.\u201d<\/p>\n<p><span class=\"italic m-italic \" data-lab-italic=\"italic\">The Register<\/span> reached out to Anthropic for comment and did not receive any response.<\/p>\n<p>The red teamers, however, have some suggestions to keep your organization safer from rogue AI agents.<\/p>\n<p>First, for anyone using agents or chatbots: pay close attention to what the AI can do on your machine, and don\u2019t blindly follow install prompts or error messages. 
\u201cIf you can, run it on a sandbox and not on your personal computer,\u201d Spektor said.&nbsp;<\/p>\n<p>Security teams should treat AI desktop apps as \u201cprivileged software\u201d as they can execute code, read files, and interact with local tools. \u201cMonitor for changes of AI assistant configurations and synced settings,\u201d the researchers wrote. \u201cRestrict which extensions and tools can be installed alongside AI apps.\u201d<\/p>\n<p>And finally, red teams should add AI desktop apps to their assessment toolbox, Avraham and Spektor noted: \u201cThere&#8217;s a real attack surface here that most engagements don\u2019t cover yet.\u201d \u00ae<\/p>\n<p> <img decoding=\"async\" src=\"https:\/\/image.theregister.com\/?imageId=5248788&#038;width=800\">READ MORE <a href=\"https:\/\/www.theregister.com\/security\/2026\/07\/01\/red-teamers-turned-claude-desktop-into-a-double-agent-to-do-their-evil-bidding\/5264692\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> People trust their AI assistants and it&#8217;s easy to abuse this trust READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":60972,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[307],"class_list":["post-60971","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-register","tag-security"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60971","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60971"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60971\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/60972"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60971"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60971"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60971"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}