In early 2025, the release of DeepSeek-R1, a powerful reasoning large language model, spurred both public interest and cybercriminal activity: multiple fake websites appeared that distributed malware disguised as the official DeepSeek client. The malicious scripts collect sensitive data from victims’ computers, posing a significant threat to individuals and organizations. Affected: DeepSeek, victims of phishing scams, users of online services, organizations with sensitive data.
Key points:
- DeepSeek-R1 was released as an open-weight large language model in 2025.
- Cybercriminals launched fake websites mimicking the official DeepSeek site to distribute malicious software.
- Fake websites were hosted on various domains that included terms related to DeepSeek versions.
- Malicious downloads are disguised as legitimate applications, leading to data theft.
- Specific malware is designed to steal cookies, credentials, and other sensitive information.
- Some fake websites use geofencing to mislead users from specific regions, offering different content.
- The malicious installers are often spread through social media posts that advertise the fake sites.
- Users are advised to verify website URLs to avoid malicious sites.
- Certain attacks are specifically targeted at Chinese-speaking users.
- Digital hygiene and advanced security solutions are recommended to mitigate risks.
MITRE Techniques:
- T1195 – Supply Chain Compromise: Fake websites distributing malware under the guise of a reputable service.
- T1070 – Indicator Removal on Host: Malware utilizing disguises, such as renaming legitimate files to avoid detection.
- T1027 – Obfuscated Files or Information: Scripts and executables employing obfuscation to hide malicious features.
- T1203 – Exploitation for Client Execution: Users tricked into executing a malicious installer downloaded from fake sites.
- T1047 – Windows Management Instrumentation: Use of PowerShell for executing malicious commands remotely.
Indicators of Compromise:
- [Domain] r1-deepseek[.]net
- [Domain] v3-deepseek[.]com
- [Domain] deepseek-pc-ai[.]com
- [Domain] deepseek-ai-soft[.]com
- [MD5] 4ef18b2748a8f499ed99e986b4087518
- [MD5] 155bdb53d0bf520e3ae9b47f35212f16
- [MD5] 6d097e9ef389bbe62365a3ce3cbaf62d
- [MD5] 3e5c2097ffb0cb3a6901e731cdf7223b
- [MD5] e1ea1b600f218c265d09e7240b7ea819
- [MD5] 7cb0ca44516968735e40f4fac8c615ce
- [MD5] 7088986a8d8fa3ed3d3ddb1f5759ec5d
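As an added example (not part of this summary or the Securelist article), the Python snippet below turns the indicators listed above into a simple detection check: it refangs the domains, matches URL hosts in proxy log lines (including subdomains), and compares file MD5 digests against the hash list. The log lines, file paths and the all-zero digest are constructed for illustration.

```python
import re

# Indicators from the report, kept in the defanged form the page publishes them in.
DEFANGED_DOMAINS = ("r1-deepseek[.]net", "v3-deepseek[.]com",
                    "deepseek-pc-ai[.]com", "deepseek-ai-soft[.]com")
MD5_HASHES = {
    "4ef18b2748a8f499ed99e986b4087518", "155bdb53d0bf520e3ae9b47f35212f16",
    "6d097e9ef389bbe62365a3ce3cbaf62d", "3e5c2097ffb0cb3a6901e731cdf7223b",
    "e1ea1b600f218c265d09e7240b7ea819", "7cb0ca44516968735e40f4fac8c615ce",
    "7088986a8d8fa3ed3d3ddb1f5759ec5d",
}

def refang(domain: str) -> str:
    """Turn a defanged indicator such as r1-deepseek[.]net back into a real hostname."""
    return domain.replace("[.]", ".").strip().lower()

BAD_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def host_matches(host: str) -> bool:
    """True when host is an indicator domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == bad or host.endswith("." + bad) for bad in BAD_DOMAINS)

HOST_RE = re.compile(r"https?://([^/:\s]+)")

def scan_proxy_log(lines):
    """Return (line_number, host) for every line whose URL points at an indicator domain."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = HOST_RE.search(line)
        if match and host_matches(match.group(1)):
            hits.append((number, match.group(1).lower()))
    return hits

def scan_file_hashes(records):
    """records: iterable of (path, md5_hex). Return the paths whose MD5 is an indicator."""
    return [path for path, md5 in records if md5.lower() in MD5_HASHES]

# Constructed sample input for illustration; these are not real log entries.
SAMPLE_LOG = [
    "2025-02-14T10:02:11Z 10.0.0.12 GET https://www.deepseek.com/ 200",
    "2025-02-14T10:05:43Z 10.0.0.12 GET https://r1-deepseek.net/download/DeepSeek-R1-Setup.exe 200",
    "2025-02-14T10:06:02Z 10.0.0.15 GET http://cdn.deepseek-pc-ai.com/client.zip 200",
    "2025-02-14T10:07:30Z 10.0.0.15 GET https://example.com/?q=deepseek-ai-soft.com 200",
]
SAMPLE_FILES = [  # (path, MD5); the all-zero digest is a constructed non-match
    (r"C:\Users\u\Downloads\DeepSeek-R1-Setup.exe", "4EF18B2748A8F499ED99E986B4087518"),
    (r"C:\Users\u\Downloads\notes.txt", "0" * 32),
]
```

Line 4 of the sample log shows why the check keys on the URL host rather than on a substring match: an indicator domain appearing in a query string of an unrelated site is not a hit.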
Full Story: https://securelist.com/backdoors-and-stealers-prey-on-deepseek-and-grok/115801/