Kaspersky Investigates: Cybercriminals Exploit DeepSeek AI for Malicious Campaigns

10 Apr 2025


Kaspersky researchers have uncovered a sophisticated cyber deception campaign where hackers exploited the rising popularity of DeepSeek AI—an emerging generative AI chatbot—to distribute malware disguised as legitimate software. This campaign has generated over 1.2 million views on the social media platform X, highlighting the extensive reach of these malicious activities.

The investigation, conducted by Kaspersky's Threat Research and AI Technology Research teams, revealed that cybercriminals created deceptive replicas of the official DeepSeek website using domain names such as "deepseek-pc-ai[.]com" and "deepseek-ai-soft[.]com". A notable tactic in this campaign was geofencing: the malicious sites checked each visitor's IP address and served different content depending on the visitor's geographic location. This let the attackers tailor the lure to specific regions and reduce the chance that researchers or automated scanners saw the malicious version of the page.

"This campaign showcases a level of sophistication that surpasses typical social engineering attacks," stated Vasily Kolesnikov, senior malware analyst at Kaspersky Threat Research. "Attackers capitalized on the current excitement surrounding generative AI technology, skillfully combining targeted geofencing, compromised business accounts, and coordinated bot networks to reach a wide audience while evading cybersecurity measures."

The primary distribution method for this campaign was through the social media platform X. Cybercriminals compromised the account of a legitimate Australian company to disseminate fraudulent links widely. A single malicious post garnered significant attention, achieving approximately 1.2 million impressions and hundreds of reposts, primarily from coordinated bot accounts with similar naming conventions and profile characteristics, indicating a deliberate effort to amplify the malicious content.

Visitors lured to these fraudulent websites were directed to download a counterfeit DeepSeek client application. Instead of the genuine software, the sites delivered malicious installers built with the Inno Setup installation platform. Once executed, the installers attempted to connect to remote command-and-control servers to retrieve Base64-encoded PowerShell scripts. These scripts activated Windows' built-in SSH service, reconfigured it with attacker-controlled keys, and thereby gave the attackers unauthorized remote access to the compromised systems.
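The infection chain above leaves a recognisable trace: a PowerShell command line carrying a Base64 argument that, once decoded, references the OpenSSH server. The following Python is an added example for defenders, not code from Kaspersky or from the campaign; it decodes `-EncodedCommand` arguments from process-creation log lines and flags scripts that touch `sshd` or the `administrators_authorized_keys` file. The indicator list, the helper names and the sample log lines are constructed for this example.

```python
import base64
import re
from typing import Dict, List, Optional

# Indicators taken from the campaign description: the installer ran Base64-encoded
# PowerShell that enabled the built-in OpenSSH server and replaced its keys.
# The keyword list is an assumption for this example, not Kaspersky's detection logic.
SSH_INDICATORS = (
    "sshd",
    "administrators_authorized_keys",
    "openssh.server",
)

# Matches the short and long spellings of PowerShell's encoded-command switch.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        # PowerShell encodes the script as UTF-16LE before Base64.
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_command_line(cmdline: str) -> Dict[str, object]:
    """Decode the command line if needed and look for SSH-enablement indicators."""
    decoded = decode_encoded_command(cmdline)
    text = (decoded if decoded is not None else cmdline).lower()
    hits = [token for token in SSH_INDICATORS if token in text]
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": hits,
        "alert": bool(hits),
    }


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    return [scan_command_line(line) for line in lines]


def _encode_for_powershell(script: str) -> str:
    """Produce the Base64/UTF-16LE form PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample log lines (process command lines), not data from the page.
# The second one mirrors the behaviour the article describes: an encoded script
# that turns on the OpenSSH server service.
SAMPLE_SCRIPT = "Set-Service -Name sshd -StartupType Automatic; Start-Service sshd"
SAMPLE_LOGS = [
    'powershell.exe -NoProfile -Command "Get-Date"',
    f"powershell.exe -NoProfile -EncodedCommand {_encode_for_powershell(SAMPLE_SCRIPT)}",
    "cmd.exe /c whoami",
]

if __name__ == "__main__":
    for entry in scan_logs(SAMPLE_LOGS):
        if entry["alert"]:
            print("ALERT:", entry["indicators"], "in", entry["decoded"])
```

In production the command lines would come from Sysmon event 1 or Windows event 4688, and the decoded script should be retained alongside the alert so an analyst can see which keys were written to `administrators_authorized_keys`.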

All malware associated with this campaign is proactively identified and blocked by Kaspersky security products, including variants of Trojan-Downloader.Win32.TookPS.*.

To enhance security, Kaspersky recommends the following precautions:

Meticulously check URLs: Fraudulent AI websites often use domain names that closely resemble legitimate services but contain subtle differences. Before downloading any AI software, verify that the website URL matches the official domain exactly, without additional words, hyphens, or spelling variations.

Utilize comprehensive security protection: Implement a robust security solution like Kaspersky Premium on all devices to detect and block malicious installers and websites before they can compromise your system.

Keep software updated: Many security vulnerabilities exploited by malware can be mitigated by installing the latest versions of your operating system and applications, particularly security software.
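The first recommendation, checking that a URL matches the official domain exactly, can be turned into a small allowlist check. The Python below is an added example and not code from Kaspersky; it treats `deepseek.com` as the assumed official domain, accepts the defanged `[.]` notation used in the article, and classifies any other host that still contains the brand name (with extra words, hyphens or a deceptive subdomain) as a lookalike. The two-label "registrable domain" rule is a simplification that ignores public suffixes such as `.co.uk`.

```python
import re
from urllib.parse import urlsplit

# Assumed official domain for the purposes of this example.
OFFICIAL_DOMAINS = {"deepseek.com"}
# Brand tokens whose presence in a non-official host marks a lookalike.
BRAND_TOKENS = ("deepseek",)


def refang(url: str) -> str:
    """Turn the defanged form used in reports (example[.]com) back into a real URL."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    if "//" not in url:
        url = "https://" + url
    return url


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a download URL."""
    host = urlsplit(refang(url)).hostname
    if not host:
        return "invalid"
    host = host.lower()
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    # Collapse separators so "deep-seek", "deepseek-pc-ai" or "deepseek.com.evil"
    # still reveal the brand token.
    flat = re.sub(r"[^a-z0-9]", "", host)
    if any(token in flat for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # The first two hosts are the ones named in the article; the rest are constructed.
    for candidate in (
        "deepseek-pc-ai[.]com",
        "deepseek-ai-soft[.]com",
        "https://www.deepseek.com/",
        "https://deepseek.com.download-mirror.example/",
        "https://example.org/",
    ):
        print(f"{candidate:50} -> {classify_url(candidate)}")
```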

By staying vigilant and following these guidelines, users can better protect themselves from the evolving landscape of cyber threats.
