Stealers and backdoors are spreading under the guise of a DeepSeek client

March 6, 2025, 3:41 p.m.

Description

Cybercriminals are exploiting the popularity of DeepSeek, a widely used reasoning large language model, by creating fake websites that mimic the official DeepSeek chatbot site and distribute malware disguised as a desktop client. Three main schemes were identified: a Python stealer that targets user data and credentials, a malicious script spread through social media posts, and backdoors aimed at Chinese users. Victims are lured through several methods, including typosquatted domains and paid ad traffic. Users are advised to check website addresses carefully and to be cautious of unverified links, especially those for popular services. The distributed malware includes stealers, backdoors, and trojans, which can lead to data theft and remote access to victims' computers.

Date

  • Created: March 6, 2025, 12:31 p.m.
  • Published: March 6, 2025, 12:31 p.m.
  • Modified: March 6, 2025, 3:41 p.m.

Indicators

Attack Patterns

  • Farfli
  • T1059.006
  • T1132.001
  • T1218.011
  • T1074
  • T1059.001
  • T1547.001
  • T1056.001
  • T1555
  • T1071.001
  • T1070.004
  • T1005
  • T1055
  • T1204
  • T1140
  • T1041
  • T1566

Additional Information

  • China