Kaspersky Uncovers Cyberattack Exploiting DeepSeek AI Hype
Cybersecurity firm Kaspersky has uncovered a sophisticated cyber deception campaign leveraging public interest in DeepSeek AI, a popular generative AI chatbot, to distribute malware through fraudulent websites.
According to Kaspersky’s Threat Research and AI Technology Research teams, cybercriminals created fake replicas of DeepSeek AI’s official website, using deceptive domain names such as “deepseek-pc-ai[.]com” and “deepseek-ai-soft[.]com” to lure victims. A key tactic in this campaign was the use of geofencing technology, which allowed the attackers to modify website content based on a visitor’s location—enhancing their ability to evade detection.
“This campaign is more advanced than typical social engineering attacks,” said Vasily Kolesnikov, Senior Malware Analyst at Kaspersky. “The attackers capitalized on the current AI boom, integrating targeted geofencing, compromised business accounts, and bot-driven amplification to spread malware while avoiding cybersecurity defenses.”
Social Media as a Launchpad
The primary distribution method for this malware campaign was X (formerly Twitter). Attackers hijacked the social media account of an Australian company, using it to share malicious links. The fraudulent post reached 1.2 million impressions and received hundreds of reposts, many of which came from bot accounts – suggesting a coordinated effort to amplify the attack.
How the Malware Works
Users who accessed the fake DeepSeek AI websites were prompted to download a counterfeit DeepSeek client application. Instead of the legitimate software, they unknowingly installed malicious programs disguised as installers. These malware-laden files:
- Contacted remote command-and-control servers
- Downloaded Base64-encoded PowerShell scripts
- Activated Windows’ built-in SSH service
- Reconfigured SSH with attacker-controlled keys to enable full remote access
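The chain described above leaves host telemetry a defender can match on: a PowerShell process launched with an encoded command line, the sshd service transitioning to running, and a write to the administrators_authorized_keys file that Windows OpenSSH consults for administrator logins. The following is an added example (not Kaspersky's code and not derived from the samples they analysed) that decodes the Base64/UTF-16LE payload PowerShell's -EncodedCommand switch expects and scores a small set of constructed, Sysmon-style JSON events; the installer name, user name and event schema are assumptions for the sample.

```python
import base64
import json
import re
from typing import List, Optional, Tuple


def _enc(ps: str) -> str:
    """PowerShell -EncodedCommand takes Base64 over UTF-16LE text."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real events); one JSON object per line.
# The installer name, user and paths are placeholders for the scenario.
SAMPLE_EVENTS: List[str] = [
    json.dumps({"event": "process_create",
                "image": r"C:\Users\alice\Downloads\DeepSeek-Setup.exe",
                "cmdline": r"C:\Users\alice\Downloads\DeepSeek-Setup.exe"}),
    json.dumps({"event": "process_create",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "parent": r"C:\Users\alice\Downloads\DeepSeek-Setup.exe",
                "cmdline": "powershell.exe -nop -w hidden -EncodedCommand "
                           + _enc("Start-Service sshd; Set-Service sshd -StartupType Automatic")}),
    json.dumps({"event": "service_change", "service": "sshd", "state": "running"}),
    json.dumps({"event": "file_write",
                "path": r"C:\ProgramData\ssh\administrators_authorized_keys",
                "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    json.dumps({"event": "process_create",
                "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"}),
]

# Matches -e, -ec, -enc ... -EncodedCommand (PowerShell accepts any unambiguous
# prefix) followed by a Base64 blob; the length floor skips short switches
# such as "-ExecutionPolicy Bypass".
ENC_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Strings in a decoded script that tie it to the SSH persistence step.
SSH_INDICATORS = re.compile(r"sshd|authorized_keys|OpenSSH", re.IGNORECASE)

# Key file Windows OpenSSH reads for members of the Administrators group.
ADMIN_KEYS = r"c:\programdata\ssh\administrators_authorized_keys"

Finding = Tuple[str, str, str]  # (severity, rule, detail)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(lines: List[str]) -> List[Finding]:
    """Score events against the three behaviours in the reported chain."""
    findings: List[Finding] = []
    for line in lines:
        ev = json.loads(line)
        kind = ev.get("event")
        if kind == "process_create":
            decoded = decode_encoded_command(ev.get("cmdline", ""))
            if decoded is not None:
                # Encoded PowerShell alone is suspicious; touching SSH in the
                # decoded script raises it to high.
                sev = "high" if SSH_INDICATORS.search(decoded) else "medium"
                findings.append((sev, "encoded_powershell", decoded))
        elif (kind == "service_change"
              and ev.get("service", "").lower() == "sshd"
              and ev.get("state") == "running"):
            findings.append(("medium", "sshd_started", ev["service"]))
        elif kind == "file_write" and ev.get("path", "").lower() == ADMIN_KEYS:
            findings.append(("high", "admin_authorized_keys_modified", ev["path"]))
    return findings


if __name__ == "__main__":
    for sev, rule, detail in analyse(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

In production the same logic would read Sysmon process-creation (Event ID 1), service-control (System log 7036/7045) and file-create events rather than a constructed list; the value of decoding the payload is that it lets a rule look at what the script does instead of only flagging that something was encoded.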
Kaspersky’s Response
Kaspersky confirmed that its security solutions have proactively detected and blocked all malware linked to the attack, preventing further infections.
The company urges users to verify website authenticity, avoid downloading AI tools from unofficial sources, and enable robust cybersecurity measures to protect against evolving cyber threats.