Kaspersky’s security researchers have uncovered a sophisticated cybercriminal campaign that exploited the growing interest in DeepSeek AI, a popular generative AI chatbot, to distribute malware through fraudulent websites.
The campaign used geofencing, compromised business accounts and coordinated bot networks to evade detection and amplify its reach, generating over 1.2 million views on the social media platform X.

The investigation revealed that cybercriminals created deceptive replicas of the official DeepSeek website, using domain names such as “deepseek-pc-ai[.]com” and “deepseek-ai-soft[.]com.”
A key aspect of this operation was the use of geofencing, which enabled attackers to tailor the website’s content based on the visitor’s geographic location.
This approach helped them refine their tactics while reducing the likelihood of detection.
“This campaign demonstrates notable sophistication beyond typical social engineering attacks,”
explained Vasily Kolesnikov, senior malware analyst at Kaspersky Threat Research.
“Attackers exploited the current hype around generative AI technology, skillfully combining targeted geofencing, compromised business accounts and orchestrated bot amplification to reach a substantial audience while carefully evading cybersecurity defenses.”
Kaspersky’s analysis found that the campaign’s primary distribution method was social media, particularly X.
Attackers compromised the account of a legitimate Australian company to spread fraudulent links, which resulted in a single malicious post reaching approximately 1.2 million impressions and being widely shared.
Many of these reposts were traced to coordinated bot accounts, identified through similar naming conventions and profile characteristics, suggesting a deliberate effort to amplify the campaign’s reach.
Users who accessed the fraudulent websites were prompted to download a fake DeepSeek client application.
Instead of the legitimate software, the sites delivered malicious installers using the Inno Setup installation platform.
Once executed, these installers attempted to contact remote command-and-control servers, retrieving Base64-encoded PowerShell scripts.
These scripts then activated Windows’ built-in SSH service, reconfigured it with attacker-controlled keys and enabled full remote unauthorised access to the compromised systems.
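As an added example that is not part of Kaspersky's report, the following PowerShell audit looks on a Windows host for the persistence pattern just described: the built-in OpenSSH server enabled and authorized_keys entries that were never provisioned. `$KnownKeys`, the allowlist of key fingerprints, is an assumption to be filled from your own key inventory.

```powershell
# Added example (not from the Kaspersky report): audit a Windows host for the
# pattern above, i.e. the built-in OpenSSH server turned on and authorised keys
# that the organisation did not deploy. Run from an elevated prompt.
# Assumption: $KnownKeys holds the 'SHA256:...' fingerprints of keys you provisioned.
$KnownKeys = @()

$findings = @()

# 1. Is the OpenSSH Server capability present, and is sshd running / set to auto-start?
$cap = Get-WindowsCapability -Online -Name 'OpenSSH.Server*' -ErrorAction SilentlyContinue
$svc = Get-Service -Name sshd -ErrorAction SilentlyContinue
if ($cap -and $cap.State -eq 'Installed') { $findings += 'OpenSSH.Server capability is installed' }
if ($svc) { $findings += "sshd service status=$($svc.Status) starttype=$($svc.StartType)" }

# 2. Collect every authorized_keys file sshd would honour: the administrators file
#    plus each user profile's .ssh\authorized_keys.
$keyFiles = @("$env:ProgramData\ssh\administrators_authorized_keys")
$keyFiles += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName '.ssh\authorized_keys' }

foreach ($f in $keyFiles) {
    if (-not (Test-Path $f)) { continue }
    # ssh-keygen.exe ships with the Windows OpenSSH client; -lf prints one
    # "<bits> <fingerprint> <comment> (<type>)" line per key in the file.
    $lines = & ssh-keygen.exe -lf $f 2>$null
    foreach ($l in $lines) {
        $fp = ($l -split '\s+')[1]
        if ($fp -and ($KnownKeys -notcontains $fp)) {
            $findings += "Unrecognised key $fp in $f"
        }
    }
}

# 3. Was an sshd service registered recently? System event 7045 records new
#    service installations by the Service Control Manager.
$ev = Get-WinEvent -FilterHashtable @{LogName = 'System'; Id = 7045} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'sshd' } | Select-Object -First 1
if ($ev) { $findings += "sshd service installation logged at $($ev.TimeCreated)" }

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No OpenSSH persistence indicators found'
}
```

Any unrecognised fingerprint or an sshd service that nobody deliberately installed warrants pulling the host's PowerShell script-block logs for the Base64-encoded commands described above.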
All malware payloads linked to this campaign are “proactively identified and blocked by Kaspersky security products such as Trojan-Downloader.Win32.TookPS.* variants.”
To mitigate risks, Kaspersky advises users to verify URLs carefully before downloading AI software, ensuring that the domain matches the official website without alterations.
“Fraudulent AI websites often use domain names that closely resemble legitimate services but contain subtle differences.”
Additionally, deploying comprehensive security solutions, such as Kaspersky Premium, can help detect and block malicious websites and installers. Keeping all software updated is also essential, as “many security vulnerabilities exploited by malware can be addressed by installing the latest versions of your operating system and applications, particularly security software.”
Featured image credit: edited from freepik