Cybersecurity researchers at Kaspersky Threat Research and AI Technology Research have uncovered a sophisticated campaign that is using the hype around DeepSeek AI to distribute malware to unwitting users.
- The cybercriminals behind the campaign are using geofencing, compromised business accounts and coordinated bot networks.
- In their investigation, Kaspersky researchers revealed that cybercriminals established deceptive replicas of the official DeepSeek website, using domain names like “deepseek-pc-ai[.]com” and “deepseek-ai-soft[.]com.”
- Visitors lured to such sites were directed to download a fabricated DeepSeek client application, which then delivered malicious installers that eventually tried to gain full remote unauthorised access.
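The lookalike domains quoted above (“deepseek-pc-ai[.]com”, “deepseek-ai-soft[.]com”) follow a common pattern: the brand name padded with extra words and hyphens under an unrelated registration. The following Python script, added here as an illustration and not code from Kaspersky or the article, shows how a defender can pull such indicators out of a report, refang them, and flag any host whose labels carry the brand token but whose registrable domain is not the legitimate one. The official domain (`deepseek.com`), the `OFFICIAL_DOMAINS` set and the sample text are assumptions constructed for the example; the registrable-domain helper is a toy that takes the last two labels rather than consulting the Public Suffix List.

```python
import re

# Assumption for this example: the brand's legitimate registrable domain.
# The article does not name it; adjust to the brands you defend.
OFFICIAL_DOMAINS = {"deepseek.com"}
BRAND = "deepseek"

# Matches plain or defanged hostnames, e.g. "deepseek-pc-ai[.]com".
_HOST_RE = re.compile(
    r"\b[a-z0-9][a-z0-9-]*(?:\[\.\]|\.)(?:[a-z0-9-]+(?:\[\.\]|\.))*[a-z]{2,6}\b"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('deepseek-pc-ai[.]com') back into a bare hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://|^https?://", "", host)  # drop a scheme if present
    host = host.split("/")[0]                           # drop any path
    return host.replace("[.]", ".").replace("(.)", ".")


def registrable_domain(host: str) -> str:
    """Toy approximation: the last two labels. A real tool would use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def is_brand_lookalike(indicator: str, brand: str = BRAND) -> bool:
    """True when the brand token appears in any label of a host that is not the official domain.

    Checking every label (not only the second-level one) also catches subdomain tricks
    such as 'deepseek.com.example.net'.
    """
    host = refang(indicator)
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return False
    return any(brand in label for label in host.split("."))


def extract_lookalikes(text: str, brand: str = BRAND) -> list[str]:
    """Pull every hostname out of free text and keep the brand lookalikes, refanged and deduplicated."""
    seen, hits = set(), []
    for match in _HOST_RE.finditer(text.lower()):
        host = refang(match.group(0))
        if host not in seen and is_brand_lookalike(host, brand):
            seen.add(host)
            hits.append(host)
    return hits


# Constructed sample: the two domains quoted in the article plus the assumed official one.
SAMPLE_REPORT = (
    "Fake sites used domain names like deepseek-pc-ai[.]com and deepseek-ai-soft[.]com, "
    "while the real site is deepseek.com."
)

if __name__ == "__main__":
    for host in extract_lookalikes(SAMPLE_REPORT):
        print("lookalike:", host)
```

Run over the constructed sample, the script reports the two fake domains and leaves the official one alone; in practice the output list would feed a DNS sinkhole, a proxy blocklist or a certificate-transparency watch rather than being printed.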
“Attackers exploited the current hype around generative AI technology, skillfully combining targeted geofencing, compromised business accounts and orchestrated bot amplification to reach a substantial audience while carefully evading cybersecurity defenses,” Vasily Kolesnikov, senior malware analyst at Kaspersky Threat Research, said.
A distinctive feature of the campaign was its use of geofencing technology, where malicious websites examine each visitor’s IP address and dynamically alter content based on geographic location, enabling attackers to fine-tune their approach and reduce detection risks.
According to the analysis, the malicious campaign’s main distribution channel was the social media platform X. In one instance, the cybercriminals compromised the social media account of an Australian company to distribute the malicious links, and then deployed coordinated bot accounts to amplify them.