- With nothing more than a compromised X account, a malware campaign reached millions of users.
- The campaign directed users to download a DeepSeek application.
- What users got, however, was a malicious app that took control of their system.
The general public's interest in artificial intelligence continues to be a way to lure users into accessing malicious websites and downloading malware.
Cybercriminals have long leveraged trends in a bid to get folks to download or access dangerous tools and websites. With the popularity of AI and folks hungry for free tools that can write them emails or draw up images for party invitations, cybercriminals are having a field day. All an attacker has to do is claim to be offering a free piece of AI software and then bundle their malware with the download.
In some instances, there isn’t even an AI app in the download.
To that end, Kaspersky has detected a campaign in which attackers claim to be offering a DeepSeek-powered application to unwitting users. Instead of the AI client, victims are met with a malicious payload that gives an attacker full control of the system via a command-and-control server.
The threat campaign gained traction thanks to a compromised account on X. Kaspersky reports that the social media account of a legitimate company in Australia was compromised, giving the attackers cover while they promoted their malware. With just one post, the attackers attracted 1.2 million impressions and garnered hundreds of reposts on X. This likely led to many people unknowingly downloading an app whose sole purpose was to compromise their security.
“This campaign demonstrates notable sophistication beyond typical social engineering attacks,” explains a senior malware analyst at Kaspersky Threat Research. “Attackers exploited the current hype around generative AI technology, skillfully combining targeted geofencing, compromised business accounts and orchestrated bot amplification to reach a substantial audience while carefully evading cybersecurity defense.”
The attackers directed X users to a replica of the DeepSeek website using URLs that were clearly designed to fool users into thinking they were visiting the legitimate site. Kaspersky notes that these websites used geofencing to tailor content to the user based on where they were connecting from. This lets the attackers reach people in many parts of the world without having to spin up multiple versions of the same website, which in turn reduces the risk of being detected.
“Fraudulent AI websites often use domain names that closely resemble legitimate services but contain subtle differences. Before downloading any AI software, verify that the website URL exactly matches the official domain with no additional words, hyphens or spelling variations,” advises Kaspersky.
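As an added illustration of the check Kaspersky recommends (example code, not from the article or from Kaspersky), the small Python classifier below flags hostnames that carry the brand name with extra words, hyphens or a prefix/suffix, or that differ from it by a small spelling change. It assumes the official domain is deepseek.com, which the article itself does not state.

```python
from urllib.parse import urlparse

# Assumption: the official domain to compare against; the article does not name it.
OFFICIAL_DOMAIN = "deepseek.com"


def hostname_of(url: str) -> str:
    """Extract the lower-cased hostname from a URL (port and path dropped)."""
    if "://" not in url:
        url = "https://" + url  # bare hostnames are still parseable this way
    return (urlparse(url).hostname or "").lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats such as deepseeek.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, official: str = OFFICIAL_DOMAIN) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for the URL's hostname."""
    host = hostname_of(url)
    # Exact match or a real subdomain of the official domain is the only 'official' case.
    if host == official or host.endswith("." + official):
        return "official"
    brand = official.split(".")[0]
    # Brand embedded with extra words/hyphens, e.g. deepseek-app.com or deepseek.com.evil.example.
    if brand in host:
        return "lookalike"
    # Spelling variation in the registrable label, e.g. deepseak.com (distance 1 from 'deepseek').
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else host
    if edit_distance(label, brand) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ["https://chat.deepseek.com", "https://deepseek-app.com/download",
              "https://deepseeek.com", "https://deepseek.com.evil.example/", "https://example.org"]:
        print(f"{u:45} -> {classify_url(u)}")
```

A link in a post, not just the visible text, is what should be run through a check like this, since the article notes the campaign's URLs were crafted to look legitimate at a glance.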
We find it best to simply use the AI applications that are hosted online for most tasks. That removes the risk of downloading a potentially malicious application altogether.
However, there is still the risk of landing on a malicious website, so, as Kaspersky advises, be sure to check the URL and other details before keying in your email address and the password you recycle for everything, even internet banking.