Threat actors are leveraging the popularity of DeepSeek in phishing campaigns aimed at stealing credentials and distributing malware. The campaigns use a fake domain to run ClickFix scams that lead to the installation of malware such as Vidar Stealer. Affected: DeepSeek platform, Internet users, Organizations
Key points:
- Threat actors exploit DeepSeek’s brand in phishing campaigns.
- Phishing campaigns aim to steal user credentials and spread malware.
- A domain named deepseekcaptcha[.]top was found to spread Vidar Stealer malware.
- Fake captcha pages trick victims into executing malicious downloads.
- The malware is distributed via ClickFix phishing schemes.
- 1.exe is identified as the first-stage downloader of Vidar Stealer.
- The malware retrieves update information from social media profiles, such as Telegram and Steam.
- Recommendations include user education, incident response, and implementing multi-factor authentication to mitigate phishing risks.
- A list of IOCs related to the phishing campaigns was provided, including malware hashes and malicious URLs.
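As an added detection example (not code from the CloudSEK report), the following Python scans constructed Sysmon-style process-creation events for the chain the key points describe: a fake captcha page that gets the user to run a command launching mshta/powershell with a remote URL, and a dropped file whose hash matches the report's IoCs. The interpreter list, the explorer.exe parent heuristic, the placeholder URL and the sample events are assumptions.

```python
# Added example (not from the CloudSEK report): flag ClickFix-style launches
# and known-IoC hashes in constructed Sysmon-style process-creation events.
import json
import re

# sha256 values copied verbatim from the report's IoC list (the din.exe hash is
# 63 characters as published; it is kept as-is and will simply never match)
KNOWN_HASHES = {
    "cd7bd1c6b651a700f059bc89168d6950292d77fb3703da401fdc83acae911aae": "1.exe",
    "3defc89a9190f7ba4474aaa8fb3f5a738a721dc1999ac6f71d438cdeadb20e7": "din.exe",
    "cedb81c4665ea6e96d6bce5b08546fa776d37f2ed10fee4eb65d216ba90bd839": "lem.exe",
    "a3a5303a15cf016427104042c4968b9483abbb062af46fc138d4401078f2fe84": "test.hta",
}
# Interpreters a pasted Run-dialog command usually starts (assumption, not from the report)
CLICKFIX_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # Win+R launches show explorer.exe as parent
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def sha256_of(event):
    """Pull the SHA256 out of Sysmon's 'MD5=...,SHA256=...' Hashes field."""
    for part in event.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return ""

def analyze_event(event):
    """Return the findings for one process-creation event (empty if benign)."""
    findings = []
    image, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
    if sha256_of(event) in KNOWN_HASHES:
        findings.append("known IoC: " + KNOWN_HASHES[sha256_of(event)])
    if image in CLICKFIX_CHILDREN and parent in INTERACTIVE_PARENTS \
            and URL_RE.search(event.get("CommandLine", "")):
        findings.append(f"ClickFix-style launch: {parent} -> {image} with remote URL")
    return findings

def scan(json_lines):
    """Return (ProcessId, finding) pairs for every suspicious event."""
    return [(ev["ProcessId"], f) for ev in map(json.loads, json_lines) for f in analyze_event(ev)]

# Constructed sample events; the URL and the non-IoC hashes are placeholders
SAMPLE_EVENTS = [
    r'{"ProcessId": 5044, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe https://example.invalid/captcha.hta", "Hashes": "SHA256=1111"}',
    r'{"ProcessId": 5048, "Image": "C:\\Windows\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe", "Hashes": "SHA256=2222"}',
    r'{"ProcessId": 5052, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\1.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "1.exe", "Hashes": "MD5=3333,SHA256=cd7bd1c6b651a700f059bc89168d6950292d77fb3703da401fdc83acae911aae"}',
]
```

Running `scan(SAMPLE_EVENTS)` flags the mshta launch from explorer.exe and the dropped 1.exe, and leaves the notepad event alone.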
MITRE Techniques:
- Phishing (T1566) – Threat actors use brand impersonation via fake domains and phishing emails.
- Malicious Link Creation (T1203) – Victims are misled into clicking links that lead to malware downloads.
- Command and Control (T1071) – Malware utilizes social media platforms for C2 functionality and updates.
- Exploit Public-Facing Application (T1190) – Attackers exploit vulnerabilities in user interaction with fake captcha pages to initiate malware downloads.
Indicators of Compromise:
- [Filename] 1.exe (sha256:cd7bd1c6b651a700f059bc89168d6950292d77fb3703da401fdc83acae911aae)
- [Filename] din.exe (sha256:3defc89a9190f7ba4474aaa8fb3f5a738a721dc1999ac6f71d438cdeadb20e7)
- [Filename] lem.exe (sha256:cedb81c4665ea6e96d6bce5b08546fa776d37f2ed10fee4eb65d216ba90bd839)
- [Filename] test.hta (sha256:a3a5303a15cf016427104042c4968b9483abbb062af46fc138d4401078f2fe84)
- [URL] hxxps://steamcommunity[.]com/profiles/76561199824159981
Full Story: https://www.cloudsek.com/blog/deepseek-clickfix-scam-exposed-protect-your-data-before-its-too-late