Cybercriminals Exploit DeepSeek AI Hype with Geofencing and Bot Networks to Spread Malware, Reveals Kaspersky
As cybercriminals continue to evolve their tactics, users must remain vigilant against AI-themed scams and adopt proactive cybersecurity measures to safeguard their digital environments.
Security researchers at Kaspersky (www.Kaspersky.co.in/) have uncovered a sophisticated cybercriminal campaign leveraging geofencing, compromised business accounts, and coordinated bot networks to distribute malware disguised as DeepSeek AI software. The deceptive operation amassed over 1.2 million views on X, raising serious concerns about cybersecurity threats associated with emerging AI technologies.
Kaspersky’s Threat Research and AI Technology Research divisions jointly identified this elaborate deception campaign, which capitalized on the growing public interest in DeepSeek AI—a widely recognized generative AI chatbot. The attackers established fake replicas of the official DeepSeek website using deceptive domains such as "deepseek-pc-ai[.]com" and "deepseek-ai-soft[.]com" to mislead unsuspecting users.
One of the distinguishing tactics of this attack was the implementation of geofencing technology, which allowed the fraudulent websites to analyze each visitor's IP address and dynamically alter content based on geographic location. This strategic move helped cybercriminals refine their attack methods and evade detection.
Targeted Attack via Social Media Manipulation
According to Kaspersky researchers, X (formerly Twitter) was the primary distribution channel for the malicious campaign. The attackers hijacked the social media account of a legitimate Australian business to promote fraudulent links, resulting in approximately 1.2 million impressions and hundreds of reposts. Further analysis showed that many of these reposts came from a network of coordinated bot accounts, identifiable by similar naming patterns and profile characteristics. This bot-driven amplification significantly boosted the visibility of the malware-laden posts while evading automated security measures.
Infection Mechanism and Malware Execution
Users deceived by the fraudulent sites were prompted to download a counterfeit DeepSeek client application. Instead of the genuine software, the attackers deployed malware-packed installers using the Inno Setup installation platform. Upon execution, these malicious installers initiated contact with remote command-and-control servers, retrieving Base64-encoded PowerShell scripts. These scripts then enabled Windows' built-in SSH service, reconfigured with attacker-controlled keys, thereby granting unauthorized remote access to compromised systems.
All malware variants linked to this campaign, identified as Trojan-Downloader.Win32.TookPS.* types, are proactively detected and blocked by Kaspersky’s security solutions.
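The chain described above ends with a Base64-encoded PowerShell script that turns on Windows' built-in SSH server and installs attacker-controlled keys. As an added example (not Kaspersky's code or detection logic), this Python triage decodes the `-EncodedCommand` argument from process-creation log lines and flags commands that touch sshd or an authorized_keys file; the sample log lines and the indicator list are constructed for illustration.

```python
import base64
import re

# Assumed indicator list for the behaviour described above; not Kaspersky's signature.
SSH_INDICATORS = ("openssh.server", "sshd", "authorized_keys")

# Matches PowerShell's -e / -ec / -enc / -EncodedCommand switch and its Base64 argument.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def to_encoded_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE text, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the plaintext of an encoded PowerShell command line, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        # Odd byte counts or non-alphabet characters are rejected rather than guessed at.
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(log_lines):
    """Return (line_no, decoded_command, indicators_hit) for lines that enable or re-key SSH."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        decoded = decode_encoded_command(line)
        if decoded is None:
            continue
        hits = [i for i in SSH_INDICATORS if i in decoded.lower()]
        if hits:
            findings.append((n, decoded, hits))
    return findings

# Constructed sample process-creation lines, not telemetry from the campaign.
SAMPLE_LOG = [
    "CommandLine: powershell.exe -NoProfile -EncodedCommand " + to_encoded_command(
        "Set-Service sshd -StartupType Automatic; Start-Service sshd; "
        "Add-Content C:\\ProgramData\\ssh\\administrators_authorized_keys $key"),
    "CommandLine: powershell.exe -enc " + to_encoded_command("Get-Date"),
    "CommandLine: powershell.exe -enc Zm9v",  # 3 bytes: not valid UTF-16LE, skipped
    "CommandLine: notepad.exe readme.txt",
]

if __name__ == "__main__":
    for n, decoded, hits in triage(SAMPLE_LOG):
        print(f"line {n}: {hits} <- {decoded}")
```

Only the first sample line is reported; the benign encoded command, the malformed blob and the non-PowerShell line are passed over.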
How to Stay Safe
To prevent falling victim to such threats, Kaspersky recommends the following security measures:
- Verify URLs Carefully: Fraudulent AI-related websites often mimic legitimate services with slight domain variations. Before downloading any AI software, users should confirm that the URL exactly matches the official domain without added words, hyphens, or misspellings.
- Use Robust Security Protection: Installing comprehensive cybersecurity solutions such as Kaspersky Premium on all devices can help detect and block malicious installers and phishing sites before they compromise systems.
- Keep Software Updated: Many security vulnerabilities exploited by malware can be mitigated by keeping the operating system and applications—especially security software—up to date.