Full Report
Kaspersky experts have discovered campaigns distributing stealers, malicious PowerShell scripts, and backdoors through web pages mimicking the DeepSeek and Grok websites.
Analysis Summary
The provided article snippet is extremely limited and consists mainly of boilerplate navigation elements from the Securelist website; it offers no substantive details about a specific threat actor, historical campaigns, precise TTPs, or targeting patterns.
The summary below therefore reflects this lack of specific intelligence.
# Threat Actor: Undetermined (Activity Group leveraging popular AI/ML tools)
## Attribution & Identity
The article describes the *activity* of distributing stealer and backdoor malware disguised as a DeepSeek client but does not attribute this activity to a specific named threat actor or APT group. The primary identifying feature is the masquerade technique.
## Activity Summary
The observed activity involves the distribution of malicious files disguised as a legitimate client for the DeepSeek AI tool. These malicious packages contain hidden stealers and backdoors intended to compromise the victim's system.
## Tactics, Techniques & Procedures
- **Masquerading/Social Engineering:** Distributing malware bundled with or disguised as a legitimate-looking installer for a popular AI client (DeepSeek).
- **Payload Delivery:** Deploying stealer malware and backdoors.
- *No specific MITRE ATT&CK IDs were identifiable from the context provided.*
## Targeting
- Sectors: Undetermined; implied to be individuals or organizations interested in using AI/ML tools such as DeepSeek.
- Geography: Not specified in the provided context.
- Victims: No specific victim organizations are mentioned.
## Tools & Infrastructure
- **Malware families used:** Stealers and backdoors (specific names not provided).
- **Infrastructure (C2, domains, IPs):** Not mentioned in the text provided.
## Implications
This activity indicates an opportunistic campaign that leverages high-interest topics (such as generative AI clients) to entice unsuspecting users into installing commodity malware, specifically aimed at credential theft (stealers) and establishing persistence (backdoors). While not tied to an established APT, it represents a persistent threat that relies on social engineering keyed to current software adoption trends.
## Mitigations
- **Verify Software Origin:** Exercise extreme caution when downloading software, especially clients for popular or newly released tools like DeepSeek. Only download from official, verified developer websites.
- **Strong Endpoint Protection:** Utilize AV/EDR solutions capable of detecting fileless execution, commodity stealers, and suspicious backdoor callbacks.
- **User Education:** Educate users on the risks of downloading pirated, cracked, or third-party versions of popular software.