Stealers and backdoors are spreading under the guise of a DeepSeek client.
Stealers and backdoors are spreading under the guise of a DeepSeek client.
Kaspersky experts have discovered campaigns distributing stealers, malicious PowerShell scripts, and backdoors through web pages mimicking the DeepSeek and Grok websites.
Among the most significant events in the AI world in early 2025 was the release of DeepSeek-R1 – a powerful reasoning large language model (LLM) with open weights. It’s available both for local use and as a free service. Since DeepSeek was the first service to offer access to a reasoning LLM to a wide audience, it quickly gained popularity, mirroring the success of ChatGPT. Naturally, this surge in interest also attracted cybercriminals.
While analyzing our internal threat intelligence data, we discovered several groups of websites mimicking the official DeepSeek chatbot site and distributing malicious code disguised as a client for the popular service.
Screenshot of the official DeepSeek website (February 2025)