Kaspersky's Threat Research and AI Technology Research have identified an advanced malware campaign targeting Chinese-speaking IT professionals through a fake DeepSeek AI website.
In this campaign, the attackers created a convincing Mandarin-language interface to promote "DeepSeek" (DeepSeek Local Deployment), which targets advanced users who want to run AI independently.
According to Kaspersky's analysis, the malware disguises itself as Ollama, a popular open-source framework for running generative AI models such as DeepSeek locally.
"Treatlights run generative AI tools such as DeepSeek locally, full control, reduced dependence on cloud services, and better privacy, have become common among IT professionals," explains Vladislav Tmenov, group manager at the Kaspersky AI Technology Research Center.
Kaspersky researchers also identified the fake domains app.delpaseeek[.]com, app.deapseek[.]com, and dpsk.dghjwd[.]cn, which distribute this malware.
If a user installs it, the malware creates a covert communication tunnel using the KCP protocol, which can give attackers persistent remote access to infected systems.
This backdoor access allows threat actors to secretly extract sensitive data, capture credentials, monitor system activity, and move laterally within the network of companies where these professionals work.
"By explicitly targeting this technically capable individual, the attacker bridges it from a personal device infiltrated into a very special company environment," he added.
In parallel campaigns, a fake DeepSeek domain distributes malware that uses advanced evasion techniques, including steganography, followed by process injection that lets the malware run inside legitimate system processes, making detection much more difficult.
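The lookalike domains named above can be hunted for in DNS or proxy logs by comparing each hostname label with the brand name. The following is an added example, not Kaspersky's code; the allowlisted domain `deepseek.com`, the distance threshold, and the two benign sample hosts are assumptions.

```python
import re

BRAND = "deepseek"
# Assumption: the vendor's real registrable domain; extend with your own allowlist.
ALLOWED = ("deepseek.com",)
# 3 is the smallest threshold that still catches "delpaseeek" from the article.
MAX_DISTANCE = 3

def refang(host):
    """Turn a defanged indicator (app.x[.]com) back into a comparable hostname."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(label):
    """Drop vowels and collapse repeated letters: 'deepseek' -> 'dpsk'."""
    return re.sub(r"(.)\1+", r"\1", re.sub(r"[aeiou]", "", label))

def classify(host):
    """Return a reason string if any label of host imitates BRAND, else None."""
    name = refang(host)
    if any(name == d or name.endswith("." + d) for d in ALLOWED):
        return None
    for label in name.split("."):
        dist = edit_distance(label, BRAND)
        if dist <= MAX_DISTANCE:
            return f"label '{label}' is within edit distance {dist} of '{BRAND}'"
        if skeleton(label) == skeleton(BRAND):
            return f"label '{label}' abbreviates '{BRAND}'"
    return None

# Constructed log sample: the three defanged domains from the article plus two benign hosts.
SAMPLE = ["app.delpaseeek[.]com", "app.deapseek[.]com", "dpsk.dghjwd[.]cn",
          "chat.deepseek.com", "updates.example.org"]

def scan(hosts):
    """Return (host, reason) pairs for every host that imitates the brand."""
    return [(h, reason) for h in hosts if (reason := classify(h))]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE):
        print(f"{host}: {reason}")
```

A threshold of 3 on an eight-letter name will also flag some unrelated labels, so treat hits as leads for review rather than as verdicts.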