Attackers Exploiting AI Brand Hype

    Date: 06/16/2026

    Severity: High

    Summary

    A threat actor is impersonating AI brands by registering lookalike .ru domains that mimic DeepSeek, MiniMax, and ChatGPT, complete with cloned branding, working AI chat interfaces, and the DeepSeek whale mascot, to target Russian-speaking users. The campaign monetizes victims through subscription fraud: premium AI subscription offers hosted on the impersonated domains are paid for through legitimate Stripe payment infrastructure. Researchers observed a multi-hop redirect network and widespread use of Yandex Metrika for cross-domain tracking and visitor fingerprinting. The operation also abuses compromised WordPress websites to funnel users to fake ChatGPT services, while supporting infrastructure such as llmcollect.com is disguised as legitimate AI analytics so that its traffic blends into normal AI-related activity and evades detection.

    Indicators of Compromise (IOC) List

    Domains:

    deepseekgpt.ru

    deepseekv3.ru

    deepseek-chat.ru

    deepseek-ai.ru

    minimax-ai.ru

    besplatno-ai.ru

    offline-map.ru

    mapoffline.ru

    chatgpt-app.cloud

    ipscanadvsf.com

    llmcollect.com

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "ipscanadvsf.com" or url like "ipscanadvsf.com" or siteurl like "ipscanadvsf.com" or domainname like "chatgpt-app.cloud" or url like "chatgpt-app.cloud" or siteurl like "chatgpt-app.cloud" or domainname like "deepseek-chat.ru" or url like "deepseek-chat.ru" or siteurl like "deepseek-chat.ru" or domainname like "deepseekv3.ru" or url like "deepseekv3.ru" or siteurl like "deepseekv3.ru" or domainname like "deepseek-ai.ru" or url like "deepseek-ai.ru" or siteurl like "deepseek-ai.ru" or domainname like "deepseekgpt.ru" or url like "deepseekgpt.ru" or siteurl like "deepseekgpt.ru" or domainname like "minimax-ai.ru" or url like "minimax-ai.ru" or siteurl like "minimax-ai.ru" or domainname like "besplatno-ai.ru" or url like "besplatno-ai.ru" or siteurl like "besplatno-ai.ru" or domainname like "offline-map.ru" or url like "offline-map.ru" or siteurl like "offline-map.ru" or domainname like "mapoffline.ru" or url like "mapoffline.ru" or siteurl like "mapoffline.ru" or domainname like "llmcollect.com" or url like "llmcollect.com" or siteurl like "llmcollect.com"
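    The query above lists every IOC domain as a separate `like` clause against the domain, URL, and site URL fields. Whether such a clause behaves as a substring or an exact match depends on the platform, and a bare substring match will also flag hosts that merely contain an IOC string (for example a domain that embeds deepseekv3.ru as a label). The following Python is an added example, not Gurucul or Unit 42 code: it applies the same IOC list to constructed proxy log lines using proper hostname matching, so that the IOC domain itself and any of its subdomains match while hosts that only contain the string do not. The log format (timestamp, client, method, URL) and the log lines are assumptions made up for the example.

```python
"""Match the IOC domains from this advisory against web-proxy log lines.

Added example, not code from the advisory. The log lines below are
constructed for illustration and the "timestamp client method url"
format is an assumed, generic proxy log layout.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domains from the advisory's IOC list.
IOC_DOMAINS = {
    "deepseekgpt.ru", "deepseekv3.ru", "deepseek-chat.ru", "deepseek-ai.ru",
    "minimax-ai.ru", "besplatno-ai.ru", "offline-map.ru", "mapoffline.ru",
    "chatgpt-app.cloud", "ipscanadvsf.com", "llmcollect.com",
}


def extract_host(value: str) -> str:
    """Return the lowercase hostname from a URL or bare host, port stripped."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # lets urlsplit treat a bare host as the netloc
    host = urlsplit(v).hostname or ""
    return host.rstrip(".")  # drop a trailing dot from FQDN-style hosts


def matched_ioc(value: str) -> Optional[str]:
    """Return the IOC domain that `value` belongs to, or None.

    Matches the IOC domain itself and any subdomain of it
    (www.deepseek-chat.ru), but not hosts that merely contain the
    string (deepseekv3.ru.example.test, notdeepseekv3.ru), which a
    plain substring match would also flag.
    """
    host = extract_host(value)
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed sample lines: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2026-06-16T10:01:02Z 10.0.0.12 GET https://www.deepseek-chat.ru/chat
2026-06-16T10:01:09Z 10.0.0.12 POST https://deepseek-chat.ru/api/subscribe
2026-06-16T10:02:30Z 10.0.0.45 GET https://LLMCollect.com:443/collect?v=1
2026-06-16T10:03:00Z 10.0.0.45 GET https://deepseekv3.ru.example.test/
2026-06-16T10:04:11Z 10.0.0.77 GET https://chat.openai.com/
2026-06-16T10:05:40Z 10.0.0.77 GET http://notdeepseekv3.ru/
"""


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, ioc) for every log line whose URL hits an IOC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or empty lines
        client, url = parts[1], parts[3]
        ioc = matched_ioc(url)
        if ioc:
            hits.append((client, url, ioc))
    return hits


if __name__ == "__main__":
    for client, url, ioc in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  (IOC: {ioc})")
```

Running the script reports the three genuine hits (two on deepseek-chat.ru, one on llmcollect.com despite the mixed case and explicit port) and ignores the two lookalike hosts that only contain an IOC string. Adapting it to a real log source means changing the field positions in scan_log and feeding it the URL or hostname column from the proxy, DNS, or web-server logs in scope.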

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-12-%20Attackers%20Exploiting-AI-Brand-Hype.txt


    Tags

    Threat Actor, AI, DeepSeek, Russia, Communications, Financial Services, Mimic, WordPress, Exploit
