Date: 03/11/2025
Severity: High
Summary
The DeepSeek AI chatbot, launched on January 20, 2025, quickly became a target for abuse. Threat actors use brand impersonation tactics to create fraudulent websites that trick users into revealing sensitive information or executing malware. The malware campaign employs a deceptive CAPTCHA page to perform clipboard injection: it covertly copies a malicious PowerShell command to the clipboard and instructs the user to paste and run it.
Indicators of Compromise (IOC) List
Domains\URLs:
  steamcommunity.com/profiles/76561199825403037
  t.me/b4cha00
  sailiabot.com
IP Addresses:
  77.239.117.222
  95.216.178.57
  95.217.246.174
Hashes (MD5):
  9f680720826812af34cbc66e27e0281f
  e9a39ed8c569c9e568740e4eb93a6eec
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs:
  userdomainname like "sailiabot.com" or url like "sailiabot.com" or userdomainname like "steamcommunity.com/profiles/76561199825403037" or url like "steamcommunity.com/profiles/76561199825403037" or userdomainname like "t.me/b4cha00" or url like "t.me/b4cha00"
IP Addresses:
  dstipaddress IN ("77.239.117.222","95.216.178.57","95.217.246.174") or ipaddress IN ("77.239.117.222","95.216.178.57","95.217.246.174") or publicipaddress IN ("77.239.117.222","95.216.178.57","95.217.246.174") or srcipaddress IN ("77.239.117.222","95.216.178.57","95.217.246.174")
Hashes (MD5):
  md5hash IN ("9f680720826812af34cbc66e27e0281f","e9a39ed8c569c9e568740e4eb93a6eec")
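As an added example (not part of the Gurucul advisory or its TDIR product), the script below applies the same matching semantics as the queries above to a handful of constructed log events, so an analyst can check how the IOC set behaves on sample data before deploying it. Field names (userdomainname, url, dstipaddress, ipaddress, publicipaddress, srcipaddress, md5hash) are taken from the queries; the sample events are invented.

```python
# Added example (not part of the Gurucul advisory): applies the advisory's
# IOC-matching logic to sample log events so an analyst can sanity-check
# coverage before deploying the TDIR queries. Field names mirror the queries;
# the events below are constructed for illustration, not real telemetry.
from typing import Iterable

DOMAINS_URLS = (
    "steamcommunity.com/profiles/76561199825403037",
    "t.me/b4cha00",
    "sailiabot.com",
)
IP_ADDRESSES = {"77.239.117.222", "95.216.178.57", "95.217.246.174"}
MD5_HASHES = {"9f680720826812af34cbc66e27e0281f", "e9a39ed8c569c9e568740e4eb93a6eec"}
URL_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def match_event(event: dict) -> list[str]:
    """Return IOC hits for one event (empty list means no match).

    Mirrors the queries: `like` on domain/URL fields is a case-insensitive
    substring match; `IN` on IP and hash fields is an exact match.
    """
    hits = []
    for field in URL_FIELDS:
        value = str(event.get(field, "")).lower()
        hits += [f"{field}~{ioc}" for ioc in DOMAINS_URLS if ioc in value]
    for field in IP_FIELDS:
        if event.get(field) in IP_ADDRESSES:
            hits.append(f"{field}={event[field]}")
    md5 = str(event.get("md5hash", "")).lower()
    if md5 in MD5_HASHES:
        hits.append(f"md5hash={md5}")
    return hits


def scan(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, hits) for every event that matched at least one IOC."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]


# Constructed sample events: the first three match; the bare Steam domain
# without the profile path in the last one must not.
SAMPLE_EVENTS = [
    {"url": "https://sailiabot.com/verify", "srcipaddress": "10.0.0.5"},
    {"userdomainname": "example.org", "dstipaddress": "95.216.178.57"},
    {"md5hash": "9F680720826812AF34CBC66E27E0281F"},
    {"url": "https://steamcommunity.com/", "dstipaddress": "10.0.0.9"},
]
```

Hashes are compared case-insensitively because some log sources emit uppercase MD5 values, which an exact `IN` list of lowercase strings would otherwise miss.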
Reference:
https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware