Cyber Security News

Threat Actors Exploit DeepSeek Craze to Distribute Vidar Stealer Malware

In a concerning new development, cybercriminals are exploiting the widespread popularity of the recently launched DeepSeek AI chatbot to distribute the Vidar Stealer malware.

According to research by Zscaler ThreatLabz, attackers are using brand impersonation tactics to lure unsuspecting users into executing malicious code, thereby compromising sensitive data.

Launched on January 20, 2025, DeepSeek quickly gained global attention, making it a prime target for malicious campaigns.

Threat actors have created fraudulent websites mimicking DeepSeek’s official platform, employing fake CAPTCHA pages as part of their attack chain.

These pages trick users into executing harmful PowerShell commands that download and deploy the Vidar information stealer.

Technical Analysis of the Attack Chain

The attack begins with the creation of fake domains resembling DeepSeek’s official site.

One such domain, “deepseekcaptcha[.]top,” prompts visitors to complete a registration process before redirecting them to a deceptive CAPTCHA page.

Embedded JavaScript in this page copies a malicious PowerShell command to the user’s clipboard.

If executed, this command downloads a packed Vidar executable (1.exe) onto the victim’s system.

DeepSeek CrazeDeepSeek Craze
attack chain employed in this campaign

Once deployed, Vidar initiates its primary function: harvesting sensitive information such as login credentials, cryptocurrency wallet data, browser cookies, and personal files.

The malware also uses legitimate platforms like Telegram and Steam to conceal its command-and-control (C2) infrastructure.

Exploitation of Cryptocurrency Wallets and Browsers

Vidar is specifically configured to target cryptocurrency wallets and browser extensions.

It scans victims’ systems for wallet-related files and configurations, exfiltrating sensitive data from popular wallets like MetaMask, BinanceChainWallet, and Trust Wallet.

Additionally, it extracts browser-related assets such as saved credentials and autofill data from browsers including Google Chrome, Microsoft Edge, Opera GX, and Brave.

The malware also searches for specific filenames and extensions associated with cryptocurrency wallets or private keys.

By leveraging these methods, attackers can gain access to victims’ digital assets and accounts.

Vidar uses hardcoded endpoints for exfiltration of stolen data. In this campaign, attackers utilized a publicly accessible Steam community profile and a Telegram channel to locate C2 infrastructure.

Associated IP addresses include 77.239.117[.]222 and 95.216.178[.]57.

The rapid exploitation of DeepSeek underscores the risks associated with emerging AI technologies.

While generative AI tools offer significant benefits, they also create new opportunities for cybercriminals to launch sophisticated attacks.

Organizations must adopt robust security measures to mitigate these threats, including monitoring newly registered domains and educating users about phishing tactics.

Zscaler’s cloud security platform has detected indicators related to Vidar at multiple levels, providing protection against this campaign.

However, proactive measures such as implementing zero trust frameworks and restricting unsanctioned applications remain critical in combating such threats.

As AI adoption continues to grow across industries, vigilance will be essential in safeguarding users against evolving cyber risks.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

2 days ago