Cybercriminals have launched multiple fake DeepSeek official pages, luring users into downloading malicious software disguised as a legitimate AI client. Domains such as deepseek-pc-ai[.]com and deepseek-ai-soft[.]com present users with ‘Download’ and ‘Start Now’ buttons, but instead of providing an actual DeepSeek client—which does not exist—the installer executes malicious scripts.
This campaign is part of a broader trend of cybercriminals exploiting the AI boom. Following the announcement of Grok-3, attackers began offering fake downloads of its client from domains like v3-grok[.]com and v3-deepseek[.]com, further blurring the lines between legitimate and fraudulent AI tools.

Once activated, the installer accesses harmful URLs and manipulates Windows scripts to enable the SSH service, allowing attackers remote access to infected systems. The campaign employs geofencing tactics, blocking access to users from Russia while serving malware-laden pages to visitors from other regions.
According to researchers, the primary vector for distributing links to these fake DeepSeek sites has been X. A particularly suspicious post from the Australian startup Lumina Vista — a company with fewer than 10 employees — amassed 1.2 million views and over 100 reposts despite having a minimal social media presence.

Further investigations revealed that many accounts amplifying the post exhibited bot-like behaviour, suggesting a coordinated promotional effort or a hacked account being used for malicious advertising.
While some users in the comments flagged the malicious nature of the link, most discussions revolved around AI models like DeepSeek, Grok, and ChatGPT, overlooking the critical fact that DeepSeek has no official Windows client. The only way to access the chatbot is through a browser or by running it locally with specialised software.
Researchers have urged organisations and users to verify URLs, be cautious with data sharing, limit third-party plugins and always use trusted security solutions.
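One way to automate the URL verification advised above, as an added example that is not from the researchers or the original article: a small checker that flags hosts containing an AI brand name whose registrable domain is not on an allowlist, run over constructed proxy log lines. The allowlist contents, the log format and the last-two-labels domain heuristic are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: official registrable domains per brand; confirm before deploying.
OFFICIAL = {"deepseek": {"deepseek.com"}, "grok": {"grok.com", "x.ai"}}

# Constructed sample proxy log lines: timestamp, client IP, requested URL.
SAMPLE_LOG = """\
2025-01-01T09:00:01Z 10.0.0.5 https://chat.deepseek.com/
2025-01-01T09:00:07Z 10.0.0.8 hxxps://deepseek-pc-ai[.]com/download
2025-01-01T09:01:12Z 10.0.0.8 https://v3-grok.com/start
2025-01-01T09:02:30Z 10.0.0.9 https://deepseek.com.login.example/
2025-01-01T09:03:44Z 10.0.0.5 https://example.org/news
"""

def hostname(value):
    """Return the lowercase host of a URL or bare domain (defanged or not), else None."""
    value = value.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare domain as the host
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def impersonated_brand(value):
    """Return the brand a host imitates, or None if it is official or unrelated."""
    host = hostname(value)
    if not host:
        return None
    # Naive registrable domain (last two labels); use the Public Suffix List in production.
    registrable = ".".join(host.split(".")[-2:])
    for brand, official in OFFICIAL.items():
        if brand in host and registrable not in official:
            return brand
    return None

def scan(log_text):
    """Return (client, host, brand) for every log line that requests a lookalike host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            brand = impersonated_brand(parts[2])
            if brand:
                hits.append((parts[1], hostname(parts[2]), brand))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Substring matching on the brand name will also flag unrelated sites that happen to contain it, so hits are leads for triage rather than verdicts.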
DeepSeek, the Chinese AI chatbot, made waves worldwide, drawing comparisons to ChatGPT and sparking controversies and widespread restrictions in countries like Italy, South Korea, India, and Australia.