Fake DeepSeek Campaign Attacking macOS Users to Deliver Poseidon Malware


A new cyberattack campaign, dubbed the “Fake DeepSeek Campaign,” has been discovered targeting macOS users. DeepSeek, a Chinese-developed AI chatbot, has rapidly gained popularity globally.

Threat actors have started exploiting its popularity to deliver malware and infect users' computers.

This campaign is designed to distribute the Poseidon Stealer, a sophisticated piece of malware built to exfiltrate sensitive data from compromised systems.

A security researcher using the X handle @g0njxa identified the campaign, which leverages fake applications and malicious payloads to infiltrate macOS environments.

The Fake DeepSeek Campaign masquerades as legitimate software, tricking users into downloading and executing malicious files.

The malware is distributed through phishing links and compromised websites, with attackers exploiting user trust in seemingly legitimate downloads.


Once executed, the malware delivers the Poseidon Stealer, which is capable of collecting a wide range of sensitive information, including:

  • Browser-stored credentials
  • Cryptocurrency wallets
  • System information
  • Keylogging data

Malware Delivery Mechanism

The campaign hosts its payload on malicious servers; one sample, identified by the hash ffef9d958bcc1d869639b785f36dfa035cdd41e35c1417b4e9895dc6a2d9017f, was analyzed and found to be a trojanized application that launches the Poseidon Stealer on execution.

The malware communicates with its command-and-control (C2) server located at 65.20.101.215/p2p to receive commands and exfiltrate stolen data.

Behavioral Indicators

According to sandbox analysis reports, the malware exhibits the following behaviors:

  • Creates persistence mechanisms by modifying macOS plist files.
  • Exploits legitimate system processes to evade detection.
  • Establishes encrypted communication with its C2 server for data transmission.

The pseudocode referenced here, which is not reproduced on this page, illustrates how Poseidon establishes persistence on macOS: it creates a launch agent plist file in the user's ~/Library/LaunchAgents directory, ensuring that the malware is executed every time the system starts.

Indicators of Compromise (IoCs)

Security teams should monitor for the following IoCs:

  • Network traffic to 65.20.101.215/p2p
  • Presence of suspicious plist files in ~/Library/LaunchAgents
  • Execution of unknown binaries with elevated privileges
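As an added illustration for this IoC list (not code from the report or the researcher), the following Python triage helper parses LaunchAgent plists and flags the traits the report describes: programs executed from staging paths, RunAtLoad entries pointing outside standard install locations, shell-based launchers, and any reference to the reported C2 address. The path lists, the launcher pattern and the two sample plists are constructed assumptions, not campaign artifacts.

```python
"""Triage helper for the LaunchAgents and C2 indicators listed above (added example)."""
import plistlib
import re
from typing import List

C2_INDICATOR = "65.20.101.215"  # C2 address named in the report

# Heuristic (assumption): staging paths a legitimate launch agent rarely executes from
STAGING_PATHS = ("/tmp/", "/private/tmp/", "/private/var/tmp/", "/var/folders/", "/Users/Shared/")
# Heuristic (assumption): where a benign RunAtLoad program is normally installed
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/Library/", "/usr/", "/bin/", "/sbin/")
# Launchers that wrap the real payload in a shell or a download/scripting tool
SHELL_LAUNCHER = re.compile(r"(?:^|[\s/])(?:sh|bash|zsh)\s+-c\s|\b(?:curl|nohup|osascript)\b")


def triage_launch_agent(raw: bytes) -> List[str]:
    """Return the reasons a LaunchAgent plist looks suspicious; an empty list means no finding."""
    try:
        plist = plistlib.loads(raw)
    except Exception:
        return ["plist could not be parsed"]
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    if plist.get("Program"):  # 'Program' takes precedence over argv[0] when present
        args.insert(0, str(plist["Program"]))
    reasons = []
    for arg in args:
        if arg.startswith(STAGING_PATHS):
            reasons.append(f"executes from a staging path: {arg}")
    if plist.get("RunAtLoad") and args and not args[0].startswith(TRUSTED_PREFIXES):
        reasons.append(f"RunAtLoad program outside standard install locations: {args[0]}")
    if SHELL_LAUNCHER.search(" ".join(args)):
        reasons.append("launcher invokes a shell or a download/scripting tool")
    if C2_INDICATOR in " ".join(args):
        reasons.append("references the reported C2 address")
    return reasons


# Constructed sample resembling the described persistence technique (not a real artifact)
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.suspect</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>/Users/Shared/.cache/agent</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""

# Constructed benign agent for comparison
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.sync</string>
<key>ProgramArguments</key><array><string>/Applications/Sync.app/Contents/MacOS/sync</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""

if __name__ == "__main__":
    print(triage_launch_agent(SUSPECT_PLIST))  # two findings: staging path, shell launcher
    print(triage_launch_agent(BENIGN_PLIST))   # []
```

To use it on a live host, feed it the bytes of each file under ~/Library/LaunchAgents and review every non-empty result alongside the binary the plist points to.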

The Fake DeepSeek Campaign highlights the growing sophistication of cyberattacks targeting macOS users, who are often perceived as less vulnerable than their Windows counterparts.

By leveraging advanced techniques like persistence mechanisms and encrypted C2 communication, attackers aim to steal critical data while evading detection.

Vigilance and proactive security measures are essential to thwart such threats and protect sensitive information from falling into malicious hands.
