BotWare: Fake AI Robot Spreading Across X

There’s no need to wait for Skynet when your favorite social platform is already swarming with compromised bots. Cybercriminals are capitalizing on the hype around generative AI and DeepSeek, a popular chatbot, by launching a deception campaign that feels more like Rise of the Machines than social engineering.

The weapon? Fake DeepSeek websites and a rogue installer disguised as the next big thing in artificial intelligence. The platform? X (formerly Twitter). The result? Over 1.2 million users exposed to malware hidden behind sleek interfaces and coordinated amplification tactics.

This isn’t sci-fi. It’s supply chain manipulation—served via your timeline.

Zeroing in on engineers

The victims weren’t careless. They were curious. Developers, researchers, and AI enthusiasts—profiles with technical fluency, always scanning for the next breakthrough. Their environments are dynamic, innovation-driven, and often security-reliant. The attackers didn’t need to phish these users. They simply had to meet them where they live: on X, in a thread, under a trending topic.

With one compromised business account and a seemingly credible post, cybercriminals turned AI interest into remote system compromise. And once clicked, it was too late to power down.

It’s not from the future—It’s already on X

The operation began with clones—fake DeepSeek domains like deepseek-ai-soft[.]com and deepseek-pc-ai[.]com. A compromised Australian business account published a post linking to them. Bot networks swarmed in, reposting and inflating visibility. The attack wasn’t viral by chance—it was engineered for scale.

Once users landed on the site and downloaded the fake DeepSeek installer (built using Inno Setup), the real payload began. The malware executed Base64-encoded PowerShell scripts, reconfigured the Windows SSH service, and embedded attacker-owned keys. Result: full remote access to compromised machines, no user prompts, no visible errors—just an open door.

The use of geofencing allowed attackers to adjust the malicious payload based on the victim’s IP, dodging detection tools and evading researchers.

Shut the bot down

This attack blends technical manipulation with psychological timing. Defending against it means acting on both fronts:

• Scrutinize domains for typos, dashes, and imitation tactics—especially in trending tech.

• Only download AI tools from their official websites or verified app stores.

• Deploy endpoint protection that can detect malicious installers and monitor PowerShell activity.

• Monitor for abnormal SSH behavior, especially unexpected reconfigurations or key changes.

• Train users to recognize deception campaigns boosted via compromised accounts.

• Track bot-driven amplification across social platforms, particularly in high-hype cycles.

• Segment networks to isolate high-risk endpoints and minimize lateral movement.

• Keep OS and security tools up to date to neutralize known scripting and SSH abuses.

https://cybersecuritynews.es/ciberdelincuentes-usan-x-para-distribuir-malware-disfrazado-de-deepseek-ai/