Deep-Seek Phishing Campaign (20 February 2026)

Executive Summary

On the morning of 20 February 2026, a large-scale phishing campaign was identified targeting software developers, DevOps engineers, and cloud administrators. The attackers impersonated the popular DeepSeek AI interface and distributed a fake “DeepSeek Desktop Client.”

The downloaded installer deployed RedEngine Infostealer, a credential-harvesting malware focused specifically on:

.env configuration files
AWS credentials
SSH keys
Browser-stored secrets
Cloud CLI tokens

This campaign did not rely on exploiting a software vulnerability. Instead, it succeeded through convincing social engineering and brand impersonation.

What Happened

Attackers created a near-perfect clone of the DeepSeek AI web interface and promoted a fake “Desktop Client – Early Access Build.”

The campaign was distributed through:

Sponsored posts on X (Twitter)
GitHub issue comments
Fake Medium blog posts
Direct phishing emails to developers
Discord/Telegram AI communities
SEO poisoning (malicious search ads ranking above legitimate site)

Victims who downloaded and executed the “desktop client” unknowingly installed RedEngine Infostealer, which immediately began harvesting sensitive data from their systems.

The campaign was active for several hours before detection and domain takedown efforts began.

Initial Access Vector

The initial vector was phishing via brand impersonation.

No zero-day exploit.
No vulnerability exploitation.
Purely user execution.

The attacker workflow:

Victim searches “DeepSeek desktop app”
Malicious sponsored search result appears
Victim downloads:
- DeepSeek_Setup_1.3.2.exe
- DeepSeek.dmg
- DeepSeek.AppImage
User runs installer
Malware executes silently in background

The installer displayed a legitimate-looking UI to avoid suspicion.

Payload Delivered

Primary Payload: RedEngine Infostealer

RedEngine is a credential and secrets-focused infostealer, and this variant was customized for developer environments.

Capabilities Observed

Harvest .env files recursively from:
- /home/*/
- C:\Users\*\
- Project directories
- Docker volumes
Extract AWS credentials from:
- ~/.aws/credentials
- ~/.aws/config
Dump environment variables
Steal SSH private keys:
- ~/.ssh/id_rsa
- id_ed25519
Exfiltrate Kubernetes configs:
- ~/.kube/config
Steal Git credentials
Extract browser session tokens
Steal crypto wallets (secondary module)
Collect system metadata

Execution Chain

Windows Execution Flow

User runs DeepSeek_Setup_1.3.2.exe
Dropper extracts:
- %AppData%\Roaming\DeepSeek\client.exe
- %AppData%\Roaming\DeepSeek\engine.dll
Persistence added via:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DeepSeek
RedEngine launched in background
Data zipped into encrypted archive
Exfiltration via HTTPS POST

macOS Execution Flow

Victim runs unsigned .dmg
App bundle installs:
- ~/Library/Application Support/DeepSeek/agent
Persistence via:
- ~/Library/LaunchAgents/com.deepseek.agent.plist
Keychain dump module triggered
Data exfiltrated

Linux Variant

Distributed as .AppImage
Extracted to /tmp/.deepseek/
Cron persistence added
Harvested Docker secrets
Focused on cloud developer environments

What Was Stolen

The attackers specifically targeted:

1. Environment Files

.env files often contain:

Database passwords
API tokens
Stripe keys
JWT secrets
OAuth secrets
Internal service credentials

2. AWS Credentials

Access keys + secret keys enabled:

S3 access
EC2 access
IAM enumeration
Lambda deployment abuse

In some cases, compromised AWS accounts were later used for:

Cryptomining
Data exfiltration
Creating rogue IAM users

3. SSH Keys

Used for:

GitHub private repo access
Server lateral movement

Command and Control (C2)

RedEngine communicated over HTTPS using encrypted payloads.

Observed Patterns

Outbound POST requests to:
- /api/v3/upload
- /client/sync
TLS self-signed certificates
Hardcoded IP fallback if domain failed
Beacon interval: 90–120 seconds

Data was compressed with:

ZIP
AES-256 encryption
Base64 encoding before transmission

Indicators of Compromise (IOCs)

Suspicious File Names

DeepSeek_Setup_1.3.2.exe
DeepSeekAI_Desktop.exe
DeepSeek-Installer.pkg
DeepSeek.AppImage

Suspicious Directories

Windows

%AppData%\Roaming\DeepSeek\
%LocalAppData%\Temp\deepcache\

macOS

~/Library/Application Support/DeepSeek/
~/Library/LaunchAgents/com.deepseek.agent.plist

Linux

/tmp/.deepseek/
/var/tmp/.engine/

Registry Persistence (Windows)

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DeepSeek

Network Indicators

Unusual outbound HTTPS to newly registered domains
Beacon interval ~100 seconds
POST size between 200KB – 5MB shortly after execution

Was Any Vulnerability Exploited?

No known CVE was exploited.

This was pure social engineering:

Brand impersonation
SEO poisoning
Malicious advertising
Fake GitHub discussions

The success came from trust in AI tooling.

Antivirus / EDR Evasion

The sample showed:

Code signing with stolen certificate (short-lived)
Obfuscated strings
Delayed execution (sleep 2–5 minutes)
Anti-VM checks
Disabled Windows Defender via PowerShell (select cases)
Used legitimate Windows API calls to avoid detection

Many signature-based AV solutions initially missed it due to:

Fresh hash
Custom packer
Encrypted strings

Behavior-based EDR caught it later due to:

Mass file access
Credential harvesting behavior
Unusual network exfiltration

Impact

Primary Victims

Software developers
DevOps engineers
Startup teams
Freelancers
Cloud administrators

Secondary Impact

Compromised AWS accounts
Data leakage
Stolen source code
Infrastructure compromise
Supply chain risk

Several startups reported:

Unauthorized IAM user creation
Suspicious S3 downloads
Crypto mining workloads

How to Detect This Campaign

1. Endpoint Detection Rule (Behavioral)

Look for:

Process named DeepSeek*
Followed by mass access to:
- .env
- .aws
- .ssh
Followed by large outbound HTTPS POST

2. Sigma Rule

title: DeepSeek RedEngine Infostealer Activity
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|contains:
      - DeepSeek
    CommandLine|contains:
      - .env
      - .aws
      - .ssh
  condition: selection
level: high

3. Network Hunting

Query:

New domains registered within last 7 days
HTTPS POST with payload > 200KB from developer workstations
Repeated outbound connections every 90–120 seconds

4. Cloud Monitoring