An attack campaign using DeepSeek, AutoCAD, UltraViewer and other business apps as phishing lures was found spreading three different backdoors for remote access to victims’ systems, Kaspersky revealed in a blog post Wednesday.
One of the malware strains, known as TookPS, was previously discovered by Kaspersky in March, when fake DeepSeek pages were leveraged to spread the backdoor. The DeepSeek phishing page gained exposure through posts on X, one of which received about 1.2 million views.
Further telemetry analysis into the TookPS downloader found that the threat actor behind the campaign also imitated the brands of several other tools, including popular business applications, in order to spread TookPS and other backdoor malware.
Websites were discovered offering free downloads for the remote desktop software UltraViewer and the 3D modeling tools AutoCAD and SketchUp, which in reality installed the TookPS loader that retrieves malicious PowerShell scripts from the attacker’s command-and-control (C2) domains.
Files involved in the campaign also bore the names of the music production software Ableton and the personal finance app Quicken, suggesting further targeting of different organizations and individuals.
The TookPS loader initially retrieves a PowerShell script with commands that sequentially download and execute three additional PowerShell scripts to deploy the backdoors.
The first script downloads three files: sshd.exe, an SSH server configuration file and an RSA key file. The second script retrieves command line parameters for sshd.exe, including a remote server address, port and username, and then runs it to start an SSH server authenticated and configured using the other two files downloaded by the prior script.
The SSH server launched by TookPS serves as a tunnel through which the attacker can gain system access and execute arbitrary commands on the victim’s machine, according to Kaspersky.
However, the threat actor also uses the third script to download a custom version of the TeviRat backdoor, which uses dynamic-link library (DLL) sideloading to modify and launch the remote access software TeamViewer. A malicious library in the TeamViewer folder alters its behavior to grant the attackers remote access and hide the presence of the backdoor from the user.
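A defender-side hunt over the chain just described, added here as an example and not Kaspersky's code: it flags sshd.exe when started by PowerShell or run from outside the OpenSSH install directory, and TeamViewer.exe loading an unsigned DLL from its own folder (the sideloading pattern). The Sysmon-like event dicts, their field names and the sample paths are constructed assumptions for illustration.

```python
"""Hunt heuristics for the TookPS / TeviRat delivery chain (added example)."""
import ntpath

# Constructed, Sysmon-like sample events (EventID 1 = process create,
# EventID 7 = image load). Not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\sshd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"sshd.exe -f C:\Users\u\AppData\Local\Temp\sshd_config"},
    {"EventID": 1, "Image": r"C:\Windows\System32\OpenSSH\sshd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\OpenSSH\sshd.exe"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\TV\TeamViewer.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\TV\tv_w32.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

# Assumed location of the legitimate Windows OpenSSH server binary.
EXPECTED_SSHD_DIR = r"c:\windows\system32\openssh"


def flag_event(ev):
    """Return a finding string if the event matches a hunt rule, else None."""
    if ev["EventID"] == 1:
        image = ev["Image"].lower()
        parent = ntpath.basename(ev["ParentImage"]).lower()
        if ntpath.basename(image) == "sshd.exe":
            # Rule 1: sshd.exe spawned by PowerShell, or running outside
            # the expected OpenSSH directory (TookPS drops it to a temp dir).
            if parent == "powershell.exe" or ntpath.dirname(image) != EXPECTED_SSHD_DIR:
                return "suspicious sshd.exe launch: " + ev["Image"]
    elif ev["EventID"] == 7:
        if ntpath.basename(ev["Image"]).lower() == "teamviewer.exe":
            loaded = ev["ImageLoaded"]
            # Rule 2: TeamViewer loads an unsigned DLL from its own folder,
            # the DLL sideloading pattern used by the TeviRat backdoor.
            same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(ev["Image"]).lower()
            if same_dir and ev.get("Signed", "false") != "true":
                return "possible DLL sideloading into TeamViewer: " + loaded
    return None


def hunt(events):
    """Run every rule over a list of events and return the findings."""
    return [f for f in (flag_event(e) for e in events) if f]
```

Real deployments would feed the same rules from a SIEM query or Sysmon export rather than an inline list; the legitimate OpenSSH install and a properly installed, signed TeamViewer produce no findings here.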
A third backdoor, called Lapmon, was also found to be deployed during the attacks, although the exact delivery method was not discovered. Ultimately, the attackers establish multiple avenues of access and persistence on the victim’s machine.
Several phishing campaigns leveraging the popularity of the open-source large-language model (LLM) DeepSeek have popped up since the beginning of 2025, including two others discovered by Kaspersky in March. These fake sites offer downloads for a DeepSeek Windows application but in reality install other backdoors and infostealers.
Kaspersky noted that the real DeepSeek does not currently have an official Windows client.
In addition to the spread of fake DeepSeek apps on social media, such malicious imitation sites have also been proliferated through malvertising via Google Ads.