Hackers Use Fake DeepSeek TUI GitHub Repositories to Deliver Malware

By Tushar Subhra Dutta, Cyber Security News, May 11, 2026

Hackers are once again targeting developers and AI enthusiasts by impersonating popular open-source tools on GitHub. This time, the target is DeepSeek TUI, a legitimate terminal-based intelligent agent that allows users to interact with DeepSeek large language models directly from the command line. With the recent release of DeepSeek v4 and a widely shared post by developer Hunter Bown generating buzz across Chinese-language tech communities, the project quickly became a high-value spoofing target for threat actors looking to capitalize on trending AI software.

The attack follows a pattern that has grown increasingly common in the developer community. Cybercriminals create convincing fake repositories on GitHub that closely mimic the look and layout of a genuine project. Unsuspecting users who land on these pages are tricked into downloading what appears to be a legitimate tool. In this case, the malware was hidden inside a 7z compressed archive file sitting on the Releases page of the fraudulent repository, making it look like a standard software download.

Researchers at QiAnXin Threat Intelligence Center were the first to identify this campaign in detail. They noted that the malware’s features are nearly identical to a previously disclosed spoofing attack known as OpenClaw, which QiAnXin exposed in March 2026. The same malicious domain names used in that earlier campaign also appear in this one, pointing to the same threat actor operating in an ongoing and evolving capacity.

What makes this campaign particularly concerning is the sheer number of fake AI-themed installer names tied to the same attack infrastructure. Alongside DeepSeek TUI, researchers found counterfeit files posing as tools named after Claude, Grok, WormGPT, KawaiiGPT, fraudGPT, and several others.
Fake DeepSeek TUI Repository Used as Malware Delivery Point

Based on a shared PDB path called “ClawCode.pdb” found embedded in the samples, all of these malicious executables are linked to the same Rust-written malware family, suggesting a coordinated threat actor constantly rotating spoofing targets.

The primary malware file identified in this campaign is named DeepSeek-TUI_x64.exe, with an MD5 hash of b96c0d609c1b7e74f8cb1442bf0b5418 and a compilation timestamp of April 29, 2026. Before executing any malicious behavior, it runs an extensive environment check to determine whether it is running inside a sandbox. If it detects signs of a virtual machine, known analysis tools, or suspicious system characteristics, it displays the message “Sorry, your system does not meet the minimum requirements” and quietly exits.

Once the malware confirms it is running on a real user machine, it proceeds to disable key Windows Defender protections using an XOR-encrypted PowerShell script. It adds six folder exclusions, disables cloud-based reporting, turns off behavior monitoring, and opens three inbound firewall ports: 57001, 57002, and 56001. The string decryption key used in the sample is “xnasff3wcedj,” and the malware reaches out to Pastebin and snippet.host links to fetch Azure-hosted second-stage payloads.

The downloaded second-stage components each serve a specific role in maintaining the attacker’s access. OneSync.exe and WinHealhCare.exe handle installation and scheduled task setup while reporting back via Telegram. The component onedrive_sync.exe ensures persistence through the Windows Run registry key. Meanwhile, svc_service.exe acts as the resident core, using NT syscalls for thread injection and loading .NET assemblies entirely in memory to avoid detection.

Multi-Stage Persistence and Anti-Sandbox Evasion

The campaign’s use of multiple persistence mechanisms makes it especially difficult to remove once a system is compromised.
The malware can survive through scheduled tasks, registry Run keys, Winlogon hooks, and startup shortcuts. The second-stage loader autodate.exe masquerades as a service manager while quietly injecting payloads into memory. The C2 domains used are mikolirentryifosttry.info and zkevopenanu.cfd.

Developers and security teams are strongly advised to verify the authenticity of any GitHub repository before downloading files, especially for AI-related tools that have gained sudden public attention. Always check account age, commit history, and the number of genuine contributors before trusting a release. Endpoint detection tools that monitor memory injection techniques and unusual PowerShell activity can also help flag this type of threat early.

Indicators of Compromise (IoCs):
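A host triage script that checks for the Defender tampering, firewall openings and persistence artifacts described above, added here as an example and not code from the article or from QiAnXin. It assumes an elevated PowerShell session on Windows with the Defender and NetSecurity modules; the ports and second-stage filenames come from the article, while the Winlogon Shell/Userinit comparison is an assumption, since the article names no specific hook value.

```powershell
# Added triage script (not from the article or QiAnXin): read-only checks for the
# Defender tampering, firewall openings and persistence artifacts described above.
# Assumes an elevated PowerShell session on Windows with the Defender and
# NetSecurity modules. Ports and filenames below are the ones the article names.
$SuspectPorts = '57001', '57002', '56001'
$SuspectNames = 'OneSync.exe', 'WinHealhCare.exe', 'onedrive_sync.exe', 'svc_service.exe', 'autodate.exe', 'vicloud.exe'
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Defender preferences the dropper is reported to change via PowerShell
$mp = Get-MpPreference
if ($mp.ExclusionPath)             { $Findings.Add("Defender exclusions: $($mp.ExclusionPath -join ', ')") }
if ($mp.DisableBehaviorMonitoring) { $Findings.Add('Defender behavior monitoring is disabled') }
if ($mp.MAPSReporting -eq 0)       { $Findings.Add('Defender cloud (MAPS) reporting is off') }

# 2. Inbound allow rules on the three ports the dropper opens
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue | ForEach-Object {
  $rule = $_
  foreach ($port in @(($rule | Get-NetFirewallPortFilter).LocalPort)) {
    if ($port -in $SuspectPorts) { $Findings.Add("Inbound allow rule '$($rule.DisplayName)' on port $port") }
  }
}

# 3. Run keys, plus Winlogon Shell/Userinit compared with their defaults (the article
#    names no specific Winlogon hook, so this check is an assumption)
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
  $props = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
  foreach ($p in $props) { foreach ($n in $SuspectNames) {
    if ("$($p.Value)" -like "*$n*") { $Findings.Add("Run value '$($p.Name)' in $key references $n") }
  } }
}
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') { $Findings.Add("Winlogon Shell is '$($wl.Shell)'") }
if ($wl.Userinit -and $wl.Userinit -notmatch '\\system32\\userinit\.exe,?$') { $Findings.Add("Winlogon Userinit is '$($wl.Userinit)'") }

# 4. Startup-folder shortcuts and scheduled tasks that launch a second-stage binary
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup", "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
  $target = $shell.CreateShortcut($_.FullName).TargetPath
  foreach ($n in $SuspectNames) { if ($target -like "*$n*") { $Findings.Add("Startup shortcut $($_.Name) -> $target") } }
}
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
  $task = $_
  foreach ($a in $task.Actions) { foreach ($n in $SuspectNames) {
    if ("$($a.Execute) $($a.Arguments)" -like "*$n*") { $Findings.Add("Scheduled task '$($task.TaskName)' runs $n") }
  } }
}

if ($Findings.Count) { $Findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No artifacts from this campaign found.' }
```

The script only reads configuration; any warning it prints is a lead to confirm against the full sample set, not a verdict on its own.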