Fake DeepSeek campaign hits macOS delivering Poseidon malware

A new cyberattack exploiting the rising popularity of DeepSeek is targeting macOS users to distribute a highly sophisticated malware called Poseidon Stealer.

Known as the ‘Fake DeepSeek Campaign, the cyberattack revealed by a security researcher in a 29 January X post, aims to steal sensitive data from victims.

What is the Poseidon Stealer?

Poseidon Stealer is a malware designed to steal sensitive data, including browser-stored credentials, cryptocurrency wallets, and system information.

The malware is distributed through fake applications and malicious payloads, primarily spread via phishing links and compromised websites, deceiving users into downloading seemingly legitimate software.

Once executed, the Poseidon Stealer collects sensitive data, including system information, login credentials, and details from crypto wallets.

Additionally, it logs keystrokes and communicates with its command-and-control (C2) server at 65.20.101.215/p2p to exfiltrate the stolen data.

The attack starts with a trojanized application file, identified by the hash ffef9d958bcc1d869639b785f36dfa035cdd41e35c1417b4e9895dc6a2d9017f.

Upon execution, this file installs Poseidon Stealer and establishes persistence on the infected device by modifying macOS list files.

The malware exploits legitimate system processes to avoid detection and encrypts communication with the C2 server.

Security experts have shared multiple indicators of compromise (IoCs) to enable defenders to identify the malware. They include Network traffic directed to 65.20.101.215/p2p, presence of suspicious plist files in ~/Library/Launch Agents, and execution of unknown binaries with elevated privileges.

Implications for macOS users

The Fake DeepSeek Campaign highlights the increasing sophistication of cyberattacks targeting macOS users.

While macOS devices are often considered more secure than Windows systems, this attack shows they are not immune.

The nature of this malware indicates that even traditionally secure platforms can be vulnerable, underscoring the need for strong defense strategies.

Proactive security measures are crucial to defending against such threats and protecting sensitive data.