As DeepSeek v4 dominates tech headlines in May 2026, cybercriminals are wasting no time. Threat actors are now flooding GitHub with fraudulent repositories impersonating DeepSeek TUI, a popular terminal-based tool used to interact with DeepSeek models.
By riding the wave of high-profile developer interest, attackers are tricking AI enthusiasts into downloading malicious “releases” that appear identical to legitimate open-source software. This campaign is part of a broader trend where hackers “spoof” trending AI tools to gain a foothold on high-value developer workstations.
The “ClawCode” Malware: Stealth by Design
Researchers at the QiAnXin Threat Intelligence Center identified that these fake repositories are delivering a sophisticated malware family written in Rust. Dubbed “ClawCode” (based on its PDB debug path), this malware is a direct evolution of the “OpenClaw” campaign first spotted in March 2026.
The Attack Chain:
- The Hook: A user downloads `DeepSeek-TUI_x64.exe` from a GitHub “Releases” page.
- Anti-Sandbox Check: Before doing anything, the malware checks for virtual machines or analysis tools. If it detects one, it displays a fake error, “Sorry, your system does not meet the minimum requirements,” and exits to avoid detection.
- Defender Sabotage: If the environment is “clean,” it executes an XOR-encrypted PowerShell script that disables Windows Defender cloud reporting and behavior monitoring and adds six folder exclusions to hide its files.
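The Defender sabotage step leaves a clear trace if PowerShell script block logging (Event ID 4104) is enabled, because the engine logs the decoded script text when it is executed, regardless of how the script was encrypted on disk. The following is an added example, not code from the article or from QiAnXin, that scans 4104 message text for the cmdlet/parameter combinations matching the behaviour described above and pulls out the exclusion paths that were added. The sample script blocks are constructed.

```python
"""Flag Defender-tampering commands in PowerShell script-block logs.

Added example (not code from the article or from QiAnXin). It assumes the
input is the message text of Microsoft-Windows-PowerShell/Operational
Event ID 4104 records (script block logging). Because the engine logs a
script block again when decoded text is handed to Invoke-Expression, this
also catches the decoded form of an XOR-encrypted dropper script.
"""
import re

# Cmdlet/parameter combinations matching the sabotage the article describes:
# cloud (MAPS) reporting off, behaviour monitoring off, exclusions added.
# Real-time and sample-submission switches are included as related tampering.
TAMPER_PATTERNS = {
    "cloud_reporting_off": re.compile(
        r"Set-MpPreference\b[^\n]*-MAPSReporting\s+(?:0|Disabled?)\b", re.I),
    "behavior_monitoring_off": re.compile(
        r"Set-MpPreference\b[^\n]*-DisableBehaviorMonitoring\s+(?:\$true|1)\b", re.I),
    "sample_submission_off": re.compile(
        r"Set-MpPreference\b[^\n]*-SubmitSamplesConsent\s+(?:2|NeverSend)\b", re.I),
    "realtime_off": re.compile(
        r"Set-MpPreference\b[^\n]*-DisableRealtimeMonitoring\s+(?:\$true|1)\b", re.I),
    "exclusion_added": re.compile(
        r"Add-MpPreference\b[^\n]*-Exclusion(?:Path|Process|Extension)\s+", re.I),
}
EXCLUSION_ARGS = re.compile(r"Add-MpPreference\b[^\n]*?-ExclusionPath\s+([^\n;|]+)", re.I)


def exclusion_paths(text):
    """Return the paths passed to Add-MpPreference -ExclusionPath (comma lists split)."""
    paths = []
    for m in EXCLUSION_ARGS.finditer(text):
        raw = re.split(r"\s+-\w+", m.group(1))[0]  # drop trailing switches such as -Force
        for p in raw.split(","):
            p = p.strip().strip("'\"")
            if p:
                paths.append(p)
    return paths


def scan_script_blocks(blocks):
    """Return (block_index, finding_name, matched_text) for every tamper pattern hit."""
    findings = []
    for idx, text in enumerate(blocks):
        for name, pattern in TAMPER_PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append((idx, name, m.group(0).strip()))
    return findings


# Constructed sample script blocks: one benign admin query, one imitation of
# a decoded dropper script (paths invented for the demo).
SAMPLE_BLOCKS = [
    "Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled",
    "Set-MpPreference -MAPSReporting 0 -DisableBehaviorMonitoring $true -SubmitSamplesConsent 2\n"
    'Add-MpPreference -ExclusionPath "C:\\ProgramData\\OneSync", "$env:APPDATA\\svc", '
    '"C:\\Users\\Public\\autodate" -Force',
]

if __name__ == "__main__":
    for idx, name, snippet in scan_script_blocks(SAMPLE_BLOCKS):
        print(f"block {idx}: {name}: {snippet}")
    print("excluded paths:", exclusion_paths(SAMPLE_BLOCKS[1]))
```

Feed it the 4104 message bodies exported from the event log (one string per event); anything it returns for a non-administrative user or outside a change window deserves a look, and the extracted exclusion paths tell you where to point a file sweep.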
Multi-Stage Persistence: The “Living in Memory” Strategy
Once the initial dropper (DeepSeek-TUI_x64.exe) clears the way, it fetches second-stage payloads from Azure, Pastebin, and Snippet.host.
- Communication: It utilizes Telegram relay endpoints to report successful infections back to the attackers.
- Memory Injection: The core component, `svc_service.exe`, uses direct NT syscalls to inject .NET assemblies entirely into the system’s RAM. Because the code never touches the hard drive, traditional file-based scanners often miss it.
- Persistence: The malware cements its stay using four different methods: Windows Task Scheduler, Registry “Run” keys, Winlogon hooks, and Startup shortcuts.
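Two of the four persistence methods named above, Run keys and Winlogon hooks, live in the registry and can be audited from an export without running anything on the suspect host. The following is an added example, not code from the article or the researchers, that parses `reg export` text for the Run keys and the Winlogon key, flags any Winlogon `Shell`/`Userinit` entry beyond the stock values, and flags Run entries that point at the component names from this campaign or at user-writable directories. The registry sample is constructed; scheduled tasks and Startup shortcuts are separate artefacts not covered here.

```python
"""Audit a registry export for the Run-key and Winlogon persistence the article lists.

Added example, not the article's or the researchers' code. Input is text in
`reg export` format for the Run keys and the Winlogon key (the sample below
is constructed). Scheduled tasks and Startup-folder shortcuts are separate
artefacts and are not parsed here.
"""
import re

# Binary names from the article's component table.
KNOWN_COMPONENTS = {"onesync.exe", "onedrive_sync.exe", "svc_service.exe", "autodate.exe"}
# Expected Winlogon values on an unmodified Windows install (assumption).
WINLOGON_BASELINE = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe"}
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\Public|Downloads)\\", re.I)
# Quoted path with spaces, or a bare path ending in .exe (stops at comma/space).
EXE_RE = re.compile(r'"([^"]+?\.exe)"|([^\s,"]+\.exe)', re.I)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for REG_SZ values in .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg escapes backslash and double quote with a backslash
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def binaries_in(data):
    """Executable paths in a command line or comma-separated Winlogon list."""
    return [quoted or bare for quoted, bare in EXE_RE.findall(data)]


def audit(keys):
    """Return (severity, key_path, value_name, message) findings."""
    findings = []
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1].lower()
        if leaf in ("run", "runonce"):
            for name, data in values.items():
                for exe in binaries_in(data):
                    base = exe.rsplit("\\", 1)[-1].lower()
                    if base in KNOWN_COMPONENTS:
                        findings.append(("high", path, name, f"known ClawCode component {base}"))
                    elif USER_WRITABLE.search(exe):
                        # Legitimate software (e.g. OneDrive) also autoruns from AppData,
                        # so this is a review item rather than a verdict.
                        findings.append(("review", path, name, f"autorun from user-writable path {exe}"))
        elif leaf == "winlogon":
            lowered = {k.lower(): v for k, v in values.items()}
            for vname, baseline in WINLOGON_BASELINE.items():
                for exe in binaries_in(lowered.get(vname, "")):
                    if exe.lower() not in (baseline, baseline.rsplit("\\", 1)[-1]):
                        findings.append(("high", path, vname, f"Winlogon {vname} hook: {exe}"))
    return findings


# Constructed export: a real-looking OneDrive autorun plus three entries imitating the campaign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\dev\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"OneDriveSync"="C:\\ProgramData\\OneSync\\onedrive_sync.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\ProgramData\\OneSync\\OneSync.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\autodate.exe,"
'''

if __name__ == "__main__":
    for severity, path, name, message in audit(parse_reg_export(SAMPLE_REG)):
        print(f"[{severity}] {path}\\{name}: {message}")
```

The Winlogon check is deliberately strict: those two values should contain exactly the stock binary, so any appended executable is worth treating as a hook regardless of its name. The Run-key check is looser and will surface legitimate AppData autoruns as review items, which is the trade-off a hunt like this has to make.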
Beyond DeepSeek: A Growing List of Spoofed AI Tools
DeepSeek is not the only target. The same infrastructure is currently hosting malicious installers for nearly every major AI name in 2026, including:
- Claude & Grok (Counterfeit CLI tools)
- WormGPT & FraudGPT (Fake “dark” AI tools)
- KawaiiGPT & Kimi-K2.6 (AI-themed wrappers)
| Malware Component | Purpose |
| --- | --- |
| OneSync.exe | Installation & Task Setup |
| onedrive_sync.exe | Persistence via Registry |
| svc_service.exe | In-memory Thread Injection |
| autodate.exe | Service Manager Masquerade |
Critical Indicators of Compromise (IoCs)
Security teams should scan for the following domains and file hashes:
- C2 Domains: `mikolirentryifosttry.info`, `zkevopenanu.cfd`
- Dropper Hash (MD5): `b96c0d609c1b7e74f8cb1442bf0b5418` (DeepSeek-TUI_x64.exe)
- Payload Password URL: `hxxps://pastebin.com/raw/M6KthA5Z`
- String Decryption Key: `xnasff3wcedj`
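A practical sweep for the indicators above needs two passes: hashing files on disk against the dropper MD5 (plus matching the component names from the table) and checking resolver or proxy logs for the C2 domains. The following is an added example, not code from the article or from QiAnXin; the indicator values are the ones listed above, while the files and DNS log lines it runs against are constructed. The log parser assumes BIND-style `query:` lines and should be adapted to whatever resolver you actually log from.

```python
"""Sweep a directory tree and resolver log lines for the article's ClawCode indicators.

Added example, not code from the article or QiAnXin. The indicator values are
the ones the article lists; the files and log lines the demo uses are constructed.
"""
import hashlib
import os
import re
import tempfile

IOC_MD5 = {"b96c0d609c1b7e74f8cb1442bf0b5418"}   # DeepSeek-TUI_x64.exe dropper (from the article)
IOC_DOMAINS = {"mikolirentryifosttry.info", "zkevopenanu.cfd"}   # C2 domains (from the article)
IOC_NAMES = {"deepseek-tui_x64.exe", "onesync.exe", "onedrive_sync.exe",
             "svc_service.exe", "autodate.exe"}   # dropper and component names (from the article)


def md5_of(path, chunk=1 << 20):
    """Stream a file through MD5 so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, hashes=IOC_MD5, names=IOC_NAMES):
    """Return (path, reason) for files whose name or MD5 matches an indicator."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if fn.lower() in names:
                hits.append((full, f"filename matches known component {fn}"))
            try:
                digest = md5_of(full)
            except OSError:
                continue   # unreadable or vanished file; keep sweeping
            if digest in hashes:
                hits.append((full, f"MD5 {digest} matches dropper hash"))
    return hits


# Assumption: BIND-style query log lines ("... query: <name> IN A ..."); adapt for your resolver.
QUERY_RE = re.compile(r"query:\s+(\S+)")


def sweep_dns(lines, domains=IOC_DOMAINS):
    """Return (line_number, queried_name) for lookups of a C2 domain or any subdomain of it."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        if name in domains or any(name.endswith("." + d) for d in domains):
            hits.append((n, name))
    return hits


# Constructed resolver log lines (timestamps and client addresses invented for the demo).
SAMPLE_DNS = [
    "12-May-2026 09:14:02.113 client 10.0.0.15#51234: query: github.com IN A + (10.0.0.1)",
    "12-May-2026 09:14:05.551 client 10.0.0.15#51240: query: api.zkevopenanu.cfd IN A + (10.0.0.1)",
    "12-May-2026 09:14:07.002 client 10.0.0.15#51241: query: mikolirentryifosttry.info IN A + (10.0.0.1)",
    "12-May-2026 09:14:09.310 client 10.0.0.22#50011: query: pastebin.com IN A + (10.0.0.1)",
]


def demo():
    """Build a throwaway directory with constructed files and run both sweeps."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("nothing to see here\n")
        with open(os.path.join(root, "svc_service.exe"), "wb") as f:
            f.write(b"MZ-not-really-the-malware")   # name hit only
        staged = os.path.join(root, "update.bin")
        with open(staged, "wb") as f:
            f.write(b"constructed payload stand-in")
        # Simulate a hash match by adding this file's digest to the indicator set;
        # a real sweep uses IOC_MD5 alone.
        file_hits = sweep_files(root, hashes=IOC_MD5 | {md5_of(staged)})
        dns_hits = sweep_dns(SAMPLE_DNS)
    return file_hits, dns_hits


if __name__ == "__main__":
    files, dns = demo()
    for path, reason in files:
        print(path, "->", reason)
    for n, name in dns:
        print(f"DNS line {n}: lookup of {name}")
```

Note that `pastebin.com` is not treated as an indicator even though the campaign stages its payload password there: it is a legitimate service, so a lookup proves nothing on its own, but a developer workstation fetching `pastebin.com/raw/` URLs shortly after a GitHub download is the kind of sequence worth correlating in a proxy log.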
How Developers Can Stay Safe
GitHub is a playground for innovation, but it’s also a minefield for the unwary. To protect your machine:
- Verify the Source: Before downloading a release, check the repository’s “Stars,” “Forks,” and “Commit History.” If a project has 5,000 stars but has only existed for two days, it’s a fake.
- Inspect the Account: Click on the maintainer’s profile. Legitimate developers usually have a history of contributions; attackers often use “burner” accounts created in the last month.
- Monitor PowerShell: Watch for unusual PowerShell activity that invokes `Add-MpPreference` (the cmdlet used to add Defender exclusions).
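The first two checks above (repository age versus stars, and the maintainer's account history) can be applied mechanically to the metadata GitHub returns for any repository. The following is an added example, not code from the article, that scores a repository/owner pair for impersonation red flags. It reads the field names of the GitHub REST API's `GET /repos/{owner}/{repo}` and `GET /users/{owner}` responses (`created_at`, `stargazers_count`, `forks_count`, `public_repos`, `followers`), plus two derived values it assumes you compute yourself (`commit_count` from the commits endpoint and `has_releases` from the releases endpoint). The thresholds are illustrative assumptions, and the two records it scores are constructed so it runs offline.

```python
"""Score a GitHub repository and its maintainer for impersonation red flags.

Added example, not from the article. Field names follow the GitHub REST API
responses for /repos/{owner}/{repo} and /users/{owner}; `commit_count` and
`has_releases` are assumed to be derived by the caller from the commits and
releases endpoints. Thresholds are assumptions for illustration.
"""
from datetime import datetime, timezone

# Illustrative thresholds (assumptions, not published figures).
YOUNG_REPO_DAYS = 14        # a repo younger than this with many stars is suspicious
MANY_STARS = 1000
STARS_PER_FORK = 20         # organic projects rarely exceed ~20 stars per fork
MIN_COMMITS = 5
NEW_ACCOUNT_DAYS = 30


def _age_days(iso_timestamp, now):
    """Days between an ISO-8601 timestamp (GitHub style, 'Z' suffix) and `now`."""
    created = datetime.fromisoformat(iso_timestamp.replace("Z", "+00:00"))
    return (now - created).total_seconds() / 86400


def assess_repo(repo, owner, now=None):
    """Return a list of red-flag strings; an empty list means nothing obviously wrong."""
    now = now or datetime.now(timezone.utc)
    flags = []
    repo_age = _age_days(repo["created_at"], now)
    stars = repo.get("stargazers_count", 0)
    forks = repo.get("forks_count", 0)
    commits = repo.get("commit_count", 0)

    if repo_age < YOUNG_REPO_DAYS and stars >= MANY_STARS:
        flags.append(f"{stars} stars on a {repo_age:.1f}-day-old repository")
    if stars and forks * STARS_PER_FORK < stars:
        flags.append(f"star/fork ratio {stars}:{forks} is unusual for organic growth")
    if commits < MIN_COMMITS:
        flags.append(f"only {commits} commits of history")
    if repo.get("has_releases") and commits < MIN_COMMITS:
        flags.append("binary release published with almost no source history")
    if _age_days(owner["created_at"], now) < NEW_ACCOUNT_DAYS:
        flags.append("maintainer account created within the last 30 days")
    if owner.get("public_repos", 0) <= 1 and owner.get("followers", 0) == 0:
        flags.append("maintainer has no other public activity")
    return flags


# Constructed records: a two-day-old lookalike with bought stars and a burner
# owner, beside an established project. Reference time is fixed for the demo.
NOW = datetime(2026, 5, 12, tzinfo=timezone.utc)
SUSPECT_REPO = {"created_at": "2026-05-10T08:00:00Z", "stargazers_count": 5000,
                "forks_count": 3, "commit_count": 2, "has_releases": True}
SUSPECT_OWNER = {"created_at": "2026-04-28T00:00:00Z", "public_repos": 1, "followers": 0}
ESTABLISHED_REPO = {"created_at": "2024-11-01T00:00:00Z", "stargazers_count": 4200,
                    "forks_count": 310, "commit_count": 640, "has_releases": True}
ESTABLISHED_OWNER = {"created_at": "2019-03-15T00:00:00Z", "public_repos": 40, "followers": 850}

if __name__ == "__main__":
    for label, repo, owner in (("suspect", SUSPECT_REPO, SUSPECT_OWNER),
                               ("established", ESTABLISHED_REPO, ESTABLISHED_OWNER)):
        print(label, assess_repo(repo, owner, NOW) or ["no red flags"])
```

None of these signals is conclusive alone, which is why the function returns every flag rather than a verdict: a brand-new fork of a real tool can legitimately have few commits, but a brand-new repository with thousands of stars, almost no commits, a binary release and a month-old owner is the profile this campaign relies on.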