Microsoft Warns of Fake DeepSeek V4 Repos Spreading Malware

Hackers are creating fraudulent GitHub repositories impersonating DeepSeek V4 to distribute Vidar and GhostSocks trojans, Microsoft's threat intelligence team warns.

Microsoft's threat intelligence team has issued an urgent warning about hackers exploiting the popularity of DeepSeek to distribute dangerous malware through fake GitHub repositories. Cybercriminals are creating fraudulent repos claiming to offer DeepSeek V4 model weights and files, but the downloads actually contain Vidar and GhostSocks trojans designed to steal credentials and compromise systems.

The campaign, disclosed via Microsoft's official LinkedIn account on May 6, 2025, represents a growing trend of attackers 'trend-jacking' popular AI models to lure unsuspecting developers and researchers into downloading malicious payloads.

Key Facts at a Glance

  • Fake GitHub repositories impersonate DeepSeek V4, offering fraudulent 'model files' that are actually trojans
  • The malware includes Vidar (an info-stealer) and GhostSocks (a proxy/backdoor trojan)
  • DeepSeek's official code and accounts have not been compromised — this is purely a phishing campaign
  • DeepSeek V4 is distributed only via API and Hugging Face, not through GitHub model repositories
  • GitHub has already shut down several malicious repos and banned associated accounts
  • Users searching for 'DeepSeek v4 weights GitHub' are at highest risk of encountering these malicious repos

How the Attack Works: Exploiting AI Hype

The attack strategy is deceptively simple but highly effective. Hackers create GitHub repositories with names and descriptions that closely mimic what a legitimate DeepSeek V4 model repository might look like. These repos are optimized for search visibility, meaning developers who search for terms like 'DeepSeek v4 weights GitHub' or 'DeepSeek V4 model download' are likely to encounter the malicious repositories before — or instead of — any legitimate resources.

Once a user visits the fake repository, they find what appears to be standard model files, documentation, and installation instructions. The files are packaged to resemble typical AI model distributions, complete with README files and directory structures that mirror authentic open-source AI projects. However, the actual payloads contain sophisticated malware designed to evade initial detection.

Microsoft emphasized that this is a 'trend-jacking' attack — the hackers are simply borrowing the DeepSeek brand name as bait. DeepSeek's own infrastructure, source code, and official accounts remain secure and uncompromised. The attackers have no affiliation with DeepSeek whatsoever.

Understanding the Malware: Vidar and GhostSocks

The two primary malware strains being distributed in this campaign are particularly concerning for developers and enterprise users.

Vidar is a well-known information-stealing trojan that has been active since at least 2018. It is capable of:

  • Harvesting browser credentials, cookies, and autofill data
  • Stealing cryptocurrency wallet information
  • Capturing screenshots and system information
  • Exfiltrating files from targeted directories
  • Grabbing 2-factor authentication data from desktop apps

GhostSocks is a more specialized piece of malware that functions as a SOCKS5 proxy backdoor. Its capabilities include:

  • Converting infected machines into proxy nodes for routing malicious traffic
  • Enabling attackers to bypass geographic restrictions and IP-based security controls
  • Providing persistent remote access to compromised systems
  • Facilitating lateral movement within corporate networks
  • Evading detection by blending malicious traffic with legitimate network activity

The combination of these two trojans is particularly dangerous. Vidar handles immediate data theft, while GhostSocks establishes long-term persistence and network access. For enterprise environments, a single infected developer workstation could provide attackers with a foothold into broader corporate infrastructure.

A Growing Trend: AI Brand Exploitation in Cybercrime

This incident is far from isolated. The explosive growth of generative AI has created a massive attack surface that cybercriminals are eagerly exploiting. Over the past 18 months, security researchers have documented a sharp increase in malware campaigns that leverage popular AI brand names.

In 2024, similar campaigns targeted users searching for downloads of Meta's Llama models, Stable Diffusion installations, and even fake ChatGPT desktop applications. The pattern is consistent: attackers identify trending AI tools, create convincing but fraudulent distribution channels, and wait for victims to come to them through organic search.

What makes AI-related attacks particularly effective is the target demographic. Developers and researchers downloading model weights are often technically sophisticated, which can paradoxically make them more vulnerable — they may assume they can evaluate the safety of a repository based on its appearance alone. Additionally, AI model files are typically large binary blobs that are difficult to inspect manually, making them ideal vehicles for hiding malicious code.

Compared to traditional phishing campaigns that rely on email, these supply-chain-adjacent attacks leverage the trust inherent in platforms like GitHub. Users generally consider GitHub repositories to be relatively safe, especially when they appear well-maintained and have stars or forks — metrics that can be easily manipulated by attackers using bot networks.

What Developers and Organizations Should Do Now

Microsoft's warning carries clear implications for anyone working with open-source AI models. The threat intelligence team recommends several immediate actions to mitigate risk.

For individual developers:

  • Always verify model downloads through official channels — for DeepSeek, that means the official API or Hugging Face
  • Check the repository owner's account history, creation date, and other projects before downloading anything
  • Be suspicious of repositories that appear only when searching for specific model weight downloads
  • Use endpoint protection software that can detect known malware signatures like Vidar and GhostSocks
  • Enable 2-factor authentication on all development accounts and avoid reusing credentials

For organizations and security teams:

  • Implement policies restricting which GitHub repositories employees can download from
  • Deploy network monitoring to detect communications with known Vidar and GhostSocks command-and-control servers
  • Conduct awareness training specifically focused on AI-related social engineering attacks
  • Use sandboxed environments for evaluating any externally sourced model files
  • Monitor internal systems for indicators of compromise associated with these malware families
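One way to turn the "official channels only" advice and the repository download policy into an enforceable check, for example in a proxy rule or a pre-download hook. This is an added example, not code from Microsoft or DeepSeek; the allowlist entries (`huggingface.co` with owner `deepseek-ai`, and `api.deepseek.com`) and the sample URLs are assumptions to confirm against the project's official website.

```python
from urllib.parse import urlsplit

# Assumed allowlist: host -> set of permitted owners (first path segment),
# or None when the whole host is official. Confirm every entry against the
# project's official website before enforcing it.
OFFICIAL_SOURCES = {
    "huggingface.co": {"deepseek-ai"},
    "api.deepseek.com": None,
}
BRAND_TERMS = ("deepseek",)


def check_source(url):
    """Return (allowed, reason) for a model download URL."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"
    host = (parts.hostname or "").lower().rstrip(".")
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https":
        return False, "scheme is not https"
    if "@" in parts.netloc:
        return False, "userinfo in URL hides the real host"
    if host not in OFFICIAL_SOURCES:
        # Brand name on an unlisted host is the trend-jacking pattern.
        if any(t in (host + parts.path).lower() for t in BRAND_TERMS):
            return False, "brand name on a host outside the allowlist"
        return False, "host outside the allowlist"
    owners = OFFICIAL_SOURCES[host]
    if owners is not None and (not segments or segments[0] not in owners):
        return False, "owner is not an official account on this host"
    return True, "official channel"


# Constructed URLs for illustration; none is taken from the campaign.
SAMPLE_URLS = [
    "https://huggingface.co/deepseek-ai/DeepSeek-R1",
    "https://github.com/example-user/DeepSeek-V4-weights",
    "https://huggingface.co.example.net/deepseek-ai/model",
    "https://huggingface.co@downloads.example/deepseek-ai/model",
    "https://huggingface.co/deepseek-ai-official/DeepSeek-V4",
]


def review(urls):
    """Map each URL to its (allowed, reason) decision."""
    return {u: check_source(u) for u in urls}
```

The check is deliberately deny-by-default: a new repository under a slightly varied name fails without anyone having to add it to a blocklist.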

GitHub has already taken action by removing several identified malicious repositories and banning the accounts behind them. However, given the ease of creating new accounts and repos, security experts expect the attackers to continue creating new fraudulent repositories under slightly varied names.

Industry Context: The Cost of Open-Source AI Popularity

The DeepSeek V4 impersonation campaign highlights a fundamental tension in the AI ecosystem. The open-source AI movement — championed by companies like Meta, Mistral, and DeepSeek — depends on broad, easy access to model weights and code. But that same openness creates opportunities for bad actors.

DeepSeek, the Chinese AI startup that shocked the industry in January 2025 with its remarkably efficient DeepSeek-R1 reasoning model, has seen its brand recognition skyrocket globally. The company's models are among the most searched-for AI tools worldwide, making the DeepSeek name an irresistible lure for cybercriminals. The fact that attackers are already using a 'V4' designation — which may not yet officially exist — shows how preemptively they operate, banking on user curiosity and FOMO.

This situation mirrors what happened with cryptocurrency in 2017-2018, when the explosion of interest in Bitcoin and Ethereum led to a parallel explosion of crypto-related scams, fake wallets, and malicious mining software. The AI industry appears to be entering a similar phase, where mainstream popularity brings both innovation and increased criminal activity.

Looking Ahead: Expect More AI-Themed Attacks

Security analysts expect AI-branded malware campaigns to intensify throughout 2025 and beyond. As new models from OpenAI, Google, Anthropic, Meta, and emerging players like DeepSeek continue to generate headlines, each major release creates a new window of opportunity for attackers.

The cybersecurity community is calling for several systemic changes to address this threat:

  • Verified publisher badges on GitHub for official AI model repositories, similar to verified accounts on social media
  • Standardized model distribution channels that reduce the need for users to search across multiple platforms
  • Automated malware scanning specifically designed for AI model file formats
  • Cross-platform threat intelligence sharing between GitHub, Hugging Face, and other model hosting services
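A minimal sketch of what format-aware scanning of a downloaded "model" directory can look like: each file is classified by its content, not its name, and anything that is executable, an archive, or not the weight format its extension claims is flagged for sandbox analysis. This is an added example, not a tool referenced by Microsoft; the article does not say how the payloads were packaged, so the formats checked here (safetensors, GGUF, PE, ELF, common archives) and the sample bytes are assumptions.

```python
import json
import struct

# Leading bytes of content that has no place in a weights-only download.
EXECUTABLE_MAGIC = {b"MZ": "windows-pe", b"\x7fELF": "elf"}
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!": "rar", b"7z\xbc\xaf": "7z"}
WEIGHT_EXTENSIONS = (".safetensors", ".gguf")

def sniff(data):
    """Classify content by its bytes; the file name is never trusted."""
    # safetensors first: an 8-byte little-endian length, then a JSON object of that size.
    if len(data) >= 8:
        (hdr_len,) = struct.unpack("<Q", data[:8])
        header = data[8:8 + hdr_len] if hdr_len <= 100_000_000 else b""
        if header and len(header) == hdr_len:
            try:
                if isinstance(json.loads(header), dict):
                    return "safetensors"
            except ValueError:
                pass
    if data.startswith(b"GGUF"):
        return "gguf"
    for magic, kind in {**EXECUTABLE_MAGIC, **ARCHIVE_MAGIC}.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(files):
    """Return (name, reason) for each file an analyst should look at."""
    findings = []
    for name, data in sorted(files.items()):
        kind = sniff(data)
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if kind in EXECUTABLE_MAGIC.values():
            findings.append((name, f"executable content ({kind})"))
        elif kind in ARCHIVE_MAGIC.values():
            findings.append((name, f"archive ({kind}): unpack only in a sandbox"))
        elif ext in WEIGHT_EXTENSIONS and kind != ext[1:]:
            findings.append((name, f"named {ext} but content is {kind}"))
    return findings

# Constructed sample of a downloaded directory (file name -> first bytes).
_hdr = json.dumps({"__metadata__": {"format": "pt"}}).encode()
SAMPLE = {
    "model-00001.safetensors": struct.pack("<Q", len(_hdr)) + _hdr,
    "model-00002.safetensors": b"MZ\x90\x00\x03\x00\x00\x00" + bytes(56),
    "model.gguf": b"GGUF\x03\x00\x00\x00",
    "weights.bin": b"PK\x03\x04" + bytes(26),
}
```

A clean result only means the container format matches the name; it does not replace endpoint protection or sandboxed evaluation.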

Until such measures are widely implemented, the burden of safety falls on individual users and organizations. The golden rule remains simple: if you did not find it through the official project website or verified distribution channel, do not download it. In the age of AI hype, a healthy dose of skepticism is the best defense against increasingly sophisticated social engineering campaigns.

For now, anyone interested in DeepSeek models should access them exclusively through DeepSeek's official API or verified Hugging Face repositories — and treat any GitHub repository claiming to host DeepSeek V4 weights with extreme caution.