Being on a stealer: password-stealing viruses masquerading as the DeepSeek neural network

Users are increasingly encountering viruses disguised as well-known services, such as the popular DeepSeek neural network application. The malware is capable of stealing passwords for Gosuslugi ("Public Services"), social networks and corporate accounts. The most effective tools used by fraudsters are stealers: dangerous viruses that can take screenshots and track the messages a user receives. Experts predict that the number of attacks will continue to grow in 2025. How to recognize the malware is covered in this Izvestia article.
What are the dangers of "stealer" viruses?
Malicious copies of well-known chatbots (ChatGPT, DeepSeek and Google Gemini) are actively spreading across the web. Such stealer programs steal passwords for Gosuslugi, social networks and corporate accounts. These viruses are easy to use, cheap and widespread on the darknet, experts say.
Attackers often create malicious clones of government agency and banking applications, imitating their design and functionality, said Lyudmila Bogatyreva, head of the IT division of the Polylog agency.
"Stealers are often distributed via phishing emails with attachments or links to malicious files. Usually in such messages, attackers pretend to be representatives of government agencies, contractors, tech support specialists or HR departments. Today, cybersecurity is actively using AI to recognize and prevent such emails. However, attackers will also use this technology to make letters more plausible and invisible to security services," the expert said.
Stealers are a group of malicious programs used to steal confidential information from a device, such as passwords for social networks and corporate accounts. They can be used to steal any type of data, such as data from Gosuslugi or banking applications. Sensitive information can also be taken from a photo gallery or correspondence to blackmail the victim: the malware can take screenshots and track the messages a user receives.
Criminals create fake resources that mimic DeepSeek. For example, one of them imitates the neural network's authorization page, said Olga Svistunova, senior content analyst at Kaspersky Lab. According to her, attackers use such stealers to steal user account credentials. The attackers can then use this information to access user accounts in DeepSeek or other services.
Often, scammers disguise stealers as trending apps, but with errors in the name. For example, they offer a download of DeepSeak, DepSek or DeepSee instead of DeepSeek, IT expert Sergey Pomortsev added. According to him, the rise in popularity of these viruses is linked to the development of malware platforms on the darknet, known collectively as "virus-as-a-service."
Attackers continue to actively use stealers, which can be rented on shady resources or built with generators that are freely available. Attackers do not always even need to use a stealer themselves: data obtained with stealers can be bought on the black market, said Oleg Skulkin, head of BI.ZONE Threat Intelligence.
In general, the number of cyberattacks using stealers in 2024 increased by 54% compared to 2023, the press service of Informzaschita reported. At the same time, in 2022 there were 240 thousand of them, and by 2024 the figure rose to 750 thousand attacks on users' devices.
According to the press service of Mintsifry, Gosuslugi uses multi-level protection. An account can be accessed only if the user has personally disclosed the login details. Therefore, fraudsters use social engineering, phishing and malicious applications to gain access to personal accounts on Gosuslugi as well as banking applications, mobile operators and other useful resources.
"Be vigilant, critically evaluate the links you follow and do not install applications from dubious sources. Be attentive to your data and never share your login, password and information about the second factor of account protection with anyone," the ministry recommended.
How to avoid viruses on the Internet
There are many cases in which stealers have been used to steal people's confidential information, Informzaschita noted.
"We are aware of a case when company employees received a phishing mailing on behalf of a partner logistics company with some documents in attachments. While downloading them, one of the employees installed a stealer on his device. Using the malware, the hackers stole his identification data and also tracked a one-time code from an SMS for two-factor authentication. Having got into the company's information infrastructure, the attackers stole a part of sensitive data, for which they demanded a ransom of several hundred thousand rubles," the company's press service added.
Thanks to state support, information on topics such as "how not to become a victim of fraudsters" is actively gaining popularity. The popularization of cyber literacy is especially noticeable in the regions of the Russian Federation, where it is promoted by videos and banners in public places. For example, videos about phishing are shown throughout the airport in Khanty-Mansiysk, said Igor Biryukov, head of the Skolkovo Cyber Hub.
According to the expert, the fight against this type of threat will not end in 2025, and Russians need to learn to be careful in the digital space.
"Everything that we transfer to public services can become available to an unlimited number of people. In our company, it has long been forbidden to transmit specific data on projects, solutions, and customers to public neural networks. And if there is a need to ask a neural network about something, we always do it in depersonalized form, initially keeping in mind that the data may leak," said Askar Dobryakov, a leading expert of business application protection at K2 Cyber Security.
According to the expert, the recent DeepSeek leak brought the company huge reputational losses and gave competitors the opportunity to accuse the Chinese corporation of neglecting information security, including the emergence of numerous services that mimic the neural network from China.
Companies need to follow three key rules: first, set up corporate email protection; second, provide anti-virus protection for all devices used by employees, including Linux systems; and third, regularly train employees, tell them about ways to combat fraud and conduct special phishing tests, said Denis Polyansky, Director of Customer Security at Selectel.
Users are advised not to follow unknown links and to carefully check the domain name of a resource, closing the page if the name differs from the original or simply seems suspicious. They should also regularly update browsers to the latest versions, install security updates and enable two-factor authentication for all accounts where it is possible.
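The misspelled names mentioned earlier (DeepSeak, DepSek, DeepSee) and the advice to check the domain name can be turned into an automated check. The following is an added example, not code from the article or from any vendor it cites; the `OFFICIAL` allow-list, the distance limits and the sample hostnames are assumptions constructed for illustration.

```python
import re

BRANDS = ("deepseek", "chatgpt", "gemini")   # services named in the article
OFFICIAL = {"deepseek.com"}   # assumption: allow-list you maintain and verify yourself
MAX_DISTANCE = 2              # assumption: upper bound on edits still treated as a lookalike


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute or match
        prev = cur
    return prev[-1]


def classify(name):
    """Classify an app name or hostname as (verdict, brand)."""
    host = name.lower().strip(".")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return ("official", None)
    exact = None
    for token in filter(None, re.split(r"[^a-z0-9]+", host)):
        for brand in BRANDS:
            # Shorter brands get a tighter limit so ordinary short words do not match.
            limit = min(MAX_DISTANCE, len(brand) // 4)
            d = edit_distance(token, brand)
            if d == 0:
                exact = brand            # correct spelling, but not on an allow-listed host
            elif d <= limit:
                return ("lookalike", brand)
    return ("exact-name-unverified", exact) if exact else ("unrelated", None)


if __name__ == "__main__":
    # The three misspellings are from the article; the hostnames are constructed.
    for sample in ("DeepSeak", "DepSek", "DeepSee", "chat.deepseek.com",
                   "deepseek-login.example", "mini.example"):
        print(f"{sample:24} {classify(sample)}")
```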
Translated by Yandex Translate