Watch out - that DeepSeek installer could be damaging malware
Fake DeepSeek website is looking to trick victims

- Kaspersky finds fake DeepSeek app being promoted through Google Ads
- The app bundles legitimate software with malware
- The malware relays sensitive data to attacker-controlled servers
Cybersecurity researchers from Kaspersky have spotted a new malware distribution campaign abusing DeepSeek as a lure.
In a report, the researchers say unidentified attackers built a spoofed copy of the DeepSeek-R1 website offering downloads of Ollama or LM Studio, two tools that let users run large language models (LLMs) locally on their own machine rather than through a cloud service.
However, the installers were bundled with a piece of malware Kaspersky calls BrowserVenom, which reconfigures the victim's web browsers to route all their traffic through a proxy under the attackers' control. Anything the browser sends, credentials included, therefore passes through attacker-controlled servers first, where it can be captured. One caveat worth keeping in mind: a proxy on its own only exposes unencrypted traffic, and reading HTTPS sessions additionally requires the browser to trust a certificate the attacker controls; the report as summarised here does not say how BrowserVenom deals with that.
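The practical check a defender wants after reading the paragraph above is "has one of my browsers quietly been pointed at a proxy I did not configure?". The script below is an added example written for this page; it is not Kaspersky's code and does not reproduce BrowserVenom's actual mechanism, which the article does not describe. It assumes two generic ways a browser proxy can be forced (Firefox `network.proxy.*` preferences in `user.js`/`prefs.js`, and the Chromium-family `--proxy-server` / `--proxy-pac-url` command-line flags that a tampered shortcut could carry), an `EXPECTED_PROXIES` allowlist that is a placeholder for your own environment, and constructed sample inputs using a documentation-range IP address.

```python
"""Flag browser proxy settings that point at an unexpected upstream.

Added example for this article, not Kaspersky's or the campaign's code.
Assumed vectors: Firefox network.proxy.* prefs and Chromium proxy flags.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Union

# Proxies this environment legitimately uses (hypothetical allowlist).
EXPECTED_PROXIES: Set[str] = {"proxy.corp.example:8080"}

# Firefox pref line, e.g. user_pref("network.proxy.http", "198.51.100.23");
_PREF_RE = re.compile(
    r'user_pref\("(network\.proxy\.[\w.]+)",\s*(".*?"|\d+|true|false)\);'
)
# Chromium-family flags that override the system proxy configuration.
_CHROME_FLAG_RE = re.compile(r'--proxy-(server|pac-url)=(?:"([^"]+)"|(\S+))')


@dataclass
class Finding:
    source: str   # where the setting was found
    proxy: str    # host:port or PAC URL
    reason: str   # why it is suspicious


def parse_firefox_prefs(text: str) -> Dict[str, Union[str, int, bool]]:
    """Return every network.proxy.* pref as a typed Python value."""
    prefs: Dict[str, Union[str, int, bool]] = {}
    for key, raw in _PREF_RE.findall(text):
        if raw.startswith('"'):
            prefs[key] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            prefs[key] = int(raw)
    return prefs


def check_firefox(text: str, source: str = "firefox prefs") -> List[Finding]:
    """Report manual proxies not in the allowlist, and any PAC URL."""
    prefs = parse_firefox_prefs(text)
    findings: List[Finding] = []
    proxy_type = prefs.get("network.proxy.type")
    if proxy_type == 1:  # 1 = manual proxy configuration
        for scheme in ("http", "ssl", "socks"):
            host = prefs.get(f"network.proxy.{scheme}")
            port = prefs.get(f"network.proxy.{scheme}_port")
            if host:
                proxy = f"{host}:{port}" if port else str(host)
                if proxy not in EXPECTED_PROXIES:
                    findings.append(Finding(source, proxy,
                                            f"manual {scheme} proxy not in allowlist"))
    elif proxy_type == 2:  # 2 = automatic proxy configuration (PAC)
        url = str(prefs.get("network.proxy.autoconfig_url", ""))
        findings.append(Finding(source, url, "PAC URL configured"))
    return findings


def check_chromium_cmdline(cmdline: str, source: str = "chromium shortcut") -> List[Finding]:
    """Report --proxy-server targets not in the allowlist, and any PAC flag."""
    findings: List[Finding] = []
    for kind, quoted, bare in _CHROME_FLAG_RE.findall(cmdline):
        value = quoted or bare
        if kind == "server":
            host = re.sub(r"^\w+://", "", value)  # drop http:// or socks5://
            if host not in EXPECTED_PROXIES:
                findings.append(Finding(source, host, "--proxy-server flag not in allowlist"))
        else:
            findings.append(Finding(source, value, "--proxy-pac-url flag present"))
    return findings


# Constructed sample inputs (198.51.100.0/24 is a documentation range).
SAMPLE_FIREFOX_PREFS = """
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "198.51.100.23");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.ssl", "198.51.100.23");
user_pref("network.proxy.ssl_port", 3128);
"""
SAMPLE_CHROME_SHORTCUT = (
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'--proxy-server="198.51.100.23:3128"'
)


def run_demo() -> List[Finding]:
    """Run both checks over the constructed samples and return all findings."""
    return check_firefox(SAMPLE_FIREFOX_PREFS) + check_chromium_cmdline(SAMPLE_CHROME_SHORTCUT)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.source}] {f.proxy}: {f.reason}")
```

On a real host you would feed `check_firefox` the contents of each profile's `user.js` and `prefs.js`, and `check_chromium_cmdline` the target string of every browser shortcut and the command line of every running browser process; an unexpected proxy host from either is worth treating as a compromise indicator rather than a misconfiguration until proven otherwise.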
BrowserVenom
The site was advertised through Google Ads. When a visitor clicked the download button, the page first checked which operating system they were running: users of other operating systems were not served the malware, while Windows users were shown a CAPTCHA and, once they had passed it, received the malicious installer.
Kaspersky says that BrowserVenom bypasses Windows Defender's protection "with a special algorithm", but did not elaborate further. It did stress that the infection process requires administrator privileges on the Windows user account and otherwise will not run at all.
Most victims were located in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt, Kaspersky added, but did not say how many people were affected.
“While running large language models offline offers privacy benefits and reduces reliance on cloud services, it can also come with substantial risks if proper precautions aren’t taken,” commented Kaspersky’s Security Researcher, Lisandro Ubiedo.
“Cybercriminals are increasingly exploiting the popularity of open-source AI tools by distributing malicious packages and fake installers that can covertly install keyloggers, cryptominers, or infostealers. These fake tools compromise a user’s sensitive data and pose a threat, particularly when users have downloaded them from unverified sources.”
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.