FlagThis - #deepseek

A new cyber threat has emerged, targeting users eager to experiment with the DeepSeek AI model. Cybercriminals are exploiting the popularity of open-source AI by disguising malware as a legitimate installer for DeepSeek-R1. Unsuspecting victims are unknowingly downloading "BrowserVenom" malware, a malicious program designed to steal stored credentials, session cookies, and gain access to cryptocurrency wallets. This sophisticated attack highlights the growing trend of cybercriminals leveraging interest in AI to distribute malware.

This attack vector involves malicious Google ads that redirect users to a fake DeepSeek domain when they search for "deepseek r1." The fraudulent website, designed to mimic the official DeepSeek page, prompts users to download a file named "AI_Launcher_1.21.exe." Once executed, the installer displays a fake installation screen while silently installing BrowserVenom in the background. Security experts at Kaspersky have traced the threat and identified that the malware reconfigures browsers to route traffic through a proxy server controlled by the hackers, enabling them to intercept sensitive data.

Kaspersky's investigation revealed that the BrowserVenom malware can evade many antivirus programs and has already infected computers in various countries, including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The analysis of the phishing and distribution websites revealed Russian-language comments within the source code, suggesting the involvement of Russian-speaking threat actors. This incident serves as a reminder to verify the legitimacy of websites and software before downloading, especially when dealing with open-source AI tools that require multiple installation steps.


References :

• gbhackers.com: Threat Actors Exploit DeepSeek-R1 Popularity to Target Windows Device Users
• PCMag Middle East ai: 'BrowserVenom' Windows Malware Preys on Users Looking to Run DeepSeek AI
• bsky.app: Cybercriminals are exploiting the growing interest in open source AI models by disguising malware as a legit installer for DeepSeek Victims are unwittingly downloading the "BrowserVenom" malware designed to steal stored credentials, session cookies, etc and gain access to cryptocurrency wallets
• The Register - Software: DeepSeek installer or just malware in disguise? Click around and find out
• Malware ? Graham Cluley: Malware attack disguises itself as DeepSeek installer
• Graham Cluley: Cybercriminals are exploiting the growing interest in open source AI models by disguising malware as a legitimate installer for DeepSeek.
• Securelist: Toxic trend: Another malware threat targets DeepSeek
• www.pcmag.com: Antivirus provider Kaspersky traces the threat to malicious Google ads.
• www.techradar.com: Fake DeepSeek website found serving dangerous malware instead of the popular app.
• www.microsoft.com: Rewriting SymCrypt in Rust to modernize Microsoft’s cryptographic library
• ASEC: Warning Against Distribution of Malware Disguised as Research Papers (Kimsuky Group)
• cyble.com: Over 20 Crypto Phishing Applications Found on the Play Store Stealing Mnemonic Phrases

Classification:

• HashTags: #Malware #DeepSeek #BrowserVenom
• Company: DeepSeek
• Target: Windows Users
• Attacker: Kaspersky
• Product: DeepSeek
• Feature: Open Source AI
• Malware: BrowserVenom
• Type: Malware
• Severity: Major