- Kaspersky finds fake DeepSeek app being promoted through Google Ads
- The app bundles legitimate software with malware
- The malware relays sensitive data to attacker-controlled servers
Cybersecurity researchers from Kaspersky have spotted a new malware distribution campaign abusing DeepSeek as a lure.
In a report, the experts say unidentified hackers created a spoofed version of the DeepSeek-R1 website, on which they hosted Ollama or LM Studio, tools which enable users to run large language models (LLM) locally on the computer, without needing an internet connection.
However the tools were bundled with a piece of malware called BrowserVenom, which configures web browsers to channel all traffic through the attackers’ server. As a result, any sensitive data, such as credentials, move through malicious servers first, where they can easily be picked up.
BrowserVenom
The site was being advertised through Google Ads, and when victims clicked on the download button, the site first checks which operating system they are using, and if they’re on Windows – serves the malware.
Other OS users were not targeted – but Windows users had to pass a CAPTCHA, after which they get served the malware.
Kaspersky says that BrowserVenom bypasses Windows Defender’s protection “with a special algorithm”, but did not elaborate further. It did stress that the infection process requires admin privileges for the Windows user profile, and otherwise won’t even run.
Most victims were located in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt, Kaspersky added, but did not say how many people were affected.
“While running large language models offline offers privacy benefits and reduces reliance on cloud services, it can also come with substantial risks if proper precautions aren’t taken, commented Kaspersky’s Security Researcher, Lisandro Ubiedo.
“Cybercriminals are increasingly exploiting the popularity of open-source AI tools by distributing malicious packages and fake installers that can covertly install keyloggers, cryptominers, or infostealers. These fake tools compromise a user’s sensitive data and pose a threat, particularly when users have downloaded them from unverified sources.”
Leave a comment