Threat Actors Exploit DeepSeek-R1 Popularity to Target Windows Device Users

A new, highly sophisticated cyberattack campaign is targeting users seeking to download the popular language model DeepSeek-R1, exploiting global interest in large language models (LLMs).

Kaspersky researchers have uncovered that threat actors are utilizing malvertising and phishing tactics to distribute previously unknown malware, named BrowserVenom, capable of hijacking victims’ web traffic and stealing sensitive information.

Security experts recently identified that malicious actors were leveraging Google Ads to promote a fake website, deepseek-platform[.]com, which closely mimics the legitimate DeepSeek homepage.

When unsuspecting users searched for “deepseek r1,” the fraudulent site appeared prominently in search results. Upon visiting, users were prompted through a series of convincingly designed screens, including a fake CAPTCHA check, to download an installer labeled “AI_Launcher_1.21.exe”.

Upon execution, the installer launched not only an installation window mimicking well-known LLM interfaces but also invoked a hidden malware installation process.

This process begins by attempting to exclude the user’s folder from Windows Defender’s scan range via an AES-encrypted PowerShell command, increasing the attacker’s chances of evading detection.
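The Defender-exclusion step is the point in this chain that is easiest to catch in logs, because whatever wrapper the installer uses, the command that finally runs must be a plain `Add-MpPreference`/`Set-MpPreference` call. The following detection script is an added example written for this article; it is not code from the article, from Kaspersky's report, or from the malware. It scans constructed sample command lines (not real captures) of the kind that PowerShell script block logging (Event ID 4104) or process-creation auditing would record, decodes the common `-EncodedCommand` base64/UTF-16LE obfuscation first, and flags exclusion additions and feature-disabling switches. The article does not describe the AES wrapper itself, so the example assumes the decrypted command reaches the logs in one of these two shapes.

```python
import base64
import re


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines as they might appear in script-block or
# process-creation logs; none of these are captures from an infected host.
SAMPLE_COMMAND_LINES = [
    "powershell.exe Get-ChildItem C:\\Users\\alice\\Documents",
    "powershell.exe Add-MpPreference -ExclusionPath 'C:\\Users\\alice'",
    "powershell.exe -NoProfile -EncodedCommand "
    + encode_for_powershell("Set-MpPreference -ExclusionPath 'C:\\Users\\alice'"),
    "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "powershell.exe Write-Host 'hello'",
]

# Rules run against the *decoded* script text. Both cmdlets are real Defender
# cmdlets; the rule names are our own labels for the findings.
TAMPER_RULES = {
    "defender_exclusion_added": re.compile(
        r"\b(?:Add|Set)-MpPreference\b[^|;]*-ExclusionPath\b", re.IGNORECASE),
    "defender_feature_disabled": re.compile(
        r"\bSet-MpPreference\b[^|;]*-Disable\w+\s+\$?true\b", re.IGNORECASE),
}

# -EncodedCommand and its accepted short forms, followed by the base64 payload.
ENCODED_ARG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command; leave the raw line for the rules


def find_defender_tampering(command_lines):
    """Return (index, rule_name, script_text) for every command line that trips a rule.

    Encoded commands are decoded first so the rules see the script that actually ran.
    """
    hits = []
    for i, cmd in enumerate(command_lines):
        decoded = decode_encoded_command(cmd)
        text = decoded if decoded is not None else cmd
        for name, rule in TAMPER_RULES.items():
            if rule.search(text):
                hits.append((i, name, text))
    return hits


if __name__ == "__main__":
    for index, rule_name, script in find_defender_tampering(SAMPLE_COMMAND_LINES):
        print(f"line {index}: {rule_name}: {script}")
```

Decoding before matching is the part that matters: a rule that only inspects the raw command line never sees the `-ExclusionPath` inside an encoded blob. On a real estate the input would be the 4104 script block text or the Sysmon/4688 command line, and a hit on a user profile path should be triaged like the article describes, as the opening move of a hidden installer.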

The installer then downloads secondary payloads using cleverly obfuscated scripts. The final stage loads the BrowserVenom implant directly into memory, avoiding traditional detection mechanisms.

BrowserVenom’s primary function is to force all browser traffic through a proxy server controlled by threat actors. This is accomplished by installing a rogue certificate (to intercept HTTPS connections) and programmatically modifying browser settings across Chrome, Edge, Firefox, and other Chromium- and Gecko-based browsers.

Additionally, the malware updates browser shortcuts and preferences, ensuring persistence even after system restarts.

Researchers noted that traces of Russian-language code found in both the phishing and distribution websites’ source code strongly suggest Russian-speaking development.

Investigations have revealed infections in diverse regions including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt, demonstrating the campaign’s global reach.

According to the report, the main proxy infrastructure is currently located at IP address 141.105.130[.]106, port 37121, which the malware configures as the new proxy for hijacking network traffic.
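With a proxy address and port published, the practical question for a defender is where on a Windows host a browser proxy override can live and how to sweep those places for it. The following hunting script is an added example written for this article, not code from the article, from Kaspersky's report, or from the malware. The article says only that BrowserVenom modifies browser settings and shortcuts; it does not say which mechanism it uses, so the three locations checked here (Firefox `network.proxy.*` preferences in `prefs.js`/`user.js`, a Chromium `--proxy-server=` argument on a shortcut, and the WinINET `ProxyEnable`/`ProxyServer` values under Internet Settings) are assumed checks that cover the common ways a browser is pointed at a proxy. All sample artefacts are constructed; the only value taken from the page is the IoC itself.

```python
import re

# IoC quoted from the report above, defanged in the article; re-fanged for matching.
IOC_PROXY_HOST = "141.105.130[.]106".replace("[.]", ".")
IOC_PROXY_PORT = 37121

# Constructed sample artefacts (not from an infected machine).
SAMPLE_FIREFOX_PREFS = '''
user_pref("browser.startup.homepage", "https://example.com");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "141.105.130.106");
user_pref("network.proxy.http_port", 37121);
user_pref("network.proxy.ssl", "141.105.130.106");
user_pref("network.proxy.ssl_port", 37121);
'''
SAMPLE_SHORTCUT_TARGETS = {  # shortcut name -> resolved target command line
    "Google Chrome.lnk": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"'
                         ' --proxy-server=141.105.130.106:37121',
    "Microsoft Edge.lnk": '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"',
}
SAMPLE_INTERNET_SETTINGS = {  # HKCU\...\Internet Settings values; a legitimate corporate proxy here
    "ProxyEnable": 1,
    "ProxyServer": "proxy.corp.example:8080",
}

PREF_LINE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')
SHORTCUT_PROXY = re.compile(r"--proxy-server=(?:\w+://)?([^:\s\";]+):(\d+)")


def parse_firefox_prefs(text):
    """Parse user_pref(...) lines into a dict; strings lose quotes, integers become int."""
    prefs = {}
    for key, raw in PREF_LINE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw.isdigit():
            prefs[key] = int(raw)
        else:
            prefs[key] = raw  # true/false or anything else, kept verbatim
    return prefs


def finding(source, host, port):
    """One proxy observation, tagged with whether it is the published IoC."""
    return {"source": source, "host": host, "port": int(port),
            "matches_ioc": host == IOC_PROXY_HOST and int(port) == IOC_PROXY_PORT}


def check_firefox(prefs):
    if prefs.get("network.proxy.type") != 1:  # 1 = manual proxy configuration
        return []
    out = []
    for scheme in ("http", "ssl", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if host and port:
            out.append(finding(f"firefox:{scheme}", host, port))
    return out


def check_shortcuts(targets):
    """Chromium browsers honour --proxy-server on the command line, so a tampered .lnk is enough."""
    out = []
    for name, cmdline in targets.items():
        m = SHORTCUT_PROXY.search(cmdline)
        if m:
            out.append(finding(f"shortcut:{name}", m.group(1), m.group(2)))
    return out


def check_internet_settings(values):
    """System proxy: Edge and Chrome follow it unless overridden."""
    if values.get("ProxyEnable") != 1 or not values.get("ProxyServer"):
        return []
    host, _, port = values["ProxyServer"].rpartition(":")
    return [finding("wininet", host, port)] if port.isdigit() else []


def hunt(prefs_text, shortcut_targets, internet_settings):
    """Every manual proxy found, in a fixed order, with the IoC match flagged per entry."""
    return (check_firefox(parse_firefox_prefs(prefs_text))
            + check_shortcuts(shortcut_targets)
            + check_internet_settings(internet_settings))


if __name__ == "__main__":
    for f in hunt(SAMPLE_FIREFOX_PREFS, SAMPLE_SHORTCUT_TARGETS, SAMPLE_INTERNET_SETTINGS):
        flag = "KNOWN IOC" if f["matches_ioc"] else "manual proxy, review"
        print(f'{f["source"]}: {f["host"]}:{f["port"]} ({flag})')
```

The script reports every manual proxy rather than only the published address, because the next campaign will use a different IP; the `matches_ioc` flag is what turns a review item into an incident. On a live host the same inputs come from the profile's `prefs.js`, the resolved targets of the Start Menu and Desktop shortcuts, and the Internet Settings registry key; the rogue root certificate the article mentions is a separate check of the `Cert:\CurrentUser\Root` and `Cert:\LocalMachine\Root` stores for an issuer nobody in the organisation recognises.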

Experts urge users to exercise caution when downloading software promoted through ads or unfamiliar links.

Always verify the authenticity of websites, their URLs, and SSL certificates before proceeding to download any software, especially highly popular tools like LLM chatbots.

This incident spotlights the growing trend of cybercriminals capitalizing on the AI boom. As AI and LLM tools grow in popularity, so does their attractiveness as bait for complex and global cyberattacks, making vigilance more crucial than ever for all users.
