A newly discovered malware campaign is actively targeting users of DeepSeek-R1, one of the most popular large language models in the AI community.
Security researchers have revealed that attackers are exploiting the increasing demand for advanced AI tools by using deceptive online advertisements and phishing websites.
The attackers have placed malicious ads at the top of search engine results for keywords like “deepseek r1,” which redirect users to a counterfeit DeepSeek homepage.
This fake website, designed to closely resemble the official DeepSeek platform, tricks users into believing they are accessing legitimate resources.
Once on the fraudulent site, users encounter a “Try now” button tailored to their operating system, which initiates a series of background checks to filter out automated bots.
After passing a CAPTCHA challenge, victims are redirected to download a seemingly legitimate installer named AI_Launcher_1.21.exe.
The technical analysis of the website’s source code reveals the presence of Russian-language comments, suggesting that the campaign may be orchestrated by Russian-speaking threat actors.
The attackers’ strategy is particularly effective because it leverages the trust users place in search engine results and the visual familiarity of the DeepSeek brand.

The use of malvertising, or malicious advertising, allows the attackers to reach a broad audience, including both individuals and organizations seeking to enhance their AI capabilities.
This campaign highlights the growing trend of cybercriminals targeting the AI sector, recognizing that users of advanced technologies may be less suspicious of sophisticated phishing tactics.
Technical Breakdown And Global Impact
Once the malicious installer is executed, it displays a fake Cloudflare CAPTCHA and offers to install legitimate AI tools such as Ollama and LM Studio, giving the victim a plausible reason for the download.
In the background, however, the installer runs a function that starts a multi-stage infection chain.
According to the report, the first stage tries to add the user's profile folder to the Windows Defender exclusion list, using a PowerShell command that is decrypted at runtime from an encrypted buffer.
This step is meant to keep the later payloads out of reach of antivirus scanning; because changing Defender exclusions requires administrator privileges, it only succeeds if the installer was run elevated.
If successful, the malware proceeds to the next stage, which involves downloading a secondary executable from a dynamically generated domain.
This file is saved in the user’s Music folder and executed, enabling the attackers to deliver additional malicious payloads as needed.
The final stage of the infection involves deploying an advanced implant known as BrowserVenom directly into the system’s memory.
This implant is engineered to hijack all browser traffic by installing a rogue certificate and reconfiguring browsers to route internet connections through a malicious proxy server.
For Chromium-based browsers, the malware modifies the browser shortcut files and appends a --proxy-server command-line argument, so the proxy is applied every time the browser is launched from those shortcuts; for Firefox-based browsers, including Tor Browser, it alters the user profile's preferences instead.
Additionally, the implant appends a unique identifier to the browser's User-Agent string, which lets the attackers tie intercepted traffic back to an individual victim.
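The artifacts described above (a Defender exclusion on the user profile, a second-stage binary dropped in the Music folder, shortcuts carrying --proxy-server, proxy preferences written into Firefox profiles, and a rogue root certificate) are all things a responder can check for on a suspect Windows host. The following PowerShell triage script is an added example written for this article; it is not code from the report or from the malware. It assumes the standard Firefox profile locations under %APPDATA%, reads the per-user root store from the HKCU SystemCertificates registry key (where a certificate installed into the current user's trust store ends up), and treats any network.proxy.* preference as worth a look, so a user who has legitimately configured a manual proxy will also be flagged.

```powershell
# Added triage example for the BrowserVenom artifacts described in the article.
# Not from the report; paths and heuristics are assumptions, run as the affected user.

# 1. Defender path exclusions that cover a user profile folder.
#    A workstation rarely needs one; the installer's first stage adds one.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($p in @($mp.ExclusionPath)) {
    if ($p -and ($p -like "$env:USERPROFILE*" -or $p -like 'C:\Users\*')) {
        Write-Warning "Defender exclusion covering a user profile: $p"
    }
}

# 2. Executables dropped in the user's Music folder (second-stage drop location).
$music = [Environment]::GetFolderPath('MyMusic')
Get-ChildItem -Path $music -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Executable in Music folder: $($_.FullName) ($($_.LastWriteTime))" }

# 3. Shortcuts whose arguments contain --proxy-server (Chromium hijack).
$shell = New-Object -ComObject WScript.Shell
$lnkRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # includes pinned taskbar items
)
Get-ChildItem -Path $lnkRoots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if ($lnk.Arguments -match '--proxy-server') {
        Write-Warning "Proxied shortcut: $($_.FullName) -> $($lnk.TargetPath) $($lnk.Arguments)"
    }
}

# 4. Firefox-family profiles with proxy preferences set in prefs.js or user.js.
#    user.js overrides prefs.js on startup, so a persistent hijack may live there.
#    Tor Browser keeps its profile inside its own install folder; add that path if present.
$profileRoots = @("$env:APPDATA\Mozilla\Firefox\Profiles")
Get-ChildItem -Path $profileRoots -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($name in 'prefs.js', 'user.js') {
        $file = Join-Path $_.FullName $name
        if (Test-Path $file) {
            Select-String -Path $file -Pattern 'network\.proxy\.(type|http|ssl|socks|autoconfig_url)' |
                ForEach-Object { Write-Warning "$file : $($_.Line.Trim())" }
        }
    }
}

# 5. Root CAs installed into the current user's store (not the machine store).
#    Windows keeps these under HKCU, so this key lists only user-added roots,
#    which is exactly where a TLS-intercepting proxy's certificate would land.
$userRootKey = 'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates'
if (Test-Path $userRootKey) {
    Get-ChildItem $userRootKey | ForEach-Object {
        $thumb = $_.PSChildName
        $cert  = Get-Item "Cert:\CurrentUser\Root\$thumb" -ErrorAction SilentlyContinue
        Write-Warning ("User-store root CA {0}: {1} (valid from {2})" -f $thumb, $cert.Subject, $cert.NotBefore)
    }
}
```

Each finding is only an indicator: remove the exclusion, strip the shortcut argument, delete the proxy preferences and the rogue certificate, and then treat the host as compromised rather than cleaned, since the report describes the implant running from memory and the loader fetching further payloads on demand.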