Attackers have built a fake installer for DeepSeek’s AI model, DeepSeek-R1, with a previously unseen piece of malware, dubbed BrowserVenom, bundled inside it.
Once run, the malware hijacks web traffic on the victim’s device and routes it through a server the attackers control. Sitting in the middle of every connection, they can snoop on browsing activity and capture whatever passes through in plain text: login credentials, cookies, financial information, emails, and documents.
Kaspersky, which documented the campaign, has so far seen BrowserVenom infections in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt, and found that the malware is spread through fake websites that mimic the real DeepSeek homepage.
The lure site is deepseek-platform.com. Visitors see a download button; clicking it brings up a CAPTCHA screen, and behind that the page runs JavaScript to decide whether the visitor is a real person or an automated scanner. Only visitors who pass that gate are served the download, a file carrying the malware, which helps keep the payload out of the hands of crawlers and sandboxes.
The attackers also bought Google ads to promote the fake site, so it appeared at the top of search results for “deepseek r1”.
Google has since removed the ads and blocked the accounts behind them.
How it works
The fake site looks legitimate, but its only job is to deliver the malware that does the stealing. The chain, step by step:
- The download page shows a CAPTCHA so it looks like a normal, protected download.
- JavaScript on the page checks whether the visitor is a bot or a real person.
- Only visitors who pass the check are given the installer carrying BrowserVenom.
- Once the installer is run, BrowserVenom reroutes the browser’s traffic through the attackers’ server, where it can be read.
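The last step is the one a defender can check for: traffic only ends up at the attackers’ server because something on the machine tells the browser to send it there, and that setting persists. The script below is an added example (not code from Kaspersky, The Register, or the malware itself) of a host check for the usual places such a redirection is configured. The page does not say how BrowserVenom persists its hijack, so the indicators are assumptions: a manual proxy in Firefox’s `network.proxy.*` prefs, a `--proxy-server` flag on a Chromium command line (a modified shortcut or a running process), and the Windows per-user `ProxyEnable`/`ProxyServer` registry values. The `TRUSTED_PROXIES` allowlist and the `203.0.113.10` address in the sample profile are placeholders.

```python
"""Check a host for the browser-level proxy redirection that BrowserVenom-style
malware relies on to route a victim's web traffic through an attacker's server.

Added example, not code from Kaspersky, The Register or the malware itself.
The indicators checked here are assumptions about how such a hijack is usually
persisted, not details taken from the report.
"""
import glob
import os
import re
import sys
from dataclasses import dataclass

# Assumption: proxies your organisation legitimately pushes to endpoints.
TRUSTED_PROXIES = {"proxy.corp.example:3128"}


@dataclass
class Finding:
    source: str  # where the setting was found
    proxy: str   # host:port the browser is being sent through
    detail: str  # the raw setting, for the analyst


_FF_PREF = re.compile(r'user_pref\("network\.proxy\.([\w.]+)",\s*(.+?)\);')


def firefox_proxy_prefs(text):
    """Return {name: value} for every network.proxy.* pref in a user.js/prefs.js."""
    return {k: v.strip().strip('"') for k, v in _FF_PREF.findall(text)}


def check_firefox(text, source="user.js"):
    """Flag a manual proxy (network.proxy.type 1) pointing outside TRUSTED_PROXIES."""
    prefs = firefox_proxy_prefs(text)
    if prefs.get("type") != "1":  # 0 = direct, 4 = auto-detect, 5 = system
        return []
    findings = []
    for proto in ("http", "ssl", "socks"):
        host = prefs.get(proto)
        if host:
            proxy = f"{host}:{prefs.get(proto + '_port', '')}"
            if proxy not in TRUSTED_PROXIES:
                findings.append(Finding(source, proxy, f"network.proxy.{proto}"))
    return findings


_CHROMIUM_FLAG = re.compile(r'--proxy-server=(?:"([^"]*)"|(\S+))')


def check_chromium_cmdline(cmdline, source="shortcut"):
    """Flag --proxy-server (and disabled TLS checks) on a Chromium command line,
    e.g. the arguments of a modified desktop shortcut or a running process."""
    findings = []
    for quoted, bare in _CHROMIUM_FLAG.findall(cmdline):
        proxy = re.sub(r"^\w+://", "", quoted or bare)  # drop http:// or socks5://
        if proxy not in TRUSTED_PROXIES:
            findings.append(Finding(source, proxy, "--proxy-server"))
    if "--ignore-certificate-errors" in cmdline:
        findings.append(Finding(source, "", "--ignore-certificate-errors"))
    return findings


def check_windows_proxy(proxy_enable, proxy_server, source="HKCU Internet Settings"):
    """Flag ProxyEnable=1 with a ProxyServer outside TRUSTED_PROXIES. The value is
    either "host:port" or "http=host:port;https=host:port"."""
    if proxy_enable != 1 or not proxy_server:
        return []
    entries = [e.split("=", 1)[-1] for e in proxy_server.split(";") if e]
    return [Finding(source, p, "ProxyServer") for p in entries if p not in TRUSTED_PROXIES]


def scan_host():
    """Run the checks against this machine: Firefox profiles and, on Windows,
    the per-user proxy registry key. Returns the list of findings."""
    findings = []
    for base in (r"~/.mozilla/firefox/*", r"%APPDATA%\Mozilla\Firefox\Profiles\*"):
        for name in ("user.js", "prefs.js"):
            pattern = os.path.expandvars(os.path.expanduser(os.path.join(base, name)))
            for path in glob.glob(pattern):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += check_firefox(fh.read(), path)
    if sys.platform == "win32":
        import winreg
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                             r"Software\Microsoft\Windows\CurrentVersion\Internet Settings")
        try:
            enable = winreg.QueryValueEx(key, "ProxyEnable")[0]
            server = winreg.QueryValueEx(key, "ProxyServer")[0]
            findings += check_windows_proxy(enable, server)
        except FileNotFoundError:
            pass
    return findings


# Constructed sample of a hijacked Firefox profile (203.0.113.0/24 is a
# documentation range, not a real attacker address).
SAMPLE_USER_JS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.10");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "203.0.113.10");
user_pref("network.proxy.ssl_port", 8080);
"""

if __name__ == "__main__":
    hits = check_firefox(SAMPLE_USER_JS, "sample user.js") + scan_host()
    for f in hits:
        print(f"[!] {f.source}: browser traffic sent via {f.proxy or '-'} ({f.detail})")
    if not hits:
        print("no proxy redirection found")
```

Run it as the affected user: the sample profile always produces two hits (http and ssl on the same 203.0.113.10:8080), and anything found in real Firefox profiles or the Windows proxy key is listed after it. A proxy you did not push yourself, or a Chromium shortcut whose arguments carry `--proxy-server` or `--ignore-certificate-errors`, is the kind of finding that warrants pulling the machine for a closer look; a browser extension or a proxy auto-config URL can redirect traffic without touching any of these settings, so a clean result is not proof of a clean host.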
Source
This summary is based on The Register’s reporting of Kaspersky’s findings.