- Kaspersky finds a fake DeepSeek app promoted via Google Ads
- The site bundles legitimate software with malware
- The malware relays sensitive data to attacker-controlled servers
Kaspersky cybersecurity researchers have spotted a new campaign distributing malware that uses DeepSeek as a lure.
In a report, the researchers say unidentified attackers built a spoofed version of the DeepSeek-R1 website, on which they hosted Ollama or LM Studio, tools that let users run large language models (LLMs) locally on their own computer, with no need for an internet connection once the model is downloaded.
However, the tools were bundled with malware called BrowserVenom, which configures web browsers to route all traffic through an attacker-controlled server. As a result, sensitive data, such as login credentials, passes through the malicious servers first, where it can easily be collected.
BrowserVenom
The site was advertised through Google Ads. When a victim clicked the download button, the site first checked which operating system they were running and served the malware only if it was Windows.
Users of other operating systems were not targeted, but Windows users had to complete a CAPTCHA before the malware was served.
Kaspersky says BrowserVenom bypasses Windows Defender "with a special algorithm", but did not elaborate. It stressed that the infection process requires administrator privileges on the Windows user profile and otherwise will not run at all.
Most of the victims were located in Brazil, Cuba, Mexico, India, Nepal, South Africa and Egypt, Kaspersky added, but it did not say how many people were affected.
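As an added example, not code from Kaspersky's report or from the malware itself, the PowerShell audit below checks a Windows user profile for the kind of browser-level proxy redirection described above. It reads the standard per-user WinINET proxy settings, inspects browser shortcuts for injected --proxy-server or --proxy-pac-url arguments, and lists recently issued root certificates in the user's certificate store, since a proxy can only read HTTPS content if a certificate it controls is trusted. Which of these mechanisms BrowserVenom actually uses is not stated on this page; the shortcut folders, command-line flags and the 90-day certificate heuristic are assumptions made for this example.

```powershell
# Added example (not from Kaspersky's report or the campaign itself): audit the
# current Windows user profile for browser proxy redirection of the kind
# described above. The registry key is the standard per-user WinINET location;
# the shortcut folders, flags and 90-day certificate window are assumptions.
function Find-BrowserProxyRedirect {
    $findings = @()

    # 1. Per-user WinINET proxy, honoured by Edge, Chrome, Internet Explorer
    #    and most Windows applications.
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    if ($inet -and $inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
        $findings += "WinINET proxy enabled: $($inet.ProxyServer)"
    }
    if ($inet -and $inet.AutoConfigURL) {
        $findings += "WinINET PAC script configured: $($inet.AutoConfigURL)"
    }

    # 2. Chromium-based browsers honour --proxy-server and --proxy-pac-url on
    #    their command line, so a shortcut edited to pass them redirects
    #    traffic even when the system proxy settings look clean.
    $shortcutDirs = @(
        "$env:USERPROFILE\Desktop",
        "$env:PUBLIC\Desktop",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $shortcutDirs) {
        if (-not (Test-Path -Path $dir)) { continue }
        foreach ($lnkFile in Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
            $lnk = $shell.CreateShortcut($lnkFile.FullName)
            if ($lnk.Arguments -match '--proxy-server=|--proxy-pac-url=|--ignore-certificate-errors') {
                $findings += "Shortcut $($lnkFile.FullName) launches '$($lnk.TargetPath)' with arguments: $($lnk.Arguments)"
            }
        }
    }

    # 3. A proxy alone cannot read HTTPS content; interception needs a trusted
    #    root certificate. Heuristic (assumption): flag every root in the
    #    per-user store issued within the last 90 days for analyst review.
    $cutoff = (Get-Date).AddDays(-90)
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\Root) {
        if ($cert.NotBefore -gt $cutoff) {
            $findings += "Recently issued root CA in CurrentUser store: $($cert.Subject) ($($cert.Thumbprint))"
        }
    }

    return $findings
}

# Usage: run in the affected user's session; an empty result means none of the
# checked redirect mechanisms is present, not that the profile is clean.
$results = @(Find-BrowserProxyRedirect)
if ($results.Count -eq 0) {
    'No proxy redirection or recently installed user root CA found.'
} else {
    $results | ForEach-Object { "FINDING: $_" }
}
```

The script only reads settings and never changes them, so it is safe to run during triage. Because the page says the infection needs administrator rights, a machine-wide redirect (HKLM proxy policy, the LocalMachine\Root store, or shortcuts under Program Files) is also possible and would require extending the same checks to those locations.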
"Although running large language models locally offers privacy advantages and reduces dependence on cloud services, it can also carry substantial risks if the appropriate precautions are not taken," said Kaspersky security researcher Lisandro Ubiedo.
"Cybercriminals are increasingly exploiting the popularity of open-source tools by distributing malicious packages and fake installers that can secretly install keyloggers, cryptominers or infostealers. These fake tools compromise a user's sensitive data and pose a threat, especially when users have downloaded them from unverified sources."