DeepSeek’s Popularity Exploited for Online Attacks: How BrowserVenom Malware Targets Users

Web Editor

June 22, 2025


Introduction to DeepSeek-R1 and the Threat

DeepSeek-R1, one of the most renowned language models currently available, has not only drawn attention from AI developers and enthusiasts but also from malicious actors who have used it as a hook for increasingly sophisticated cyberattacks, according to a Kaspersky report.

The Phishing and Malicious Advertising Campaign

This threat aims to deceive users of all experience levels through phishing pages and malicious advertising campaigns, infecting them with a known implant called “BrowserVenom.”

The attackers disguise the malware as a legitimate installer for DeepSeek-R1, directing victims to a fake website at https://www.eleconomista.com.mx/deepseek-platform, promoted through search engine ads for “DeepSeek R1.”

Upon entering the site, users receive an installer named AI_Launcher_1.21.exe that, when executed, displays CAPTCHA-like screens to create a false sense of legitimacy.

The User Trap

After clicking the supposed “Test Now” button and completing the CAPTCHA, victims are directed to a second screen offering to install tools like Ollama or LM Studio. However, alongside these legitimate installers, the malicious component runs in the background, altering system configurations to ensure persistence and gain elevated privileges.

Exclusions in Windows Defender and Additional Malware Download

One of the malware’s first steps is to try to exclude the user’s folder from Windows Defender protection, running PowerShell commands that it unpacks at runtime with an AES-256-CBC decryption routine. The exclusion only takes effect if the victim has administrator privileges; its purpose is to keep later stages from being detected.

Subsequently, it downloads an additional executable from a dynamically generated domain to establish a backdoor for future attacks.

BrowserVenom Implantation

“BrowserVenom” is the final component of this threat, which modifies the configuration of all installed browsers to force them to use a proxy controlled by the attackers. This allows them to intercept, monitor, and alter the victim’s internet traffic, exposing critical data while browsing online.

To make the interception work without browser warnings, the malware installs a certificate into Windows’ Trusted Root Certification Authorities store. It then modifies the shortcuts of Chromium-based browsers and edits the settings of Gecko-based browsers so that all requests pass through the malicious proxy.
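The four host-level changes described above (the Defender exclusion, the proxy argument on Chromium shortcuts, the Gecko proxy preferences, and the added root certificate) are all visible from PowerShell. The following triage script is an added example written for this article, not code from Kaspersky or from the malware; it uses only built-in cmdlets, and the paths, the 30-day certificate window and the search locations are assumptions rather than indicators from the report.

```powershell
# Added defender-side triage script (not from the Kaspersky report or the article).
# Assumptions: search locations and the 30-day certificate window are illustrative
# choices, not indicators from the report. Run from an elevated prompt.

function Get-DefenderExclusionFindings {
    # An exclusion covering a user profile folder matches the behaviour described above.
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -like "$env:SystemDrive\Users\*") {
            [pscustomobject]@{ Type = 'DefenderExclusion'; Detail = $p }
        }
    }
}

function Get-ShortcutProxyFindings {
    # Chromium-based browsers honour a --proxy-server command-line switch, so a
    # modified .lnk file is enough to route the browser through a proxy.
    $shell = New-Object -ComObject WScript.Shell
    $dirs = @("$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
              "$env:APPDATA\Microsoft\Windows\Start Menu",
              "$env:ProgramData\Microsoft\Windows\Start Menu")
    Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.Arguments -match '--proxy-server') {
            [pscustomobject]@{ Type = 'ShortcutProxy'; Detail = "$($_.FullName) => $($lnk.Arguments)" }
        }
    }
}

function Get-GeckoProxyFindings {
    # Gecko-based browsers keep proxy settings in prefs.js / user.js inside each profile.
    $roots = @("$env:APPDATA\Mozilla\Firefox\Profiles", "$env:APPDATA\Thunderbird\Profiles")
    Get-ChildItem -Path $roots -Include prefs.js, user.js -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'network\.proxy\.(type|http|ssl|socks)' |
        ForEach-Object { [pscustomobject]@{ Type = 'GeckoProxyPref'; Detail = "$($_.Filename): $($_.Line.Trim())" } }
}

function Get-RecentRootCertFindings {
    # Heuristic: a CA certificate minted for the attack usually has a recent NotBefore date.
    # Review the hits manually; legitimate enterprise CAs can also be young.
    $cutoff = (Get-Date).AddDays(-30)
    Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.NotBefore -gt $cutoff } |
        ForEach-Object { [pscustomobject]@{ Type = 'RecentRootCert'; Detail = "$($_.Subject) ($($_.Thumbprint))" } }
}

$findings = @(Get-DefenderExclusionFindings) + @(Get-ShortcutProxyFindings) +
            @(Get-GeckoProxyFindings) + @(Get-RecentRootCertFindings)
if ($findings.Count -eq 0) { Write-Host 'No BrowserVenom-style indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Each hit is a lead to examine, not a verdict: compare shortcut arguments and root certificates against a known-good machine before removing anything.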

A Global Threat on the Rise

Research into this threat has revealed infections in various countries, including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. This confirms that it is a global operation that continues to gain victims through phishing and malicious advertising.

Recommendations for Users

  • Verify that visited pages are official.
  • Carefully examine the website’s address and certificate before downloading anything.
  • Avoid clicking on unverified search results to prevent such attacks.

As AI and its related tools gain prominence, caution and digital security culture become the primary allies in safeguarding users’ personal and professional information.