Fraudsters distribute Trojan under the guise of DeepSeek

Kaspersky Lab experts have discovered a phishing site that disguises itself as an official DeepSeek resource and offers to download the DeepSeek-R1 model for Windows.

Kaspersky GReAT experts have discovered a phishing site masquerading as an official DeepSeek resource. It offers to download the DeepSeek-R1 model for PC, but instead users receive the BrowserVenom Trojan. This malware intercepts traffic, monitors network activity and installs a fake certificate to decrypt data. The attack affected users in Brazil, Mexico, India, Nepal, South Africa, Egypt and Cuba.

The attackers promote the fake site through search engine advertising. When a user searches for “deepseek r1,” they may be taken to a fake page that automatically checks the OS. If it is Windows, a “Try Now” button appears. Once clicked, the malicious AI_Launcher_1.21.exe file is downloaded. The victim is then prompted to install the legitimate Ollama or LM Studio tools to work with the model, but BrowserVenom is installed alongside them. The Trojan adds a malicious certificate to the certificate store and configures browsers to route their traffic through the attackers' proxy server, allowing the attackers to intercept and decrypt confidential data.
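The two effects described above, a freshly added trusted root certificate and a forced browser proxy, leave traces a defender can check for. The PowerShell triage script below is an added example, not code from Kaspersky or from the article; the 30-day threshold, the policy registry keys and the Firefox profile path are assumptions about where such settings commonly live, not details the article gives.

```powershell
# Added triage script (not from the article): looks for an unexpected trusted
# root certificate and for a proxy forced on the browsers. Thresholds and key
# paths are assumptions, not indicators taken from the campaign.

$Since = (Get-Date).AddDays(-30)   # assumed window; legitimate roots are usually years old

# 1. Certificates added recently to the user and machine Root stores.
$SuspectCerts = foreach ($Store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem -Path $Store |
        Where-Object { $_.NotBefore -gt $Since } |
        Select-Object @{ n = 'Store'; e = { $Store } }, Subject, Thumbprint, NotBefore
}

# 2. System-wide (WinINET) proxy, which Edge and Chrome use unless a policy overrides it.
$Inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$InetProxy = if ($Inet.ProxyEnable -eq 1) { $Inet.ProxyServer } else { $null }

# 3. Chromium policy keys that pin a proxy regardless of the user's own settings.
$PolicyProxy = foreach ($Key in 'HKLM:\SOFTWARE\Policies\Google\Chrome',
                                'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
                                'HKCU:\SOFTWARE\Policies\Google\Chrome',
                                'HKCU:\SOFTWARE\Policies\Microsoft\Edge') {
    if (Test-Path $Key) {
        $P = Get-ItemProperty $Key
        foreach ($Name in 'ProxyServer', 'ProxySettings', 'ProxyMode') {
            if ($P.$Name) { [pscustomobject]@{ Key = $Key; Setting = $Name; Value = $P.$Name } }
        }
    }
}

# 4. Firefox keeps its proxy configuration in prefs.js / user.js per profile.
$FfProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$FfProxy = if (Test-Path $FfProfiles) {
    Get-ChildItem $FfProfiles -Recurse -Include prefs.js, user.js |
        Select-String -Pattern 'network\.proxy\.(type|http|ssl|socks)' |
        Select-Object Path, Line
}

# Report: anything listed here should be explained by an administrator or a known product.
"== Root certificates valid from after $($Since.ToShortDateString()) =="
$SuspectCerts | Format-Table -AutoSize
"== WinINET proxy =="; if ($InetProxy) { $InetProxy } else { 'none' }
"== Browser policy proxy =="; $PolicyProxy | Format-Table -AutoSize
"== Firefox proxy prefs =="; $FfProxy | Format-Table -AutoSize
```

A hit in any section is not proof of infection on its own; corporate proxies and endpoint products legitimately create the same artefacts, so compare findings against what is expected on that machine.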

"We have seen Trojans and malicious scripts that mimic clients for ChatGPT, Grok, and DeepSeek. Users in several countries around the world have encountered the new campaign. We do not rule out that attackers may use similar schemes in other regions, including Russia."

Dmitry Galov, Head of Kaspersky GReAT

Kaspersky experts recommend checking websites before entering confidential data and using security solutions.
