- Kaspersky finds that the fake DeepSeek app is promoted via Google ads
- The app bundles legitimate software with malware
- The malware relays sensitive data to attacker-controlled servers
Cybersecurity researchers at Kaspersky have spotted a new malware-distribution campaign that uses DeepSeek as a lure.
In a report, the researchers say unidentified hackers created a counterfeit version of the DeepSeek-R1 site, on which they hosted Ollama or LM Studio, tools that let users run large language models (LLMs) locally on their computers without needing an internet connection.
However, the tools were bundled with a piece of malware called BrowserVenom, which configures web browsers to route all traffic through the attackers’ server. As a result, all sensitive data, such as credentials, first passes through malicious servers where it can easily be picked up.
BrowserVenom
The site was advertised via Google Ads. When victims clicked the download button, the site first checked which operating system they were using and, if they were on Windows, served them the malware.
Users of other operating systems were not targeted, but Windows users had to pass a CAPTCHA, after which they were served the malware.
Kaspersky says BrowserVenom bypasses Windows Defender’s protection “with a special algorithm” but did not elaborate further. It stressed that the infection process requires administrator privileges on the Windows user profile and otherwise does not even run.
Most victims were located in Brazil, Cuba, Mexico, India, Nepal, South Africa and Egypt, Kaspersky added, but did not say how many people were affected.
“While running large language models offline offers privacy benefits and reduces dependence on cloud services, it can also come with significant risks if the right precautions are not taken,” commented Kaspersky security researcher Lisandro Ubiedo.
“Cyber criminals are increasingly utilizing the popularity of open source AI tools by distributing malicious packages and fake installers that can hide keyloggers, cryptominers or infostealers. These fake tools compromise a user’s sensitive data and pose a threat, especially when users have downloaded them from non-verified sources.”