A new campaign is exploiting the popularity of DeepSeek-R1, a trending large language model, to deliver a stealthy malware implant to Windows devices. Victims are lured into downloading malware disguised as a legitimate DeepSeek-R1 installer through malvertising and fraudulent websites.
Researchers at Kaspersky, publishing on Securelist, identified the campaign's central distribution site, deepseek-platform[.]com, which mimics the official DeepSeek homepage. The phishing site checks the visitor's operating system and, for Windows users, presents a single "Try now" button that starts a multi-step infection chain. The site is promoted through malvertising: paid placements put links to the fake site near the top of Google search results for DeepSeek-related queries, where unsuspecting users click them.
The implant, named "BrowserVenom" by the researchers, is a previously undocumented malware family that changes how browser-focused threats are deployed: rather than grabbing data once, it quietly reconfigures the victim's browsers so that traffic flows through attacker infrastructure. Russian-language comments embedded in the malicious code point to Russian-speaking operators. Infections have been confirmed in India, Brazil, Cuba, Mexico, Nepal, South Africa, and Egypt, showing the operation's broad international footprint.
Stealthy Infection Method via Fake CAPTCHA and AI Tools
The attack unfolds in a staged process that begins when a user clicks the "Try now" button on the spoofed site. Victims are first shown a counterfeit CAPTCHA screen built from heavily obfuscated JavaScript; it serves as a gate that only a real, interacting browser passes, which hinders automated crawlers and sandbox analysis.
After the gate, users are prompted to download an executable named AI_Launcher_1.21.exe. On launch, a second fake CAPTCHA page appears, styled to resemble Cloudflare's verification screens. The installer then offers to install legitimate local-LLM tools such as Ollama and LM Studio, which further lowers the victim's suspicion.
Meanwhile, the malware deploys silently through a function named MLInstaller.Runner.Run(), which runs in parallel with the installation of the real software so that its activity blends into expected installer behavior and is less likely to trigger alerts. One of its first actions is to run a PowerShell command that adds the user's profile directory to Windows Defender's scan exclusions. That step requires elevation, so it only succeeds if the user accepts the administrator (UAC) prompt the installer raises.
BrowserVenom Hijacks Browsers for Persistent Network Monitoring
Once embedded, BrowserVenom changes the infected system's browsing behavior: it reconfigures the installed browsers so that all of their traffic is routed through an attacker-controlled proxy at 141.105.130[.]106:37121. This lets the operators observe every destination the victim visits, read and modify any plaintext HTTP traffic, and potentially tamper with HTTPS sessions as well. A caveat for responders: a proxy alone cannot decrypt TLS, so full inspection of HTTPS content would additionally require the victim's browsers to trust an attacker-controlled certificate; even without that, the proxy still exposes browsing destinations and unencrypted traffic.
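The two host-level traces described above, a Defender path exclusion covering the user's profile and browser or system proxy settings pointing at the attacker's proxy, are both easy to hunt for from a PowerShell prompt. The script below is an added example written for this article; it is not code from the Securelist report or from the malware. The proxy IP and port are the ones named above, and everything else (shortcut locations, Firefox profile paths, the assumption that a Chromium-family browser would be forced through the proxy via a `--proxy-server` launch argument and Firefox via `network.proxy.*` preferences) is an assumption about a typical Windows host rather than a documented BrowserVenom behavior.

```powershell
# Added hunting example, not the original report's or the malware's code.
# Looks for: (1) Defender exclusions covering the user profile,
# (2) a WinINET proxy, (3) browser shortcuts with --proxy-server,
# (4) Firefox manual-proxy prefs, (5) live connections to the IOC.
# Paths/locations checked are assumptions about a typical Windows host.

function Find-BrowserVenomTraces {
    $IocIp    = '141.105.130.106'          # from the article
    $IocProxy = "$IocIp`:37121"            # from the article
    $Findings = [System.Collections.Generic.List[string]]::new()

    # 1. Defender exclusion paths that cover the user's profile directory.
    try {
        $prefs = Get-MpPreference -ErrorAction Stop
        foreach ($p in @($prefs.ExclusionPath)) {
            if ($p -and ($env:USERPROFILE -like "$p*" -or $p -like "$env:USERPROFILE*")) {
                $Findings.Add("Defender exclusion covers user profile: $p")
            }
        }
    } catch {
        $Findings.Add("Could not query Defender preferences: $($_.Exception.Message)")
    }

    # 2. System-wide (WinINET) proxy in the current user's hive.
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    if ($inet -and $inet.ProxyEnable -eq 1) {
        $sev = if ("$($inet.ProxyServer)" -like "*$IocProxy*") { 'IOC match' } else { 'review' }
        $Findings.Add("WinINET proxy enabled ($sev): $($inet.ProxyServer)")
    }

    # 3. Shortcuts (.lnk) whose arguments force a proxy on a Chromium-family browser.
    $shell = New-Object -ComObject WScript.Shell
    $lnkRoots = @(
        "$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
    )
    Get-ChildItem -Path $lnkRoots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnkArgs = $shell.CreateShortcut($_.FullName).Arguments
        if ($lnkArgs -match '--proxy-server') {
            $sev = if ($lnkArgs -like "*$IocProxy*") { 'IOC match' } else { 'review' }
            $Findings.Add("Shortcut forces a proxy ($sev): $($_.FullName) => $lnkArgs")
        }
    }

    # 4. Firefox profiles: manual proxy (network.proxy.type = 1) or the IOC in prefs.
    $ffProfiles = "$env:APPDATA\Mozilla\Firefox\Profiles"
    Get-ChildItem -Path $ffProfiles -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($name in 'user.js', 'prefs.js') {
            $file = Join-Path $_.FullName $name
            if (Test-Path $file) {
                Select-String -Path $file -Pattern 'network\.proxy\.' | ForEach-Object {
                    $line = $_.Line
                    if ($line -like "*$IocIp*" -or $line -match 'network\.proxy\.type",\s*1\)') {
                        $Findings.Add("Firefox manual proxy in $file : $line")
                    }
                }
            }
        }
    }

    # 5. Live TCP connections to the attacker proxy, with the owning process.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $IocIp } |
        ForEach-Object {
            $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            $Findings.Add("Active connection to IOC from PID $($_.OwningProcess) ($proc), remote port $($_.RemotePort)")
        }

    return $Findings
}

$results = Find-BrowserVenomTraces
if ($results.Count -eq 0) { 'No BrowserVenom-style traces found.' } else { $results }
```

Run it in an elevated session so that Get-MpPreference and Get-NetTCPConnection return complete data. Any hit tagged "IOC match" is strong evidence of this campaign; hits tagged "review" show a forced proxy that points elsewhere and should be compared against the organization's sanctioned proxy configuration before being treated as benign.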
Unlike malware that simply steals credentials or files and leaves, BrowserVenom is built for long-term surveillance: by sitting in the browser's network path it can collect data continuously for as long as the proxy configuration survives. Analysts note that the campaign's polish, and its timing around a trending technology, fits a broader pattern in which threat actors track what users are searching for and build lures around it.
Security researchers urge users to download software only from verified, official sources, to be wary of sponsored search results for popular AI tools, and, on hosts where a fake installer may have run, to review Windows Defender exclusions and browser proxy settings for unexpected entries.