Security researchers have uncovered a large-scale malware campaign that tricks users with fake DeepSeek-R1 ads. The malware, named BrowserVenom, was distributed through bogus installers downloaded from malicious websites showing up in Google search results.
Users seeking the popular DeepSeek AI tool encountered ads leading to a fake DeepSeek page. There they were prompted to run a fake installer named AI_Launcher_1.21.exe, which was dressed in legitimate branding and even featured mock CAPTCHA screens. Once installed, the software secretly infects Windows machines and hijacks the user's browsing sessions.
How BrowserVenom Operates Behind the Scenes
BrowserVenom alters browser configurations to reroute all internet traffic through proxies controlled by attackers. It installs rogue certificates and tweaks shortcut files and preference settings. These changes allow cybercriminals to intercept encrypted traffic, capture credentials, read financial details, and spy on private messages.
Further analysis revealed that the installers originate from phishing domains with hidden scripts and developer notes in Russian, suggesting a Russian-speaking threat group. Victims have been reported in countries as diverse as Brazil, India, Nepal, South Africa, Cuba, Mexico, and Egypt.
Malvertising Amplifies the Threat
Attackers leveraged malvertising by purchasing Google Ads that targeted queries for DeepSeek-R1. This tactic placed malicious links at the top of search results, luring users who clicked thinking they were downloading the legitimate chatbot. After the campaign gained traction, Google reportedly disabled the ad placements.
While some victims may initially receive legitimate AI tools like Ollama or LM Studio, the payload also secretly installs BrowserVenom, which then works silently in the background.
Rapid Global Spread and Increasing Risk
In just 30 days, over 270,000 websites were infected through a related JavaScript malware campaign, suggesting a broader strategy of injecting malicious code into trusted domains. BrowserVenom continues this trend with client-side browser poisoning, escalating user risk in the process.
Expert Advice to Avoid BrowserVenom Infection
Security experts advise users to refrain from clicking on sponsored results when searching for AI tools and to avoid downloading software from unofficial sites. Instead, rely on trusted developer websites and verify SSL certificates carefully.
Additional precautions include disabling suspicious browser redirects, regularly checking system and browser proxy settings, and using reputable endpoint protection that can detect the modifications made by malware such as BrowserVenom.
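The article describes BrowserVenom as changing proxy settings, installing a rogue root certificate and editing browser shortcuts and preference files, and it advises regularly checking proxy settings. The following audit script is an added example, not code from the article or from any vendor report: it inspects each of those locations on a Windows host and lists anything unusual for an analyst to review. The specific indicators it looks for (a `--proxy-server` or similar switch in a shortcut's arguments, `network.proxy.*` entries in Firefox `user.js`/`prefs.js`, and root certificates added within the last 90 days) are assumed checks based on how browser proxies are normally configured, not values taken from the article.

```powershell
# Added audit script (not from the article). Checks the places the text says
# BrowserVenom tampers with: proxy settings, browser shortcuts, browser
# preference files and trusted root certificates. Run in an elevated
# PowerShell session on the host being inspected. Every line it reports is
# a lead for a human analyst, not proof of infection.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Per-user WinINET proxy (honoured by Edge and Chrome unless overridden).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p.ProxyEnable -eq 1 -or $p.ProxyServer -or $p.AutoConfigURL) {
    $findings.Add("WinINET proxy configured: server='$($p.ProxyServer)' pac='$($p.AutoConfigURL)'")
}

# 2. Machine-wide WinHTTP proxy (used by services and updaters).
$winhttp = (netsh winhttp show proxy) -join ' '
if ($winhttp -notmatch 'Direct access') {
    $findings.Add("WinHTTP proxy set: $winhttp")
}

# 3. Shortcuts whose argument line forces a proxy or disables certificate checks.
#    Assumed indicator: these are the standard Chromium command-line switches.
$shortcutDirs = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)
$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)
        if ($lnk.Arguments -match '--proxy-server|--proxy-pac-url|--ignore-certificate-errors') {
            $findings.Add("Shortcut with proxy/cert switches: $($_.FullName) -> $($lnk.Arguments)")
        }
    }
}

# 4. Firefox profile preference files that pin a proxy.
#    Assumed indicator: the network.proxy.* preference family.
$ffProfiles = "$env:APPDATA\Mozilla\Firefox\Profiles"
if (Test-Path $ffProfiles) {
    Get-ChildItem -Path $ffProfiles -Directory | ForEach-Object {
        foreach ($file in 'user.js', 'prefs.js') {
            $path = Join-Path $_.FullName $file
            if (Test-Path $path) {
                $hits = Select-String -Path $path -Pattern 'network\.proxy\.(type|http|ssl|socks|autoconfig_url)'
                foreach ($h in $hits) { $findings.Add("Firefox proxy pref in ${path}: $($h.Line.Trim())") }
            }
        }
    }
}

# 5. Root certificates that appeared recently. Heuristic only: legitimate
#    roots are long-lived, so a NotBefore inside the last 90 days is worth a look.
$recent = (Get-Date).AddDays(-90)
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.NotBefore -gt $recent) {
            $findings.Add("Recently issued root in ${store}: $($_.Subject) [$($_.Thumbprint)]")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No proxy, shortcut, preference or root-certificate anomalies found.'
} else {
    Write-Output "Potential indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Each finding should be compared against what the organisation actually deploys (a corporate PAC file, a legitimate inspection root, a packaged browser shortcut) before anything is removed; the script deliberately reports rather than reverts, so that the evidence survives for incident response.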
Final Take
The BrowserVenom campaign highlights how quickly hackers adapt to trends in AI. By exploiting growing interest in tools like DeepSeek-R1, attackers deploy potent proxy backdoors that go undetected.
In an era where malicious ads can deliver malware directly through search results, strong vigilance and cautious clicking remain essential defenses.