Kaspersky Lab experts have discovered a new BrowserVenom virus that infects Windows computers by masquerading as the popular DeepSeek AI chatbot application. The malware secretly monitors users and manipulates their internet traffic.

Kaspersky Lab experts have discovered a new BrowserVenom virus that poses a serious threat to Windows users. The malware masquerades as the legitimate DeepSeek application — a popular AI chatbot.

Distribution Method

Cybercriminals use a sophisticated distribution scheme through Google search ads. They place advertisements that appear in search results for DeepSeek-related queries, particularly "deep seek r1". The attackers count on new users potentially not knowing the official domains of the generative AI system.

When clicking on the advertisement, users land on a fake DeepSeek website with a button to download the R1 model. The goal is to trick victims into downloading and running a malicious executable file.

Virus Operation Principle

After the malicious file is run, a window appears on the screen mimicking a DeepSeek R1 installation. In reality, the BrowserVenom virus is installed on the computer. The malware:

  • Reconfigures installed browsers to route through a proxy server controlled by attackers
  • Intercepts the user's confidential data
  • Tracks website browsing history
  • Decrypts the victim's internet traffic
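
As an added example (not from Kaspersky's report or the original page), the Python sketch below audits two places where a browser proxy can be pinned: Firefox's `prefs.js` proxy preferences and a Chromium-based browser's `--proxy-server` command-line switch. The page does not say which mechanism BrowserVenom uses, so these locations, the empty allowlist and the sample data are assumptions.

```python
import re

# Proxies the organisation actually uses (assumption: empty means none expected).
ALLOWED_PROXIES = set()

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(".*?"|-?\d+|true|false)\);')
FLAG_RE = re.compile(r'--proxy-server=("[^"]*"|\S+)')


def firefox_proxy(prefs_text):
    """Return 'host:port' if prefs.js enables a manual HTTP(S) proxy, else None."""
    prefs = {k: v.strip('"') for k, v in PREF_RE.findall(prefs_text)}
    if prefs.get("network.proxy.type") != "1":  # 1 = manual proxy configuration
        return None
    for scheme in ("ssl", "http"):
        host = prefs.get(f"network.proxy.{scheme}")
        if host:
            port = prefs.get(f"network.proxy.{scheme}_port", "0")
            return f"{host}:{port}"
    return None


def chromium_proxy(command_line):
    """Return the --proxy-server value from a shortcut target or process command line."""
    m = FLAG_RE.search(command_line)
    return m.group(1).strip('"') if m else None


def audit(sources):
    """sources: list of (label, kind, text). Return findings for unexpected proxies."""
    findings = []
    for label, kind, text in sources:
        proxy = firefox_proxy(text) if kind == "firefox" else chromium_proxy(text)
        if proxy and proxy not in ALLOWED_PROXIES:
            findings.append((label, proxy))
    return findings


# Constructed sample data; 192.0.2.10 is a documentation address, not an indicator.
SAMPLE = [
    ("firefox prefs.js", "firefox",
     'user_pref("network.proxy.type", 1);\n'
     'user_pref("network.proxy.http", "192.0.2.10");\n'
     'user_pref("network.proxy.http_port", 8080);\n'),
    ("chrome.lnk", "chromium",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --proxy-server="192.0.2.10:8080"'),
    ("edge.lnk", "chromium",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'),
]

if __name__ == "__main__":
    for label, proxy in audit(SAMPLE):
        print(f"unexpected proxy in {label}: {proxy}")
```

Feed it the real contents of each profile's `prefs.js` and the target strings of browser shortcuts or running browser processes; any finding outside the allowlist deserves a closer look.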

Infection Geography

Although the domain associated with the malicious campaign has been blocked, experts have recorded infection cases in several countries: Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt.

How to Protect Yourself

Specialists recommend:

  • Always verify website authenticity before downloading files
  • Ensure that the website you have opened really belongs to the developer you are looking for
  • Remember that running the DeepSeek R1 open model on a PC requires several technical steps, not simply running one executable file

Researchers found Russian-language comments in the phishing site's source code, indicating the possible origin of the attackers.

Detailed information about this threat can be found on the official SecureList website.
