Threat Actors Leverage DeepSeek-R1 Popularity to Attack Users Running Windows Devices


Jun 12, 2025 - 19:20

Cybercriminals have begun exploiting the surge in popularity of DeepSeek-R1, one of the most sought-after large language models currently available, to distribute a sophisticated new malware strain targeting Windows users.

The malicious campaign uses the artificial intelligence chatbot’s growing demand as a lure to trick unsuspecting users into downloading what appears to be legitimate DeepSeek software but instead delivers a dangerous payload designed to compromise their browsing activities.

The attack begins with a carefully orchestrated malvertising campaign that places fraudulent websites at the top of Google search results when users search for “deepseek r1”.

The primary phishing site, deepseek-platform[.]com, masquerades as the official DeepSeek homepage. It fingerprints the visitor's operating system and, for Windows users, shows a single "Try now" button that starts the infection chain.

Malicious website mimicking DeepSeek (Source – Securelist)

This approach demonstrates the threat actors’ understanding of user behavior and their ability to monetize trending technology through deceptive tactics.

Securelist analysts found that the campaign distributes a previously unknown implant, which they named "BrowserVenom" after its effect on the victim's browsers.

The researchers discovered evidence suggesting Russian-speaking threat actors are behind the operation, with Russian-language comments found embedded within the malicious website’s source code.

The geographic distribution of infections spans multiple continents, with confirmed cases detected in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt, indicating a global reach that capitalizes on DeepSeek’s international popularity.

BrowserVenom's main effect is not on stored data but on the victim's browsing itself: it is built to put the operators in the path of the browser's network traffic for as long as the changes persist.

Once installed, the malware reconfigures every browser it finds to send its traffic through an attacker-controlled proxy at 141.105.130[.]106:37121, so the operators can observe, log, and alter what passes through it. A proxy by itself exposes plaintext HTTP and the destination hosts of HTTPS connections; reading or changing HTTPS content additionally requires a certificate the browser trusts, so that is a second thing to check on a suspected host.
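The article does not say how BrowserVenom forces the proxy setting, so the following triage script is an added example written for this page (not code from the article or from Securelist) that checks the usual places a proxy can be imposed on Windows browsers and flags the proxy address named above. The locations it inspects, the Chromium shortcut and Firefox preference checks included, are assumptions about where to look, not a description of the malware's mechanism.

```powershell
# Added triage script (not from the article or the Securelist report). Checks the
# common places a Windows browser proxy can be forced and flags the article's IOC.
# Which of these BrowserVenom actually uses is not stated on the page (assumption).

$Ioc = '141.105.130.106:37121'   # attacker proxy from the article (defanged there)
$Findings = @()

# 1. System-wide WinINET proxy (Edge, Chrome and IE honour this unless overridden)
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
    $Findings += [pscustomobject]@{ Where = 'WinINET ProxyServer'; Value = $inet.ProxyServer }
}

# 2. Browser shortcuts whose arguments carry --proxy-server (a per-browser override
#    for Chromium-based browsers that survives a reboot)
$shell = New-Object -ComObject WScript.Shell
$lnkDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)
foreach ($lnk in Get-ChildItem -Path $lnkDirs -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue) {
    $lnkArgs = $shell.CreateShortcut($lnk.FullName).Arguments
    if ($lnkArgs -match '--proxy-server') {
        $Findings += [pscustomobject]@{ Where = $lnk.FullName; Value = $lnkArgs }
    }
}

# 3. Firefox profile preference files that set a manual proxy
$ffPrefs = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*" -Include user.js, prefs.js -Recurse -ErrorAction SilentlyContinue
foreach ($f in $ffPrefs) {
    $hits = Select-String -Path $f.FullName -Pattern 'network\.proxy\.(type|http|ssl|socks)' -ErrorAction SilentlyContinue
    foreach ($h in $hits) {
        $Findings += [pscustomobject]@{ Where = $f.FullName; Value = $h.Line.Trim() }
    }
}

# Report: a value containing the known proxy is a confirmed hit; anything else is
# a forced proxy that still needs a human to decide whether it is legitimate.
foreach ($fnd in $Findings) {
    $tag = if ($fnd.Value -like "*$Ioc*") { 'MATCHES ARTICLE IOC' } else { 'review' }
    Write-Output ("[{0}] {1}: {2}" -f $tag, $fnd.Where, $fnd.Value)
}
if (-not $Findings) { Write-Output 'No forced browser proxy settings found.' }
```

Run it in the context of the user whose browsers are suspected, since the WinINET setting and the Firefox profiles are per-user; a clean result does not rule out other mechanisms (for example a PAC script or a changed browser policy), which is why the script reports every forced proxy rather than only the known address.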

Infection Mechanism and Technical Implementation

The infection chain is multi-stage and leans on social engineering at every step.

Fake CAPTCHA (Source – Securelist)

After the user clicks "Try now", the site shows a fake CAPTCHA driven by obfuscated JavaScript; its purpose is to confirm a real person is interacting and to keep automated analysis sandboxes from reaching the download.

Upon successful CAPTCHA completion, victims download AI_Launcher_1.21.exe, which presents another deceptive Cloudflare-style CAPTCHA before offering installation options for legitimate AI frameworks like Ollama and LM Studio.

The malicious logic lives in the MLInstaller.Runner.Run() function, which runs in parallel with the genuine Ollama or LM Studio installation so that the user sees the installer they expected.

Its first action is to run a hardcoded PowerShell command that adds the user's profile directory to the Windows Defender exclusion list. That command needs administrator privileges, so the exclusion only takes effect when the victim launched the installer elevated or accepted a UAC prompt; otherwise Defender still scans the files the installer drops.
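The article names the effect of that PowerShell command but does not quote it, so the following is an added example for this page (not the malware's command and not code from the article or Securelist) showing what a responder would check afterwards: the current Defender path exclusions, the Tamper Protection state that decides whether such a command could have succeeded, and the Defender configuration-change events (ID 5007) that an exclusion addition leaves in the event log. The assumed shape of the attacker's command appears only in a comment and is never executed.

```powershell
# Added detection snippet (not from the article or the Securelist report). The page
# says a hard-coded PowerShell command excludes the user's directory from Defender
# and needs admin rights; the command itself is not quoted. Assumed shape, shown
# only as a comment and never run here:
#   Add-MpPreference -ExclusionPath $env:USERPROFILE
# The checks below look for the traces such a command would leave.

# (a) Current path exclusions. Anything under a user profile is a strong anomaly,
#     since legitimate exclusions normally point at application or data folders.
$prefs = Get-MpPreference
foreach ($path in @($prefs.ExclusionPath)) {
    if (-not $path) { continue }
    $flag = if ($path -like "$env:SystemDrive\Users\*") { 'SUSPICIOUS (user profile)' } else { 'review' }
    Write-Output ("[{0}] ExclusionPath: {1}" -f $flag, $path)
}
if (-not $prefs.ExclusionPath) { Write-Output 'No path exclusions configured.' }

# (b) Tamper Protection, when on, rejects Add-MpPreference even from an elevated shell,
#     so its state says whether the malware's command could have worked at all.
$status = Get-MpComputerStatus
Write-Output ("Tamper protection enabled: {0}" -f $status.IsTamperProtected)

# (c) Event ID 5007 in the Defender operational log records every configuration
#     change; for an exclusion the message names the Exclusions\Paths registry value
#     that was written, which is what we filter on here.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' } |
    ForEach-Object {
        Write-Output ("{0}  {1}" -f $_.TimeCreated, ($_.Message -replace '\s+', ' '))
    }
```

Reading the event log needs an elevated shell, and the 5007 event is also the signal to forward to a SIEM: an exclusion added by a process that is not an administrator's console or a management agent is worth an alert regardless of which path it names.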


The post Threat Actors Leverage DeepSeek-R1 Popularity to Attack Users Running Windows Devices appeared first on Cyber Security News.