cryptominers – Tech | Business | Economy (https://techeconomy.ng)

DeepSneak: How Malware Posing as AI Assistant Steals User Data
https://techeconomy.ng/deepsneak-how-malware-posing-as-ai-assistant-steals-user-data/
Tue, 17 Jun 2025 14:12:00 +0000

Kaspersky Global Research & Analysis Team researchers have discovered a new malicious campaign that is distributing a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs.

The previously unknown malware is delivered via a phishing site pretending to be the official DeepSeek homepage that is promoted via Google Ads.

The goal of the attacks is to install BrowserVenom, malware that configures web browsers on the victim’s device to channel web traffic through the attackers’ servers, allowing them to collect user data such as credentials and other sensitive information.

Multiple infections have been detected in Brazil, Cuba, Mexico, India, Nepal, South Africa and Egypt.

DeepSeek-R1 is one of the most popular LLMs right now, and Kaspersky has previously reported attacks with malware mimicking it to attract victims.

DeepSeek can also be run offline on PCs using tools like Ollama or LM Studio, and attackers used this in their campaign.

Users were directed to a phishing site mimicking the address of the original DeepSeek platform via Google Ads, with the link showing up in the ad when a user searched for “deepseek r1”. Once the user reached the fake DeepSeek site, a check was performed to identify the victim’s operating system.

If it was Windows, the user was presented with a button to download the tools for working with the LLM offline. Other operating systems were not targeted at the time of research.

[Image: Malicious website mimicking DeepSeek.]

After clicking on the button and passing the CAPTCHA test, a malicious installer file was downloaded and the user was presented with options to download and install Ollama or LM Studio.

If either option was chosen, the malware was installed on the system alongside the legitimate Ollama or LM Studio installer, bypassing Windows Defender’s protection with a special algorithm.

This procedure also required administrator privileges for the Windows user profile; if the profile did not have these privileges, the infection would not take place.

[Image: Two options to install abused LLM frameworks.]

After the malware was installed, it configured all web browsers in the system to forcefully use a proxy controlled by the attackers, enabling them to spy on sensitive browsing data and monitor the victim’s browsing activity.

Because of its enforcing nature and malicious intent, Kaspersky researchers have dubbed this malware BrowserVenom.

“While running large language models offline offers privacy benefits and reduces reliance on cloud services, it can also come with substantial risks if proper precautions aren’t taken. Cybercriminals are increasingly exploiting the popularity of open-source AI tools by distributing malicious packages and fake installers that can covertly install keyloggers, cryptominers, or infostealers. These fake tools compromise a user’s sensitive data and pose a threat, particularly when users have downloaded them from unverified sources,” comments Lisandro Ubiedo, security researcher with Kaspersky’s Global Research & Analysis Team.

To avoid such threats, Kaspersky recommends:

  • Check the addresses of the websites to verify that they are genuine and to avoid a scam.
  • Download offline LLM tools only from official sources (e.g., ollama.com, lmstudio.ai).
  • Avoid using Windows on a profile with admin privileges.
  • Use trusted cyber security solutions to prevent malicious files from launching.

Cryptomining Attacks in Nigeria Decreases by 16% in Q2 2022
https://techeconomy.ng/cryptomining-attacks-in-nigeria-decreases-by-16-in-q2-2022/
Mon, 19 Sep 2022 09:01:18 +0000

In Q2 2022, Kaspersky solutions detected 40,788 new modifications of miners. According to Kaspersky Security Network data, in the African region, the number of home users affected by cryptominers in Q2 of 2022 decreased slightly compared to the previous quarter.

However, the possibility of a surge in cryptomining attacks persists and could be directly correlated to cryptocurrency exchange rates.

Cryptomining is a process during which users mining cryptocurrencies utilise computers, data, codes, and calculations to validate cryptocurrency transactions and earn cryptocurrency as compensation for their work.

Cryptomining is highly resource-consuming and hence expensive to do, which is why cybercriminals seek access to others’ machines to conduct mining on them.

Attackers can use compromised devices to generate cryptocurrency without the device owners’ knowledge.

They can steal resources, for example, by sending endpoint users a legitimate-looking email that encourages them to click on a link that runs code which places a cryptomining script or program on the victim’s computer.

Another method is to inject a script on a website or an ad that is delivered to multiple websites. Once victims visit the website or the infected ad pops up in their browsers, the script automatically executes. No code is stored on the victims’ computers.

In 2019, eight separate apps that secretly mined cryptocurrency with the resources of whoever downloaded them were removed from the Microsoft Store. In 2018, cryptojacking code was discovered within the Los Angeles Times’ Homicide Report page. Also in 2018, the CoinHive miner was found to be running on YouTube Ads through Google’s DoubleClick platform.

Across the African region there was a downward trend in cryptomining attacks; in South Africa, however, the dynamics were multidirectional. The number of attempts by attackers to run cryptominers on home users’ machines decreased by 11% in Q2 2022 compared to Q1, yet the number of home computers that were affected by cryptomining software increased by 2% over the same time period.

In Nigeria, the number of attempts to run cryptominers on home computers decreased by 16% in Q2 2022 compared to Q1, and the number of computers affected by cryptominers decreased by 10%.

In Kenya, there was a milder decrease: 3% for attempts to run cryptominers on home machines and 6% for the affected computers.

“Before, cryptomining attacks were primarily an issue for endpoints, targeting desktops and laptops, sometimes – Android smartphones. Today, cryptojacking is expanding to include servers, network, and even IoT devices. Servers are usually higher powered than ordinary PCs and allow for greater mining capacity,” comments David Emm, Principal Security Researcher at Kaspersky. “We see different levels of mining activity in different regions – this is because of different levels of cryptocurrency adoption in countries, but also because of the fluctuations of cryptocurrency exchange rates. Once crypto rises in value, the activity of attackers using miners increases.”

To protect against cryptomining attacks, Kaspersky experts recommend that home and enterprise users:

· Use reliable endpoint cybersecurity, such as Kaspersky Total Security for home users and Kaspersky Endpoint Security for Business together with Endpoint Detection and Response for enterprise users.

· Install the latest software updates and patches for your operating system and all applications — especially web browsers.

· Be alert to the latest cryptojacking trends: cybercriminals are constantly modifying code and coming up with new delivery methods to embed updated scripts and programs onto your computer system. Organisations could save resources by investing in a managed detection and response solution, such as Kaspersky MDR, for a team of professional cybersecurity staff to be proactive and stay on top of the latest cybersecurity threats.

· Use industrial cybersecurity solutions to prevent cryptomining on smart manufacturing devices and IoT devices.

· Use browser extensions designed to block cryptojacking: minerBlock, No Coin, and Anti Miner. They install as extensions in some popular browsers.

· Disable JavaScript: when browsing online, disabling JavaScript can prevent cryptojacking code from infecting your computer.
