Phishing sites posing as DeepSeek downloads drop a proxy backdoor

Kaspersky is warning LLM users of a new malicious campaign distributing previously unknown malware, dubbed “BrowserVenom,” through a fake DeepSeek-R1 environment installer.

According to findings by the cybersecurity and antivirus firm, users are being tricked into downloading the malware from phishing sites posing as the official DeepSeek homepage.

“Users of all experience levels look for chatbot websites on search engines, and threat actors have started abusing the popularity of LLMs,” Kaspersky researchers said in a blog post. “The website (phishing site with BrowserVenom malware) was promoted in the search results via Google Ads.”

The attacks deploy BrowserVenom, a malicious implant that reroutes all browser traffic through an actor-controlled proxy, allowing the attackers to manipulate traffic and collect data.

Malicious proxy posing as DeepSeek client

The phony DeepSeek-R1 download pages trick users into installing a desktop client that doesn’t exist. What they get instead is a custom browser backdoor rerouting web traffic.

“We dubbed the implant BrowserVenom because it reconfigures all browsing instances to force traffic through a proxy controlled by the threat actors,” researchers added. “This enables them to sniff sensitive data and monitor victims’ browsing activity while decrypting their traffic.”

Once installed, BrowserVenom silently modifies proxy settings for Chromium-based as well as Gecko-based browsers. It ensures persistence by updating configuration files that reroute all HTTP/HTTPS traffic to an external proxy, enabling attackers to snoop on, inject into, and manipulate browsing activity in real time, without alerting the user or triggering browser warnings.

For Chromium-based browsers like Chrome and Microsoft Edge, BrowserVenom appends a proxy-server argument to existing LNK shortcut files. For Gecko-based browsers such as Mozilla Firefox and Tor Browser, the implant modifies the user’s profile preferences to achieve the same effect.
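The two modification paths described above, a proxy switch appended to a Chromium shortcut's arguments and manual proxy preferences written into a Gecko profile, are straightforward to audit from the defender's side. The following Python is an added example written for this page, not code from Kaspersky or the article. It assumes Chromium's standard `--proxy-server=` command-line switch and Firefox's standard `network.proxy.*` preference names; the shortcut records and the prefs.js text are constructed sample data (the proxy address is from a documentation range) standing in for what you would read from the LNK files on the desktop and the profile directories.

```python
import re

# Gecko (Firefox) stores per-profile settings as user_pref("key", value); lines in
# prefs.js / user.js. network.proxy.type == 1 means "manual proxy configuration".
GECKO_MANUAL_PROXY = 1
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(prefs_text):
    """Parse user_pref("key", value); lines into a dict of typed values."""
    prefs = {}
    for line in prefs_text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]            # string pref
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"         # boolean pref
        else:
            try:
                prefs[key] = int(raw)          # integer pref
            except ValueError:
                prefs[key] = raw               # anything else, keep verbatim
    return prefs


def gecko_proxy_override(prefs_text):
    """Return 'host:port' if the profile forces a manual proxy, else None."""
    prefs = parse_prefs(prefs_text)
    if prefs.get("network.proxy.type") != GECKO_MANUAL_PROXY:
        return None
    host = prefs.get("network.proxy.http") or prefs.get("network.proxy.ssl")
    port = prefs.get("network.proxy.http_port") or prefs.get("network.proxy.ssl_port")
    if not host:
        return None
    return f"{host}:{port}" if port else str(host)


def chromium_proxy_override(arguments):
    """Return the value of a --proxy-server= switch found in a shortcut's
    argument string (Chromium's real command-line switch), else None."""
    for tok in arguments.split():
        tok = tok.strip('"')
        if tok.startswith("--proxy-server="):
            return tok.split("=", 1)[1].strip('"')
    return None


def audit(shortcuts, gecko_profiles):
    """Report every browser launch point that forces traffic through a proxy.

    shortcuts: list of dicts with 'name', 'target', 'arguments' as read from LNK files.
    gecko_profiles: dict mapping a profile file path to its prefs.js text.
    Returns a list of (kind, location, proxy) tuples."""
    findings = []
    for sc in shortcuts:
        proxy = chromium_proxy_override(sc.get("arguments", ""))
        if proxy:
            findings.append(("chromium-shortcut", sc["name"], proxy))
    for path, text in gecko_profiles.items():
        proxy = gecko_proxy_override(text)
        if proxy:
            findings.append(("gecko-profile", path, proxy))
    return findings


# Constructed sample input: one clean shortcut, one with an appended proxy switch,
# and one Gecko profile whose prefs force a manual proxy. 198.51.100.10 is a
# documentation address, not a real indicator from the campaign.
SAMPLE_SHORTCUTS = [
    {"name": "Google Chrome.lnk",
     "target": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "arguments": ""},
    {"name": "Microsoft Edge.lnk",
     "target": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "arguments": '--proxy-server="198.51.100.10:8080"'},
]
SAMPLE_PREFS = '''user_pref("browser.startup.page", 1);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "198.51.100.10");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
'''
SAMPLE_PROFILES = {"default-release/prefs.js": SAMPLE_PREFS}

if __name__ == "__main__":
    for kind, where, proxy in audit(SAMPLE_SHORTCUTS, SAMPLE_PROFILES):
        print(f"{kind}: {where} forces proxy {proxy}")
```

A hit is a starting point rather than a verdict: managed environments legitimately set proxies this way, so compare each reported address against the organization's approved proxy list and treat anything else, especially a proxy that appears only on the desktop shortcut and not in system settings, as worth a closer look.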

Researchers said that the analysis of the source code of the phishing and distribution sites revealed functional comments written in Russian, an indicator that the infrastructure was likely developed by Russian-speaking threat actors.

Kaspersky detected multiple infections in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt.

Using CAPTCHA as a throw-off

To add legitimacy to their operation and lower user suspicion, the attackers embedded fake CAPTCHA challenges twice in the attack chain. The first appears when a user clicks the “Try now” button on the malicious DeepSeek download website, triggering a decoy CAPTCHA mimicking standard verification.

Interestingly, the CAPTCHA code does actually verify that the user is human. “Clicking this button will take the user to a CAPTCHA anti-bot screen,” researchers noted. “The code for this screen is obfuscated JavaScript, which performs a series of checks to make sure that the user is not a bot.”

After successful completion of the CAPTCHA, the user is redirected to a page with the “Download” button for the malicious installer (AI-Launcher-1.21.exe). This installer, which ultimately launches BrowserVenom, runs a binary that invokes the second CAPTCHA, requiring users to tick a box marked “I am not a robot” in a Cloudflare-themed verification screen.

Ticking that box leads the user to a screen prompting them to choose between an “Ollama” or an “LM Studio” download, both of which are platforms for running DeepSeek locally on user machines. Irrespective of the choice, BrowserVenom is downloaded and run.

Threat actors are increasingly turning CAPTCHA screens into social engineering bait, using them to mask malware delivery behind a guise of legitimacy. Earlier this month, a phishing campaign was revealed faking Cloudflare’s Turnstile CAPTCHA to trick users into copy-pasting malicious commands.

Originally published by CSO Online.