
New malware posing as an AI assistant steals user data
Kaspersky Global Research & Analysis Team researchers have discovered a new malicious campaign that distributes a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs. The previously unknown malware is delivered via a phishing site that pretends to be the official DeepSeek homepage and is promoted via Google Ads. The goal of the attacks is to install BrowserVenom, malware that configures web browsers on the victim's device to channel web traffic through the attackers' servers, allowing them to collect user data – credentials and other sensitive information. Multiple infections have been detected in Brazil, Cuba, Mexico, India, Nepal, South Africa and Egypt.
DeepSeek-R1 is one of the most popular LLMs right now, and Kaspersky has previously reported attacks with malware mimicking it to attract victims. DeepSeek can also be run offline on PCs using tools like Ollama or LM Studio, and attackers used this in their campaign.
Users were directed to a phishing site mimicking the address of the original DeepSeek platform via Google Ads, with the link showing up in the ad when a user searched for 'deepseek r1'. Once the user reached the fake DeepSeek site, a check was performed to identify the victim's operating system. If it was Windows, the user was presented with a button to download the tools for working with the LLM offline. Other operating systems were not targeted at the time of research.
After the user clicked the button and passed the CAPTCHA test, a malicious installer file was downloaded and the user was presented with options to download and install Ollama or LM Studio. If either option was chosen, malware was installed on the system along with the legitimate Ollama or LM Studio installers, bypassing Windows Defender's protection with a special algorithm. This procedure also required the Windows user profile to have administrator privileges; without them, the infection would not take place.
After the malware was installed, it configured all web browsers in the system to forcefully use a proxy controlled by the attackers, enabling them to spy on sensitive browsing data and monitor the victim's browsing activity. Because of its enforcing nature and malicious intent, Kaspersky researchers have dubbed this malware BrowserVenom.
'While running large language models offline offers privacy benefits and reduces reliance on cloud services, it can also come with substantial risks if proper precautions aren't taken. Cybercriminals are increasingly exploiting the popularity of open-source AI tools by distributing malicious packages and fake installers that can covertly install keyloggers, cryptominers, or infostealers. These fake tools compromise a user's sensitive data and pose a threat, particularly when users have downloaded them from unverified sources,' comments Lisandro Ubiedo, Security Researcher with Kaspersky's Global Research & Analysis Team.
To avoid such threats, Kaspersky recommends:
• Check the addresses of the websites to verify that they are genuine and avoid scams.
• Download offline LLM tools only from official sources (e.g., ollama.com, lmstudio.ai).
• Avoid using Windows on a profile with admin privileges.
• Use trusted cyber security solutions to prevent malicious files from launching.
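Added example, not from Kaspersky's report: a defender-side check for a browser proxy that was set without the user's knowledge, the behaviour described above. The page does not say how BrowserVenom applies the proxy; the Firefox `network.proxy.*` preferences and the Chromium `--proxy-server` / `--proxy-pac-url` switches checked here are standard browser settings chosen as assumptions, and `APPROVED_PROXIES` and all sample inputs are constructed.

```python
import re

# Assumption: the proxies your organisation legitimately uses; all else is flagged.
APPROVED_PROXIES = {"proxy.corp.example:8080"}

FIREFOX_PREF = re.compile(r'user_pref\("(network\.proxy\.[a-z_.]+)",\s*(.+?)\);')
CHROMIUM_SWITCH = re.compile(r'--(proxy-server|proxy-pac-url)="?([^"\s]+)"?')

def firefox_proxy_findings(prefs_text):
    """Flag manual-proxy settings in the text of a Firefox prefs.js or user.js."""
    prefs = {k: v.strip('"') for k, v in FIREFOX_PREF.findall(prefs_text)}
    if prefs.get("network.proxy.type") != "1":   # 1 = manual proxy configuration
        return []
    findings = []
    for key in ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks"):
        host = prefs.get(key)
        if not host:
            continue
        endpoint = f"{host}:{prefs.get(key + '_port', '?')}"
        if endpoint not in APPROVED_PROXIES:
            findings.append((key, endpoint))
    return findings

def chromium_proxy_findings(command_line):
    """Flag proxy switches in a Chromium-based browser's launch command line."""
    findings = []
    for switch, value in CHROMIUM_SWITCH.findall(command_line):
        endpoint = re.sub(r"^[a-z0-9]+://", "", value)   # drop a scheme such as http://
        if endpoint not in APPROVED_PROXIES:
            findings.append((switch, endpoint))
    return findings

# Constructed sample inputs (203.0.113.0/24 is a documentation address range).
SAMPLE_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.7");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "203.0.113.7");
user_pref("network.proxy.ssl_port", 8080);
'''
SAMPLE_SHORTCUT = r'"C:\Program Files\Browser\browser.exe" --proxy-server="203.0.113.7:8080"'
CLEAN_SHORTCUT = r'"C:\Program Files\Browser\browser.exe" --proxy-server=proxy.corp.example:8080'

if __name__ == "__main__":
    for finding in firefox_proxy_findings(SAMPLE_PREFS) + chromium_proxy_findings(SAMPLE_SHORTCUT):
        print("unexpected browser proxy:", finding)
```

Feed it the contents of each Firefox profile's preference files and the target strings of browser shortcuts or process command lines collected from the endpoint.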
Related Articles


Gulf Insider
a day ago
Nearly Half Of Saudis Spend Over Seven Hours Online Daily
Nearly half of Saudi Arabia's internet users, approximately 48.6 percent, spend seven hours or more online each day, according to the Saudi Internet 2024 report released by the Kingdom's Communications, Space and Technology Commission last week. The report highlights a sharp rise in the consumption of digital content and e-services, driven by the country's broader digital transformation agenda. The data shows that peak internet usage occurs between 9pm and 11pm, with March recording the highest overall usage levels throughout the year. Saturdays were found to be the most internet-active day of the week. Home remains the primary location for internet use, with 87.9 percent of users logging on from their residences. This is followed by internet use during travel, at 79.3 percent, and the workplace, where 41.7 percent of users reported being connected. In terms of devices, mobile phones dominate the digital landscape, with 99.4 percent of users accessing the internet via smartphones. Computers came in second at 50.7 percent, followed by tablets at 37.5 percent. Android holds the lion's share of mobile operating systems, accounting for 55 percent of usage, compared to 45 percent for iOS. Meanwhile, Windows remains the dominant platform for computers, used by 91.1 percent of users, far outpacing Macintosh (7.5 percent) and Linux (1.4 percent).


Biz Bahrain
a day ago
Kaspersky: ChatGPT-Mimicking Cyberthreats Surge 115% in Early 2025, SMBs Increasingly Targeted
In 2025, nearly 8,500 users from small and medium-sized businesses (SMBs) faced cyberattacks where malicious or unwanted software was disguised as popular online productivity tools, Kaspersky reports. Based on the unique malicious and unwanted files observed, the most common lures included Zoom and Microsoft Office, with newer AI-based services like ChatGPT and DeepSeek being increasingly exploited by attackers. Kaspersky has released threat analysis and mitigation strategies to help SMBs respond.
Kaspersky analysts explored how frequently malicious and unwanted software is disguised as legitimate applications commonly used by SMBs, using a sample of 12 online productivity apps. In total, Kaspersky observed more than 4,000 unique malicious and unwanted files disguised as popular apps in 2025.
With the growing popularity of AI services, cybercriminals are increasingly disguising malware as AI tools. The number of cyberthreats mimicking ChatGPT increased by 115% in the first four months of 2025 compared to the same period last year, reaching 177 unique malicious and unwanted files. Another popular AI tool, DeepSeek, accounted for 83 files. This large language model launched in 2025 immediately appeared on the list of impersonated tools.
'Interestingly, threat actors are rather picky in choosing an AI tool as bait. For example, no malicious files mimicking Perplexity were observed. The likelihood that an attacker will use a tool as a disguise for malware or other types of unwanted software directly depends on the service's popularity and hype around it. The more publicity and conversation there is around a tool, the more likely a user will come across a fake package on the internet. To be on the safe side, SMB employees – as well as regular users – should exercise caution when looking for software on the internet or coming across too-good-to-be-true subscription deals. Always check the correct spelling of the website and links in suspicious emails. In many cases these links may turn out to be phishing or a link that downloads malicious or potentially unwanted software', says Vasily Kolesnikov, security expert at Kaspersky.
Another cybercriminal tactic to look for in 2025 is the growing use of collaboration platform brands to trick users into downloading or launching malware. The number of malicious and unwanted software files disguised as Zoom increased by nearly 13% in 2025, reaching 1,652, while such names as 'Microsoft Teams' and 'Google Drive' saw increases of 100% and 12%, respectively, with 206 and 132 cases. This pattern likely reflects the normalization of remote work and geographically distributed teams, which has made these platforms integral to business operations across industries.
Among the analyzed sample, the highest number of files mimicked Zoom, accounting for nearly 41% of all unique files detected. Microsoft Office applications remained frequent targets for impersonation: Outlook and PowerPoint each accounted for 16%, Excel for nearly 12%, while Word and Teams made up 9% and 5%, respectively.
[Figure: Share of unique files with names mimicking the popular legitimate applications in 2024 and 2025]
The top threats targeting small and medium businesses in 2025 included downloaders, trojans and adware.
Phishing and Spam
Apart from malware threats, Kaspersky continues to observe a wide range of phishing and scam schemes targeting SMBs. Attackers aim to steal login credentials for various services — from delivery platforms to banking systems — or manipulate victims into sending them money through deceptive tactics. One example is a phishing attempt targeting Google Accounts. Attackers promise potential victims to increase sales by advertising their company on X, with the ultimate goal to steal their credentials.
Beyond phishing, SMBs are flooded with spam emails. Not surprisingly, AI has also made its way into the spam folder — for example, with offers for automating various business processes. In general, Kaspersky observes phishing and spam offers crafted to reflect the typical needs of small businesses, promising attractive deals on email marketing or loans, offering services such as reputation management, content creation, or lead generation, and more. Learn more about the cyber threat landscape for SMBs on Securelist.
To mitigate threats targeting businesses, their owners and employees are advised to implement the following measures:
● Use specialized cybersecurity solutions that provide visibility and control over cloud services (e.g., Kaspersky Next).
● Define access rules for corporate resources such as email accounts, shared folders, and online documents.
● Regularly back up important data.
● Establish clear guidelines for using external services. Create well-defined procedures for implementing new software with the involvement of IT and other responsible managers.


Syyaha
4 days ago
ManageEngine Launches MSP Central: A Platform Built for Strengthening Modern MSP Infrastructure
RIYADH, Saudi Arabia – 25th June, 2025 — ManageEngine, a division of Zoho Corporation and a leading provider of enterprise IT management solutions, today announced the launch of MSP Central—a unified platform designed to help MSPs streamline service delivery, device management, threat protection, and infrastructure monitoring from a single focuses on addressing specific operational models and business challenges of MSPs, developing tools that support multi-client environments, technician efficiency, and service scalability. MSP Central brings together these capabilities into a unified platform tailored to how MSPs deliver and manage IT services today.
Meeting the Evolving Needs of MSPs
With the global managed services market projected to reach $511 billion by 2029, MSPs are facing mounting pressure to scale operations without compromising service quality so as to offer a strategic value to customers and differentiate from the competition.
'We had technicians switching between multiple consoles just to resolve a single client incident—a real drag on time and ticket volume,' said Edgar Martínez, business manager at 'EvolutionIT' from Chile, an early adopter of MSP Central. 'We were looking for a tool that could bring together everything our team needs without adding complexity or locking us into a rigid stack.'
MSP Central directly addresses this fragmentation by offering a unified platform to manage day-to-day operations across clients—from technician workflows and asset visibility to endpoint protection and network health monitoring. Its modular, cloud-native architecture supports native multi-tenancy, fine-grained role-based access control, and seamless integrations with both Zoho apps and third-party tools. This gives MSPs the flexibility to adopt only the modules they need and expand at their own pace.
Features Designed to Support MSP Operations
'With MSP Central, we're bringing together the best of ManageEngine's proven IT management and security capabilities in a platform designed from the ground up for MSPs,' said Mathivanan Venkatachalam, vice president at ManageEngine. 'While each of these modules stands strong on its own, together they form a truly unified platform—delivering a single, connected experience for service providers. This approach lets MSPs consolidate their operations, eliminate tool sprawl, and enable their teams to work more efficiently and effectively—all from a unified console.'
The platform includes the following capabilities:
• Modular architecture: Adopt only the components required—no bundling or mandatory licensing.
• Remote monitoring and management (RMM): Manage devices across clients with patching, asset visibility, and proactive remediation in a multi-tenant setup.
• Professional services automation (PSA): Integrate ticketing, contract management, SLAs, time tracking, and billing in a unified workflow.
• Advanced server monitoring: Monitor infrastructure across Windows, Linux, databases, and virtual systems with automated alerts and deep metrics.
• Endpoint security: Provide comprehensive protection against evolving cyberthreats with vulnerability management, device and application control, anti-ransomware, and browser security.
• AI-powered automation: Accelerate workflows with ticket summarization, sentiment detection, alert correlation, and predictive thresholds.
• Third-party integrations: Connect seamlessly with over 20 tools across IT, security and business ecosystems via open APIs and pre-built connectors.
• Marketplace ready: Built for integration into cloud marketplaces and partner ecosystems.
Looking Ahead
MSP Central marks the foundation of ManageEngine's long-term MSP platform strategy, which supports the full spectrum of managed services. Future enhancements will focus on expanding into adjacent domains like SIEM, privileged access management, and advanced analytics, helping MSPs and MSSPs manage security and compliance alongside operations. The platform will also evolve to support deeper integrations with business applications and partner ecosystems, empowering providers to streamline service delivery end to end.
'Our goal is to give MSPs a platform that adapts to their growth, supports their preferred tools, and eliminates the friction of fragmented systems. We're starting with RMM, PSA, and advanced server monitoring, but this is just the beginning. Our vision is to bring all of ManageEngine's standalone MSP tools together under this platform, delivering depth, flexibility, and scalability that helps providers grow alongside their clients' needs. MSP Central is designed to support MSPs for the long haul,' added and Availability MSP Central is available globally starting today. The platform supports flexible modular pricing so MSPs can pay for only what they need. Start your free trial now at: