New BrowserVenom malware being distributed via fake DeepSeek phishing website
Essential information
- Published
- 11/06/2025 15:14
- Modified
- 11/06/2025 16:45
- Tags
- 2025-06-11 browser manipulation browservenom deepseek llm malvertising phishing proxy
- Related entities
- 1 vulnerabilities (cve), 7 observables, 6 techniques (mitre), 1 malware, 8 others
Description
A new malicious campaign is distributing previously unknown malware through a fake DeepSeek-R1 LLM environment installer. The phishing site, promoted via Google Ads, mimics the official DeepSeek homepage. The attack installs BrowserVenom, an implant that forces all browsing traffic through a proxy controlled by threat actors, enabling network traffic manipulation and data collection. The infection process involves a fake CAPTCHA, exclusion of the user's folder from Windows Defender, and installation of a malicious certificate. BrowserVenom modifies browser settings across various platforms to route traffic through the attacker's proxy. Infections have been detected globally, with victims in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt.