New BrowserVenom malware being distributed via fake DeepSeek phishing website
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A new malicious campaign is distributing previously unknown malware through a fake installer for a DeepSeek-R1 LLM environment. The phishing site, promoted through Google Ads, mimics the official DeepSeek homepage. The attack installs BrowserVenom, an implant that forces all browsing traffic through a proxy controlled by the threat actors, enabling network traffic manipulation and data collection. The infection chain involves a fake CAPTCHA, adding the user's folder to the Windows Defender exclusion list, and installing a malicious certificate. BrowserVenom then modifies browser settings across various platforms so that traffic is routed through the attacker's proxy. Infections have been detected globally, with victims in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt.
OPENCTI LABELS:
phishing,malvertising,proxy,llm,deepseek,browser manipulation,browservenom