A new malvertising campaign is targeting users searching for DeepSeek, a widely used AI tool. The attackers place fake sponsored ads at the top of Google search results, imitating official DeepSeek links but redirecting users to harmful websites.
These fake websites are designed to look nearly identical to the real DeepSeek platform. When users attempt to download the software, they are served a Trojan written in Microsoft Intermediate Language (MSIL), making it capable of running on different platforms, including macOS.
The malware, detected by AI-based systems as “Malware.AI.1323738514,” communicates with command-and-control servers through persistent network requests. Its presence indicates a highly organized campaign with a focus on social engineering.
One of the fake domains used in the attack is “deepseek-ai-soft.com.” The site includes visuals and text mimicking real AI tools, promoting features like “DeepSeek-R1” and slogans comparing it to other well-known models to encourage downloads.
Network analysis shows that the malware uses a structured communication method with remote servers, such as:
A related campaign used the domain “deepseakr.com” and was associated with ads from Hebrew-language publishers, pointing to multiple approaches or regional targeting.
Users are advised to avoid clicking on sponsored search results, use ad-blockers, and access trusted platforms directly via known URLs to reduce exposure to similar threats.
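A defender-side check for the two lookalike patterns named above (the brand embedded in a longer name, as in deepseek-ai-soft.com, and a near-miss spelling, as in deepseakr.com), run over web proxy log lines. This is an added example, not part of the original report; the log format, the sample lines, the `OFFICIAL` allowlist and the edit-distance threshold are assumptions.

```python
from urllib.parse import urlsplit

BRAND = "deepseek"
OFFICIAL = {"deepseek.com"}  # assumption: registrable domain treated as legitimate
MAX_DIST = 1                 # assumption: one edit away from the brand is a typo

# Constructed sample proxy log: timestamp, client, method, URL
SAMPLE_LOG = """\
2025-01-01T10:00:01Z 10.0.0.5 GET https://chat.deepseek.com/
2025-01-01T10:00:07Z 10.0.0.8 GET https://deepseek-ai-soft.com/
2025-01-01T10:00:09Z 10.0.0.8 GET https://deepseakr.com/
2025-01-01T10:00:12Z 10.0.0.9 GET https://example.org/
"""

def edit_distance(a, b):
    """Levenshtein distance, keeping only the previous row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return official, brand-embedded, typo-lookalike or unrelated.
    Uses a naive last-two-labels registrable domain; a real deployment
    would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in OFFICIAL:
        return "official"
    n = len(BRAND)
    for label in labels[:-1]:  # every label except the TLD
        if BRAND in label:
            return "brand-embedded"
        # Slide a brand-sized window so extra characters do not hide a typo.
        windows = [label[i:i + n] for i in range(max(1, len(label) - n + 1))]
        if any(edit_distance(w, BRAND) <= MAX_DIST for w in windows):
            return "typo-lookalike"
    return "unrelated"

def flag_lookalikes(log_text):
    """Return (client, host, verdict) for each request to a lookalike host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        verdict = classify(urlsplit(parts[3]).hostname or "")
        if verdict not in ("official", "unrelated"):
            hits.append((parts[1], urlsplit(parts[3]).hostname, verdict))
    return hits
```

A low threshold keeps false positives down but misses lookalikes that are two or more edits away; hits are leads for review, not verdicts.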