We review vendors based on rigorous testing and research, and also take into your and our commission with providers. Some providers are owned by our parent company.

Learn more

Advertising Disclosure

Google Ads Used To Spread Fake DeepSeek Malware

Image by Solen Feyissa, from Unsplash

Google Ads Used To Spread Fake DeepSeek Malware

Reading time: 2 min

Last Updated: Jun 12, 2025

Written by Kiara Fabbri Multimedia Journalist
Fact-Checked by Sarah Frazier Content Manager

Cybersecurity researchers have identified a dangerous new malware campaign, which targets s of the popular AI chatbot DeepSeek-R1.

In a rush? Here are the quick facts:

Fake DeepSeek-R1 websites are spreading malware through Google Ads.
Victims a malicious installer disguised as a chatbot.
Malware installs “BrowserVenom,” which hijacks and monitors web traffic

Cybersecurity researchers at Google Ads to promote a fake version of the site, taking advantage of the model’s popularity to trick s into ing harmful software.

The malicious ad directs s to ‘‘deepseek-platform[.]com’’ – a fake website that mimics the official DeepSeek site. s who click the “Try now” button are presented with a fake CAPTCHA before being asked to what appears to be the DeepSeek installer. The file, named ‘‘AI_Launcher_1.21.exe’’, is actually a sophisticated malware chain.

The installer opens a second fake CAPTCHA, then offers to install known AI tools like Ollama and LM Studio. But in the background, it runs hidden code that begins the infection. First, it tries to by antivirus software by excluding the ’s folder from Windows Defender. Then, it attempts to more malware from another untrustworthy domain.

The final payload, known as BrowserVenom, modifies browser configurations to redirect all web traffic through proxy servers operated by the attackers. This allows them to monitor data and online activities. The malware adds a fake certificate to the system while modifying browser shortcuts and settings in Firefox and Tor.

The researchers note that he attack has already targeted s in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt.

“As we have been reporting, DeepSeek has been the perfect lure for attackers to attract new victims,” researchers said. They warn s to double-check website URLs and certificates before ing software, even from search results, to avoid falling into these traps.

Kiara Fabbri

Written by: Kiara Fabbri

Hi, I’m Kiara Fabbri a Tech News Writer at WizCase. I'm a multimedia journalist with a keen interest in innovative and immersive news storytelling. Fluent in three languages—Italian, English, and Spanish—I'm deeply engaged in all facets of news reporting. I am currently undertaking a Ph.D. exploring VR applications in journalism. Following my studies in psychology (BSc) and political psychology (MSc), I embarked on a three-year journey across South America. During this time, I undertook a 4000 km solo bicycle trip from Chile to Brazil. There, I camped, cooked on the road, and volunteered in various facilities. It was during these travels that I discovered my ion for journalism. Subsequently, I pursued a Master's program in journalism innovation and enterprise. My career in journalism has seen me produce VR immersive experiences covering a range of topics. These include documenting an Anti Militaristic raid of a NATO Base, life in the Brazilian Favelas, the recent violent protest clashes in Buenos Aires and finally social projects run by Skaters in the Argentinian ghettos. In addition to my journalistic endeavours, I also practice parkour, a discipline I have cultivated over several years now. I love to make the most of this skill in my journalistic style; for example, it has enabled me to capture dynamic footage from heights during the recent violent clashes in Buenos Aires. There, I scaled heights and employed a long stick on my camera to create aerial 360° views. Through my dedication to pushing the boundaries of journalism, I am committed to amplifying voices, sparking meaningful conversations, and driving positive change in the world.

Did you like this article? Rate it!

I hated it I don't really like it It was ok Pretty good! Loved it!

We're thrilled you enjoyed our work!

As a valued reader, would you mind giving us a shoutout on Trustpilot? It's quick and means the world to us. Thank you for being amazing!

Rate us on Trustpilot

0 Voted by 0 s

Title

Your email Please enter a valid email address.

Comment

Thanks for your

Please wait 5 minutes before posting another comment.

Comment sent for approval.

Leave a Comment

Show more...

Share &

WizCase is reader-ed so we may receive a commission when you buy through links on our site. You do not pay extra for anything you buy on our site — our commission comes directly from the product owner. Some providers are owned by our parent company. Learn moreWizcase was established in 2018 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, Intego and Private Internet Access which may be ranked and reviewed on this website. The reviews published on Wizcase are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into the technical capabilities and qualities of the product together with its commercial value for s. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article..