A growing number of websites claiming to offer downloads of new-kid-on-the-block LLM DeepSeek are deceiving users into inadvertently installing malware, according to cybersecurity experts at McAfee Labs.
The malicious files, masquerading as legitimate DeepSeek software, are being promoted through deceptive installers named ‘DeepSeek-R1.Leaked.Version.exe’ or ‘DeepSeek-VL2.Developer.Edition.exe’, but their true purpose is far more sinister.
Once downloaded, these files connect the user’s system to remote servers controlled by cybercriminals, paving the way for a ‘cocktail’ of malicious software.
This includes keyloggers, password stealers, and even coin miners that silently exploit the victim’s computer resources for illicit cryptocurrency mining.
A keylogger is a form of malware capable of recording every keystroke made by the user, allowing attackers to capture sensitive information such as passwords, credit card details, and personal communications.
Meanwhile, coin miners hijack the processing power of a victim’s machine to mine cryptocurrency, causing the computer to slow down significantly, all while enriching the attacker at the user’s expense.
The popularity of DeepSeek—an AI from China touted for its cost-efficiency and ability to run on less advanced chips than ChatGPT—has fuelled a surge in these scams as cybercriminals seek to exploit eager users.
In a further effort to deceive victims, these fraudulent websites have become more sophisticated, employing fake CAPTCHA puzzles to convince users of their legitimacy.
They also use additional tactics, such as tricking users into pasting secret commands into the Windows Run dialogue; these commands disable antivirus protections and enable malware installation.
McAfee Labs experts advise users to always verify before downloading by sticking to official websites and double-checking before they click the download button.