
Cybercriminals are exploiting DeepSeek’s growing popularity by distributing malware through fake sponsored Google ads, according to a Malwarebytes report [1]. The campaign impersonates DeepSeek’s branding to deliver an MSIL-based Trojan (detected as Malware.AI.1323738514) via malicious landing pages. This tactic capitalizes on users searching for the AI tool, highlighting the persistent abuse of search engine advertising for malware distribution.
Campaign Mechanics
The attackers register fake ads under Hebrew advertiser names like “תמיר כץ”, mimicking DeepSeek’s visual identity but with subtle discrepancies [1]. Clicking these ads redirects users to a fraudulent DeepSeek clone site that delivers the payload. Security researchers note the ads appear in Google’s sponsored results section, leveraging the platform’s credibility to bypass initial scrutiny [3].
Malwarebytes provided comparative screenshots of the fake versus legitimate ads, showing:
- Identical DeepSeek logos and color schemes
- Mismatched advertiser URLs (e.g., deepseek-ai[.]com vs official domains)
- Hebrew text in advertiser profiles, unusual for an international AI service
Technical Indicators
The Trojan exhibits standard information-stealing capabilities, including credential harvesting and persistence mechanisms. Analysis reveals it uses:
| Component | Details |
|---|---|
| Delivery Vector | Fake Google Ads → Compromised landing page |
| Payload Type | MSIL-based Trojan (Malware.AI.1323738514) |
| Detection Rate | Low initial detection due to rapid obfuscation changes |
Mitigation Strategies
Security teams should implement these countermeasures:
“Users should avoid clicking sponsored results for software downloads and instead navigate directly to official domains or app stores,” recommends Malwarebytes researcher Jérôme Segura [1].
Additional recommendations include:
- Deploy ad-blockers like Malwarebytes Browser Guard
- Train users to identify sponsored result indicators (e.g., “Ad” labels)
- Monitor for connections to known malicious domains associated with the campaign
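Detection logic for the last recommendation, as an added example that is not taken from the Malwarebytes report or any of the cited sources: it scans constructed proxy log lines and flags hosts that invoke the DeepSeek brand but are not on an allowlist of official domains. The allowlist, the log format and the digit-for-letter substitution table are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of legitimate DeepSeek domains (not from the article);
# an operator would replace this with the organisation's own verified list.
OFFICIAL_DOMAINS = {"deepseek.com"}
BRAND = "deepseek"
# Heuristic normalisation of common digit-for-letter substitutions (assumed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for the .com/.net names here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_brand_lookalike(host: str) -> bool:
    """True when the host invokes the brand name but is not on the allowlist."""
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return False
    return BRAND in reg.translate(HOMOGLYPHS)

# Constructed sample proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2025-03-26T10:01:02Z 10.0.0.15 GET https://www.deepseek.com/ 200
2025-03-26T10:04:17Z 10.0.0.15 GET https://deepseek-ai.com/download 200
2025-03-26T10:04:19Z 10.0.0.15 GET https://cdn.deepseek-ai.com/setup.exe 200
2025-03-26T10:05:44Z 10.0.0.22 GET https://example.org/ 200
2025-03-26T10:07:03Z 10.0.0.31 GET https://d33ps33k.net/app 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def find_lookalike_hits(log_text: str) -> list[dict]:
    """Return one record per log line whose host looks like a brand impersonation."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        if is_brand_lookalike(host):
            hits.append({"time": ts, "client": client, "host": host, "url": url})
    return hits

if __name__ == "__main__":
    for hit in find_lookalike_hits(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} ({hit['url']})")
```

Hits from this check are a triage lead, not a verdict: a newly registered lookalike domain with an executable download is worth blocking and investigating, while a partner or CDN host should be added to the allowlist.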
Broader Implications
This campaign follows a pattern of abusing trending technologies in malicious ads, similar to recent attacks targeting ChatGPT and Bard users [4]. The operational tempo suggests an established threat actor group rather than opportunistic attackers, with Security Affairs noting the campaign’s sustained volume despite low technical sophistication [2].
Google’s ad review systems appear insufficient to catch these impersonations before they reach users. Organizations should consider blocking sponsored search results at the network level for high-risk queries involving software downloads.
References
1. “DeepSeek users targeted with fake sponsored Google ads that deliver malware,” Malwarebytes Blog, Mar. 26, 2025.
2. “Crooks target DeepSeek users with fake sponsored Google ads to deliver malware,” SecurityAffairs, Mar. 27, 2025.
3. “Fake DeepSeek Ads Spread Malware to Google Users,” Dark Reading, Mar. 28, 2025.
4. “Malware Distributed via Fake DeepSeek Ads on Google,” SC Media, Mar. 27, 2025.