Weaponized Google Ads Targeting DeepSeek Users with Malware

28.03.2025

Cybercriminals have launched an advanced attack campaign leveraging Google’s sponsored search results to distribute malware to users searching for DeepSeek, a rising AI platform. These attackers create deceptive advertisements that mimic legitimate DeepSeek ads, tricking users into visiting malicious websites designed to deliver malware.

When users search for DeepSeek on Google, they may encounter fraudulent sponsored results that appear credible at first glance. These ads redirect victims to fake websites closely resembling the official DeepSeek platform, where download buttons deliver a Trojan written in Microsoft Intermediate Language (MSIL), potentially affecting both Windows and macOS users.

Malwarebytes researchers identified the malicious payload as “Malware.AI.1323738514” using their AI-powered detection system. The attackers seem to be outbidding legitimate advertisers for top placement in Google’s search results, suggesting a highly profitable operation.

Further analysis revealed that the malware communicates with command-and-control servers via persistent network connections. Researchers also discovered similar campaigns using different fake domains, indicating a broader strategy targeting AI-related searches.

To mitigate risks, security experts recommend avoiding sponsored search results when downloading software and using ad-blockers to prevent exposure to such deceptive malvertising campaigns.