Latest news with #KasperskyGlobalResearch&AnalysisTeam


Biz Bahrain
3 days ago
New malware posing as an AI assistant steals user data
Kaspersky Global Research & Analysis Team researchers have discovered a new malicious campaign that distributes a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs. The previously unknown malware is delivered via a phishing site pretending to be the official DeepSeek homepage, which is promoted via Google Ads. The goal of the attacks is to install BrowserVenom, malware that configures web browsers on the victim's device to channel web traffic through the attackers' servers, allowing them to collect user data such as credentials and other sensitive information. Multiple infections have been detected in Brazil, Cuba, Mexico, India, Nepal, South Africa and Egypt.

DeepSeek-R1 is one of the most popular LLMs right now, and Kaspersky has previously reported attacks with malware mimicking it to attract victims. DeepSeek can also be run offline on PCs using tools like Ollama or LM Studio, and the attackers used this in their campaign. Users were directed to a phishing site mimicking the address of the original DeepSeek platform via Google Ads, with the link showing up in the ad when a user searched for 'deepseek r1'.

Once the user reached the fake DeepSeek site, a check was performed to identify the victim's operating system. If it was Windows, the user was presented with a button to download the tools for working with the LLM offline. Other operating systems were not targeted at the time of research. After clicking on the button and passing the CAPTCHA test, a malicious installer file was downloaded and the user was presented with options to download and install Ollama or LM Studio. If either option was chosen, malware was installed on the system alongside the legitimate Ollama or LM Studio installers, bypassing Windows Defender's protection with a special algorithm. This procedure also required administrator privileges for the user profile on Windows; if the user profile did not have these privileges, the infection would not take place.
After the malware was installed, it configured all web browsers on the system to forcefully use a proxy controlled by the attackers, enabling them to spy on sensitive browsing data and monitor the victim's browsing activity. Because of its enforcing nature and malicious intent, Kaspersky researchers have dubbed this malware BrowserVenom.

'While running large language models offline offers privacy benefits and reduces reliance on cloud services, it can also come with substantial risks if proper precautions aren't taken. Cybercriminals are increasingly exploiting the popularity of open-source AI tools by distributing malicious packages and fake installers that can covertly install keyloggers, cryptominers, or infostealers. These fake tools compromise a user's sensitive data and pose a threat, particularly when users have downloaded them from unverified sources,' comments Lisandro Ubiedo, Security Researcher with Kaspersky's Global Research & Analysis Team.

To avoid such threats, Kaspersky recommends:
• Check the addresses of websites to verify that they are genuine and avoid scams.
• Download offline LLM tools only from official sources (e.g.,
• Avoid using Windows on a profile with admin privileges.
• Use trusted cyber security solutions to prevent malicious files from launching.
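The article describes BrowserVenom only at a high level: it forces the system's browsers to route traffic through an attacker-controlled proxy. A defender reviewing a suspected machine would therefore want to inspect the browsers' proxy configuration for a manual proxy pointing at a host outside the local network. The following added example (not Kaspersky's code, and not based on any published BrowserVenom indicator) illustrates that check on two common places such settings live: Firefox `user.js`/`prefs.js` entries and the WinINET `ProxyEnable`/`ProxyServer` values that Internet Explorer, Edge and Chrome honour by default. The sample prefs, the WinINET values and the 203.0.113.45 address (a documentation-range IP) are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: Firefox user.js lines as they might look after a
# manual proxy has been forced on the profile (hypothetical values).
SAMPLE_USER_JS = """
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.45");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "203.0.113.45");
user_pref("network.proxy.ssl_port", 8080);
"""

# Constructed sample of WinINET proxy values as exported from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (hypothetical).
SAMPLE_WININET = {
    "ProxyEnable": 1,
    "ProxyServer": "http=203.0.113.45:8080;https=203.0.113.45:8080",
}

# Address ranges that are normal for a corporate or home proxy; anything else is
# worth a second look. Defined explicitly rather than via ipaddress.is_private,
# because Python counts the 203.0.113.0/24 documentation range as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_user_js(text: str) -> Dict[str, str]:
    """Return Firefox user_pref() entries as a name -> value mapping (quotes stripped)."""
    prefs: Dict[str, str] = {}
    for m in PREF_RE.finditer(text):
        prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def is_external_host(host: str) -> bool:
    """True if the proxy host is not loopback/RFC1918; hostnames are flagged for review."""
    host = host.strip()
    if host in ("", "localhost"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name: cannot classify offline, surface it
    return not any(ip in net for net in INTERNAL_NETS)


def firefox_findings(user_js_text: str) -> List[str]:
    """Flag manual proxies (network.proxy.type == 1) that point outside the local network."""
    prefs = parse_user_js(user_js_text)
    findings: List[str] = []
    if prefs.get("network.proxy.type") != "1":
        return findings
    for proto in ("http", "ssl", "socks"):
        host = prefs.get(f"network.proxy.{proto}")
        if host and is_external_host(host):
            port = prefs.get(f"network.proxy.{proto}_port", "?")
            findings.append(f"firefox: manual {proto} proxy to external host {host}:{port}")
    return findings


def wininet_findings(values: dict) -> List[str]:
    """Flag an enabled WinINET proxy whose ProxyServer entries point outside the local network."""
    findings: List[str] = []
    if str(values.get("ProxyEnable", 0)) != "1":
        return findings
    for entry in str(values.get("ProxyServer", "")).split(";"):
        if not entry:
            continue
        scheme, _, hostport = entry.partition("=")
        if not hostport:               # single "host:port" form applies to all schemes
            scheme, hostport = "all", scheme
        host = hostport.rsplit(":", 1)[0]
        if is_external_host(host):
            findings.append(f"wininet: {scheme} proxy to external host {hostport}")
    return findings


if __name__ == "__main__":
    for line in firefox_findings(SAMPLE_USER_JS) + wininet_findings(SAMPLE_WININET):
        print(line)
```

On a live Windows host the WinINET values would come from `reg query` or the `winreg` module and the Firefox prefs from each profile directory; the functions above take the already-read content so they can be exercised offline. A proxy pointing at a corporate address will not be flagged, so the check reports only configurations that need an analyst's attention.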


Biz Bahrain
6 days ago
Kaspersky discovers multiple IoT devices targeted with a new Mirai botnet version
Kaspersky Global Research & Analysis Team (GReAT) researchers have found multiple IoT devices targeted with a new version of the Mirai botnet. The majority of attacked devices were located in China, Egypt, India, Brazil, Turkiye and Russia. Mirai remains one of the top threats to IoT in 2025 due to widespread exploitation of weak login credentials and unpatched vulnerabilities, enabling large-scale botnets for DDoS attacks, data theft and other malicious activities. According to Kaspersky research, there were 1.7 billion attacks on IoT devices (including those made with Mirai) coming from 858,520 devices globally in 2024. 45,708 attacks on IoT devices (including those made with Mirai) were launched from the UAE in 2024, which is 54% more than in 2023.

To explore IoT attacks, how such attacks are carried out and how to prevent them, Kaspersky set up so-called honeypots – decoy devices used to attract the attention of attackers and analyze their activities. In the honeypots Kaspersky detected the exploitation of the CVE-2024-3721 vulnerability to deploy a bot, which turned out to be a Mirai botnet modification. A botnet is a network of compromised devices infected by malware to perform coordinated malicious activities under the control of an attacker.

This time, the focus of the attacks was digital video recorders (DVRs). These devices are integral to security and surveillance across multiple sectors: they record footage from cameras to monitor homes, retail stores, offices and warehouses, as well as factories, airports, train stations and educational institutions, to enhance public safety and secure critical infrastructure. Attacks on DVR devices can compromise privacy, but beyond that, they can serve as entry points for attackers to infiltrate broader networks, spreading malware and creating botnets to launch DDoS attacks, as seen with Mirai.
The discovered DVR bot includes mechanisms to detect and evade virtual machine (VM) environments or emulators commonly used by security researchers to analyze malware. These techniques help the bot avoid detection and analysis, allowing it to operate more stealthily and remain active on infected devices.

'The source code of the Mirai botnet was shared on the internet nearly a decade ago, and since then, it has been adapted and modified by various cybercriminal groups to create large-scale botnets mostly focused on DDoS and resource hijacking. Exploiting known security flaws in IoT devices and servers that haven't been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect. By analyzing public sources we identified over 50,000 exposed DVR devices online, indicating that attackers have numerous opportunities to target unpatched, vulnerable devices,' comments Anderson Leite, Security Researcher with Kaspersky's GReAT.

To reduce the risk of IoT device infection, users should:
• Change default credentials and use strong, unique passwords.
• Regularly update DVR firmware to patch known vulnerabilities.
• Disable remote access if unnecessary, or use secure VPNs for management.
• Segment DVRs on isolated networks.
• Monitor for unusual network traffic to detect potential compromises.

Read more about the latest Mirai wave at