Kaspersky detected multiple infections in Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt.
Using CAPTCHA as a throw-off
To add legitimacy to their operation and lower user suspicion, the attackers embedded fake CAPTCHA challenges twice in the attack chain. The first appears when a user clicks the “Try now” button on the malicious DeepSeek download website, triggering a decoy CAPTCHA mimicking standard verification.
Interestingly, the CAPTCHA code does verify if the user is a human. “Clicking this button will take the user to a CAPTCHA anti-bot screen,” researchers noted. “The code for this screen is obfuscated JavaScript, which performs a series of checks to make sure that the user is not a bot.”
