DeepSeek, the rising Chinese AI company known for its advanced generative reasoning models, has become the latest victim of a growing cybercrime trend: brand impersonation through fake Google ads. DeepSeek gained attention earlier this year with its models DeepSeek-R1-Zero and DeepSeek-R1, and hackers have capitalized on the buzz to target users with infostealing malware hidden behind malicious sponsored links.
It started with fake DeepSeek ads appearing at the top of Google search results. At first glance, the ads may not raise suspicion, but users who click on the links are taken to a cloned website designed to mimic DeepSeek’s official platform. That is where the real danger begins: a single click on the fake download link triggers the download of a Trojan programmed in Microsoft Intermediate Language (MSIL). This malware, known as the Heracles MSIL Trojan, quietly infiltrates the victim’s system and begins stealing sensitive data, with crypto wallets a particular target.
According to Malwarebytes researcher Pieter Arntz, the deceptive nature of these fake DeepSeek ads lies in the URLs. While the ad might look legitimate, a quick glance at the destination address reveals discrepancies from DeepSeek’s actual domain. He also recommended clicking on the three vertical dots beside the URL to view the advertiser’s identity, which could instantly reveal whether the ad is linked to the real brand.
But even these precautions might not be enough. Arntz gave a blunt but effective piece of advice to stay safe: never click on sponsored search results.
DeepSeek Malware Scam Highlights Ongoing Problems with Google Ads
Unfortunately, DeepSeek is far from the only brand being targeted. Malwarebytes researchers, including senior director of research Jérôme Segura, say that Google’s advertising platform continues to be a prime attack vector for malware distribution. The Heracles Trojan itself is believed to have Russian origins and has been seen in multiple campaigns designed to steal data by impersonating well-known platforms.
Segura added that these kinds of malware-laced ads have remained consistent over the past few years. While spikes may occur during large campaigns, the underlying tactic of brand spoofing through paid ads has become disturbingly routine. “At times we see a surge tied to a specific campaign,” Segura said, “but overall, brand impersonation remains an ongoing problem.”
Despite Google’s efforts to clamp down on malicious ads—reportedly removing over 5.5 billion ads and suspending 12.7 million advertiser accounts in 2023—the issue continues. In fact, Arntz pointed out that attackers often manage to outbid real companies in search rankings by pouring money into fake ads, making it more profitable for Google while leaving users vulnerable.
Google has responded, claiming that its systems had already detected the malware campaign related to the DeepSeek impersonation. “Prior to the publication of this report, our systems detected this malware campaign and we suspended the advertiser’s account,” a Google spokesperson told Dark Reading. The tech giant says it has a strict policy against malware-related ads and takes swift action against violators.
Still, the attackers are adapting. Segura explains that cybercriminals keep switching tactics—either by creating new fake accounts or hijacking compromised ones—to keep slipping through Google’s security net. The current consequences, he says, are simply not strong enough to deter these bad actors.
The takeaway for users is clear: even the most advanced AI companies like DeepSeek can become tools in a cybercriminal’s arsenal. With malware scams now hiding in plain sight—at the top of search results—it’s more critical than ever to verify what you’re clicking. Skip the sponsored links, double-check URLs, and when in doubt, go directly to the official site.