Kaspersky publishes their SMB threat report every year around International SMB Day. This year's edition landed on June 25th, and the AI section stopped us cold.
Between January and April 2026, Kaspersky detected 33,352 attacks on small business users where the malware was disguised as a popular AI tool. That's nearly five times the number from the same period in 2025. Over 1,100 unique malware samples were involved.
The tools being faked: ChatGPT, DeepSeek, Grok, Gemini. The exact tools your employees are curious about and actively searching for.
This isn't a sophisticated enterprise attack. It's a trap that catches someone who Googles "DeepSeek Windows app download" on a Tuesday afternoon.
What's actually happening
There's no single campaign here — it's a category of attack that's exploded because the conditions are perfect.
AI tools are everywhere right now. Every employee has heard about them, many want to try them, and most orgs don't have a clear approved list of what's sanctioned. So employees do what employees do: they search Google.
Criminals have set up hundreds of sites that look exactly like the official ChatGPT, DeepSeek, and Grok pages. Same branding, same copy, same "Download for Windows" button. Some of them run Google Ads so they sit above the organic results. The user clicks download, gets a .exe or .msi installer built with Inno Setup, runs it — and something happens that looks exactly like an install completing.
What's actually happening: the installer phones home to an attacker-controlled server, pulls down a second-stage payload, and quietly runs it in the background. From there the paths diverge depending on which malware family is involved.
Kaspersky's research documented several. Vidar Infostealer goes after browser-saved passwords, session cookies, autofill data, and cryptocurrency wallet files. BrowserVenom routes all browser traffic through an attacker-controlled server — they can read everything you send or receive, in plaintext, for as long as the infection runs. Heracles MSIL targets banking data specifically alongside browser credentials. Some variants skip the infostealing and go straight to enabling remote access: they activate the Windows SSH service and install the attacker's keys, so the machine is available to them whenever they want it.
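For the remote-access variants just described, one check is to list every SSH key a Windows machine will accept and compare it with the keys your org actually issued. The script below is an added example, not code from Kaspersky's report; it assumes the default Windows OpenSSH key locations, and the `APPROVED` set is a placeholder you fill in yourself.

```python
import base64
import hashlib
from pathlib import Path

APPROVED = set()  # fill with fingerprints of keys your org actually issued
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_files(users_dir=r"C:\Users", program_data=r"C:\ProgramData"):
    """Default Windows OpenSSH locations: shared admin file plus per-user files."""
    files = [Path(program_data) / "ssh" / "administrators_authorized_keys"]
    files += sorted(Path(users_dir).glob("*/.ssh/authorized_keys"))
    return [f for f in files if f.is_file()]


def fingerprint(blob_b64):
    """SHA256 fingerprint in the format `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keys(text):
    """Yield (key_type, fingerprint, comment) for every key line in the file."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An options field may precede the key type, so find the type by prefix.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_PREFIXES):
                try:
                    fp = fingerprint(fields[i + 1])
                except ValueError:
                    continue  # looked like a key type, but no valid blob follows
                yield field, fp, " ".join(fields[i + 2:])
                break


def unapproved_keys(text, approved=APPROVED):
    """Return the keys in an authorized_keys file that are not on the approved list."""
    return [k for k in parse_keys(text) if k[1] not in approved]


if __name__ == "__main__":
    for path in key_files():
        for key_type, fp, comment in unapproved_keys(path.read_text(errors="replace")):
            print(f"REVIEW {path}: {key_type} {fp} {comment}")
```

Run it from an elevated prompt so other users' profile folders are readable. On a machine where nobody is supposed to be using SSH, any key it prints, or an `sshd` service that is running at all, is worth investigating.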
The timeline is also worth noting. Within 45 minutes of DeepSeek previewing its V4 model in March, attackers had already spun up a fake GitHub organization with stolen DeepSeek branding and were distributing Vidar installers. The lure goes up before most users have even heard about the legitimate release.
Why small orgs are the specific target here
There's a gap that this attack perfectly exploits. Large enterprises have software procurement controls. Before a new tool shows up on a work machine, it's gone through at least nominal IT review. That friction is annoying for employees, but it's the exact thing that stops someone from installing a malicious ChatGPT clone at noon on a Wednesday.
Small orgs don't have that. A 20-person nonprofit or a 35-person engineering firm doesn't have an IT team reviewing software installs. They have whoever handles the Google Workspace account, probably part-time, probably not looking at endpoint activity.
And right now, employees are moving fast on AI. It's not a small number of technically-curious people anymore — it's program coordinators, finance staff, communications leads, operations people. They've all seen AI tools in their LinkedIn feeds, they want to try them, and they're not waiting for IT approval that doesn't exist.
The math is simple: motivated employees, no guardrails, new tools launching constantly that generate Google search traffic, and attackers who can set up a convincing fake site in an afternoon. The 5x jump in attack volume isn't because criminals got smarter. It's because the attack surface grew.
The Chrome extension angle is worse than it looks
Separate from the installer malware, Kaspersky's data covers another category: browser extensions that impersonate AI tools. Two specific extensions this year collectively had over 900,000 installs before they were caught. They presented as legitimate ChatGPT and DeepSeek productivity tools. They requested permission for "anonymous analytics." What they actually did: exfiltrate the full content of every AI conversation the user had, plus tab URLs, to a remote server every 30 minutes.
If your employees are using AI to draft grant proposals, summarize donor calls, write internal strategy documents, or process client data — and they have a malicious extension installed — that content has been leaving your org continuously for however long the extension was installed.
Extensions are particularly hard to catch because they're not traditional software. Most endpoint security tools focus on executables, not browser add-ons. And the permissions model for extensions is built around vague categories that users approve without reading.
What to do
Set a policy on AI tool sources before the next install happens. This doesn't require a committee or a lengthy governance process. A single message to your team this week: "Here are the approved AI tools and exactly how to access them. For ChatGPT: chatgpt.com in your browser, not an app you download. For Grok: grok.com. For DeepSeek: chat.deepseek.com. If you want to try something not on this list, ask first." That message prevents most of what this report is documenting.
Get specific about what "official" means for each tool. ChatGPT has an official app on the iOS App Store and Google Play for mobile. For desktop, the web version is the right answer — there is no official standalone ChatGPT Windows installer from OpenAI. DeepSeek is browser-based. Grok is browser-based. If someone is downloading a .exe installer for any of these tools from a website, that should be a stop sign.
Audit installed browser extensions, today. Go to chrome://extensions and look at what's installed. For each extension: who made it, how many users does it actually have (check the Chrome Web Store, not the extension itself), when was it last updated, what permissions does it have. Remove anything your team can't account for. This takes 20 minutes and the risk surface it eliminates is significant.
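To run the same audit across more than a handful of machines, the installed extensions can be read straight from the Chrome profile on disk. This is an added example, not a tool from Kaspersky's report; which host patterns and permissions count as worth reviewing (`BROAD_HOSTS`, `SENSITIVE_PERMS`) is this example's own assumption, and it only covers the profile folder you point it at.

```python
import json
import os
import sys
from pathlib import Path

# Host patterns that let an extension read every page, AI chat sessions included.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose tab URLs, cookies, history or page content.
SENSITIVE_PERMS = {"tabs", "webRequest", "cookies", "history", "scripting"}


def audit_extensions(user_data_dir):
    """Return one record per installed extension version, broadest access first."""
    findings = []
    # Layout: <User Data>/<profile>/Extensions/<extension id>/<version>/manifest.json
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        perms = [p for p in data.get("permissions", []) if isinstance(p, str)]
        hosts = set(data.get("host_permissions", []))
        hosts.update(p for p in perms if "://" in p or p == "<all_urls>")  # MV2 style
        for script in data.get("content_scripts", []):
            hosts.update(script.get("matches", []))
        findings.append({
            "id": manifest.parent.parent.name,  # look this ID up in the Chrome Web Store
            "profile": manifest.parts[-5],
            "name": data.get("name", "?"),  # may be a __MSG_...__ locale placeholder
            "version": data.get("version", "?"),
            "broad_hosts": sorted(hosts & BROAD_HOSTS),
            "sensitive": sorted(SENSITIVE_PERMS.intersection(perms)),
        })
    findings.sort(key=lambda f: (not f["broad_hosts"], -len(f["sensitive"]), f["id"]))
    return findings


if __name__ == "__main__":
    # Default Chrome location on Windows; pass another "User Data" path as argv[1].
    default = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data"
    for f in audit_extensions(sys.argv[1] if len(sys.argv) > 1 else default):
        flag = "REVIEW" if f["broad_hosts"] or f["sensitive"] else "ok"
        print(f"{flag:6} {f['profile']} {f['id']} {f['name']} {f['version']} "
              f"hosts={f['broad_hosts']} perms={f['sensitive']}")
```

A REVIEW flag is a prompt to look the extension ID up in the Chrome Web Store, not a verdict: plenty of legitimate extensions ask for broad access, which is exactly why the publisher and user count still need a human check.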
Watch for the "new release" trap. The Vidar campaign that spun up within 45 minutes of DeepSeek V4's announcement is a pattern you'll see again. Every high-profile AI launch is now an attack opportunity within the hour. When a new model makes headlines and employees start asking how to try it, that's the moment to slow down and wait for the official channel rather than grabbing the first result on Google.
Consider locking down installer execution for non-admin users. On Windows, standard user accounts can't run installers that require elevated privileges without admin approval. If your employees are running as local admins — which is common in small orgs because it's easier — that's a configuration change worth making. Users can do their work without admin rights. What they can't do without admin rights is accidentally install malware.
The pattern in this report isn't new, but the scale is. Criminals follow adoption curves. Employees adopted AI tools fast this year, often without org guidance. Attacks disguised as those tools followed right behind. A 5x jump in four months means this is still accelerating, not plateauing.
The protection isn't complicated. It's a clear approved list, a five-minute extension audit, and a team that knows where the official versions of these tools actually live. We help orgs set that up in an afternoon — and then actually check that it's in place six months later. If your team is actively exploring AI tools and you haven't done either of those things, this week is a good time to start.