Check Point says DeepSeek was used to prototype browser-based ransomware

Researchers at Check Point say they found evidence that DeepSeek was used to generate a browser-native malware concept that could act like ransomware without installing a traditional executable. The c...

Researchers at Check Point say they found evidence that DeepSeek was used to generate a browser-native malware concept that could act like ransomware without installing a traditional executable. The company described the sample as incomplete, but said it showed how large language models can lower the barrier for attackers who want to experiment with web-based abuse.

According to the report, the team reviewed thousands of files linked to DeepSeek over the past year and classified a significant portion as malicious or risky based on VirusTotal data and static analysis. One sample stood out because it appeared to combine multiple hostile functions into a single browser-delivered lure.

How the attack concept works

The technique relies on browser features such as the File System Access API, which can let a web app read and write local files after the user grants permission. Security researchers have previously noted that this capability expands the browser attack surface, even though it is useful for legitimate tools like editors and design applications.

In Check Point’s analysis, the DeepSeek-generated code aimed to:

  • lure the victim with a fake browser-based application
  • request access to local files
  • process or encrypt files inside the browser
  • collect data such as credentials, Discord tokens, and payment details
  • present a ransom-style screen demanding Bitcoin

The researchers said the sample did not fully work as written and could not complete a real-world infection chain on its own. Even so, they argued that only modest changes would be needed to turn the concept into a functional attack.

Why defenders are paying attention

Check Point said it was able to produce a working proof of concept using a current version of DeepSeek after removing explicit references such as “ransomware” from the prompt. The result, the company said, was still a web page that could persuade a user to grant file access and then leave them unable to restore the original content.

Researchers cautioned that this is an example of how AI can help attackers turn previously documented browser risks into more practical threats. The company said such activity may already be happening, or could emerge in the near term, as threat actors continue experimenting with prompt-driven malware generation.