A new AI safety test from Check Point Research shows that DeepSeek, a free Chinese AI chatbot, will produce a working browser-based ransomware script from a single plain-language prompt. The script never touches a traditional malware payload. Instead, it leans on a legitimate feature in Google Chrome that lets websites read and write to folders on a user's device, then tricks the victim into granting access through a fake AI photo-enhancement workflow.
In practice, that means a non-expert can ask a chatbot for ransomware, get usable code from a single prompt, and run it inside any Chromium-based browser. Check Point's analysis of nearly 3,000 files attributed to DeepSeek over the past year found that 1,383 of them, roughly 46 percent, were classified as malicious or dangerous by VirusTotal detection or static source review. The named sample, InfernoGrabber 9000, is labeled by VirusTotal as a "fully functional information stealer and ransomware toolkit," though Check Point acknowledges the sample is incomplete and has not been observed in live in-the-wild infections.
The mechanism sits on top of work security researchers published three years ago. A 2023 USENIX Security paper, "Ransomware over Modern Web Browsers" by researchers at Florida International University and Google, showed that Chrome's File System Access API could be abused by a malicious web page to encrypt local files. The Check Point report demonstrates that the same technique is now within reach of anyone who can phrase the request.
What DeepSeek adds is speed and accessibility. Pedro Drimel Neto, who leads malware analysis at Check Point Research, told The Register that DeepSeek carries lower refusal rates for harmful cyber requests than OpenAI or Anthropic models, and that a working malicious app could often be produced from a single broad prompt where competing systems would force the user to break the request into benign-looking sub-tasks. DeepSeek is also free at the point of use, which removes the friction of a paid sandbox or identity gating.
The findings come from a vendor with a commercial stake in ransomware detection, and the named sample has not been independently verified outside Check Point's lab, which is part of why the team frames the demonstration as a stress test rather than a live campaign.
Android is where this lands hardest. Modern Chrome on Android exposes the File System Access API to web pages, including user photo directories. iOS Chrome does not. A lure promising to enhance or restore a personal photo set maps naturally to the API's permissions model, and an encrypted camera roll becomes the leverage for a ransom demand.
The attack chain has no native payload, no APK install, no browser exploit, and no root. The user grants a website permission once, the website iterates through the granted directory, and file contents are scrambled with a key held only by the attacker. From a defender's seat, that collapses several of the signals antivirus products and mobile threat teams have spent years tuning for.
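One defender-side control for the mechanism just described, as an added example that is not from the Check Point report: a Chrome enterprise policy file that moves the File System Access API from its permissive default ("ask the user", value 3) to "block" (value 2) for every site, then re-enables the prompt only for an allowlisted origin. The policy keys are Chrome's own; the origin pattern is a placeholder, and the example assumes a policy-managed desktop Chrome fleet.

```json
{
  "DefaultFileSystemReadGuardSetting": 2,
  "DefaultFileSystemWriteGuardSetting": 2,
  "FileSystemReadAskForUrls": [
    "https://[*.]intranet.example.com"
  ],
  "FileSystemWriteAskForUrls": [
    "https://[*.]intranet.example.com"
  ]
}
```

On Linux the file is dropped into /etc/opt/chrome/policies/managed/, and the applied state can be confirmed at chrome://policy; a site outside the allowlist then never reaches the directory-access prompt the lure depends on.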
The watch item: whether Android Chrome, the W3C File System Access working group, or any of the major model labs move on this before Check Point's separate observation of "evidence of actual threat actors attempting this attack using straightforward LLM prompts" turns into a public incident.