Check Point Research recently analyzed nearly 3,000 files attributed to DeepSeek, identifying a significant portion as malicious or dangerous. A key discovery was a sample implementing an "In-Browser Ransomware" technique. This method exploits the browser-native File System Access API by social engineering victims into granting folder permissions under the guise of a legitimate utility, such as an AI image upscaler. Once access is granted, the script can enumerate, exfiltrate, and encrypt local files without needing a traditional native payload or system exploitation.
The research highlights how modern LLMs like DeepSeek can bridge the gap between theoretical platform risks and practical attack chains. While frontier models often refuse direct requests to create ransomware, they may still generate the necessary functional components when prompted with broader requirements or through creative iteration. This capability allows attackers with limited expertise to operationalize complex techniques, particularly targeting sensitive data on Android devices using Chromium-based browsers where the File System Access API is supported.
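The attack chain above only works once the browser is allowed to hand a site a writable directory handle, so the most direct mitigation on managed fleets is to turn that capability off by policy. The following Chrome enterprise policy file is an added example, not part of Check Point's research or any vendor guidance; it uses the documented Chrome policies `DefaultFileSystemReadGuardSetting` and `DefaultFileSystemWriteGuardSetting` (value `2` blocks requests outright, `3` lets sites prompt the user) together with the `FileSystemWriteAskForUrls` allowlist. The allowlisted origin is a placeholder you would replace with an internal application that genuinely needs the API; the file path is the managed-policy directory for Chrome on Linux.

```json
{
  "_comment": "Added example: drop into /etc/opt/chrome/policies/managed/fsaccess.json (Linux). Blocks File System Access write grants by default so a social-engineered 'upscaler' page cannot obtain a writable folder handle.",

  "DefaultFileSystemReadGuardSetting": 2,
  "DefaultFileSystemWriteGuardSetting": 2,

  "FileSystemReadAskForUrls": [
    "https://internal-tools.example.com"
  ],
  "FileSystemWriteAskForUrls": [
    "https://internal-tools.example.com"
  ]
}
```

With this in place, `showDirectoryPicker()` and `showSaveFilePicker()` are refused on every origin except the allowlisted one, where the user is still asked to confirm. Verify the result on a client at `chrome://policy` (the policies should appear as applied with no conflicts); a page that still manages to obtain a writable handle after rollout indicates the policy is not reaching that profile. Read access is blocked here as well because the enumeration and exfiltration steps described above need only a read grant; if that is too restrictive for your users, leave the read guard at `3` and keep the write guard at `2`, which still prevents in-place encryption of files.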