Claude Desktop Hijacked for Remote Code Execution, DeepSeek Generates In-Browser Ransomware

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Agent Hijacked: Pentera Labs turned a developer's Claude Desktop into a double agent for full remote code execution.
  • Malicious Files: Check Point classified roughly half of nearly 3,000 DeepSeek-attributed files as malicious or dangerous.
  • Novel Technique: A DeepSeek-generated sample used an in-browser ransomware method not previously seen in the wild.

Two new research findings show how attackers can weaponize mainstream AI tools, turning trusted assistants into vectors for full system compromise and novel malware. Pentera Labs red teamers compromised a developer's AI agent through his Claude Desktop app and converted that foothold into full remote code execution (RCE). 

Over the past year, Check Point Research (CPR) tracked almost 3,000 files attributed to DeepSeek and classified 1,383 of them, nearly half, as malicious or dangerous.

Claude Desktop Hijack

The chain began with a red-team assignment on a third-party platform that aggregates customer email inboxes into a single management interface. Researchers used the compromised inbox to break into the Claude account of a victim with Claude Desktop installed.

If the user already runs Desktop Commander or a similar Model Context Protocol (MCP) connector or extension, poisoned instructions direct Claude AI to use it. That access allows the attacker, operating through Claude, to execute a stealthy reverse shell or other malicious code, resulting in a full compromise of the machine. 

“We could rotate those commands server side at will, effectively turning Claude into a persistent, stealthy C2 agent that the victim themselves kept feeding,” the researchers said. Without Claude Cowork, which can execute commands on a user’s behalf, Claude also becomes what the researchers describe as a “phishing layer.”
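The chain above depends on an MCP connector that can already run commands on the developer's machine, so the first defensive check is simply knowing which connectors a Claude Desktop install has enabled. The script below is an added example, not code from Pentera Labs or Anthropic: it parses a Claude Desktop connector configuration and flags servers whose name, launcher or arguments suggest shell or file-write capability. The config file name and locations, the `mcpServers` layout, the watch list and the sample config are all assumptions and should be verified against the installs in your environment.

```python
"""Audit a Claude Desktop MCP configuration for connectors that can run commands.

Assumptions (not from the article): Claude Desktop keeps its connector list in
claude_desktop_config.json under an "mcpServers" map of name -> {"command", "args"}.
The paths and the watch list below are assumed and should be verified locally.
"""
import json
import os
import re
import sys
from pathlib import Path

# Words that, in a server name, launcher or its arguments, indicate shell or
# file-write capability. Constructed watch list; extend it for your environment.
COMMAND_CAPABLE = {"commander", "shell", "terminal", "bash", "cmd",
                   "powershell", "filesystem", "exec"}

# Constructed sample config, standing in for a real file on disk.
SAMPLE_CONFIG = {
    "mcpServers": {
        "desktop-commander": {"command": "npx", "args": ["-y", "@example/desktop-commander"]},
        "docs-search": {"command": "node", "args": ["/opt/docs-mcp/index.js"]},
        "local-shell": {"command": "bash", "args": ["-lc", "/opt/tools/mcp-shell.sh"]},
    }
}


def candidate_config_paths() -> list:
    """Usual locations of claude_desktop_config.json (assumed; verify on your hosts)."""
    home = Path.home()
    return [
        home / "Library" / "Application Support" / "Claude" / "claude_desktop_config.json",  # macOS
        Path(os.environ.get("APPDATA", str(home / "AppData" / "Roaming")))
        / "Claude" / "claude_desktop_config.json",  # Windows
    ]


def load_config(path: Path) -> dict:
    """Return the parsed config, or an empty dict when the file is absent or unreadable."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}


def _tokens(*parts: str) -> set:
    """Lower-case word tokens of the given strings, split on anything non-alphanumeric."""
    return set(re.split(r"[^a-z0-9]+", " ".join(parts).lower())) - {""}


def audit_mcp_servers(config: dict) -> list:
    """List every configured server whose name/command/args hit the watch list."""
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        command = str(spec.get("command", ""))
        args = [str(a) for a in spec.get("args", [])]
        matches = sorted(COMMAND_CAPABLE & _tokens(name, command, *args))
        if matches:
            findings.append({"server": name, "command": command,
                             "args": args, "matches": matches})
    return findings


def main(argv):
    if len(argv) > 1:
        config = load_config(Path(argv[1]))
    else:
        config = next((c for p in candidate_config_paths() if (c := load_config(p))), SAMPLE_CONFIG)
    for f in audit_mcp_servers(config):
        print(f"[command-capable] {f['server']}: {f['command']} {' '.join(f['args'])} "
              f"(matched: {', '.join(f['matches'])})")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to scan the usual config locations (falling back to the constructed sample), or pass a path to a config file exported from a developer workstation. A hit does not mean the connector is malicious; it means that a poisoned instruction reaching this Claude account would have something to execute, which is exactly the condition the Pentera chain relied on.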

DeepSeek In-Browser Ransomware

In a Wednesday report, CPR analyzed an incomplete DeepSeek-generated sample that enabled a dangerous browser-native technique CPR had not observed exploited in the wild, which it describes as in-browser ransomware.

Rather than installing a native payload or exploiting the browser, the technique abuses a legitimate permission prompt exposed by the File System Access API in Google Chrome: a phishing lure persuades the victim to grant file-system access to a web page, which can then enumerate, read, exfiltrate, encrypt, and overwrite local files in the selected folder and display a ransom message.

While the technique is not new, CPR showed how the AI model brought previously documented concepts together into a workable attack scenario, leveraging a method that defenders had originally thought infeasible due to browser sandboxing limits.
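Because the whole technique rides on the user accepting Chrome's File System Access prompt, the corresponding control is the enterprise policy that decides whether a given origin may show that prompt at all. The script below is an added example, not code from CPR or Google: it models how Chrome's File System Access policies (`DefaultFileSystemReadGuardSetting`, `DefaultFileSystemWriteGuardSetting`, `FileSystem{Read,Write}AskForUrls`, `FileSystem{Read,Write}BlockedForUrls`) resolve for an origin, and contrasts Chrome's out-of-the-box state (any site may ask) with a hardened policy that blocks the prompt except for an allow-listed internal origin. The policy names are real Chrome enterprise policies; the evaluation order, the URL-pattern matcher, and the sample policies and origins are simplifications and constructed values, so confirm the details against Chrome's policy documentation before deploying.

```python
"""Evaluate whether Chrome policy lets an origin prompt for File System Access.

The policy names are real Chrome enterprise policies; the evaluation order and the
URL-pattern matcher below are a simplified model (assumption), not Chrome's code.
"""
from urllib.parse import urlsplit

BLOCK, ASK = 2, 3  # content-setting values used by the Default*GuardSetting policies

# Constructed sample policies: Chrome's out-of-the-box state (any site may ask), and a
# hardened state that blocks the prompt except for an allow-listed internal origin.
WEAK_POLICY = {}
HARDENED_POLICY = {
    "DefaultFileSystemReadGuardSetting": BLOCK,
    "DefaultFileSystemWriteGuardSetting": BLOCK,
    "FileSystemReadAskForUrls": ["https://ide.internal.example.com"],
    "FileSystemWriteAskForUrls": ["https://ide.internal.example.com"],
    "FileSystemWriteBlockedForUrls": ["[*.]example.net"],
}

# Constructed origins: a phishing lure domain, the allow-listed IDE, and an unrelated site.
SAMPLE_ORIGINS = [
    "https://lure.example.net",
    "https://ide.internal.example.com",
    "https://other.example.org",
]


def _pattern_matches(pattern: str, origin: str) -> bool:
    """Simplified Chrome URL-pattern match: '*', 'scheme://host', 'host', '[*.]host'."""
    if pattern == "*":
        return True
    parts = urlsplit(origin)
    scheme, host = parts.scheme, (parts.hostname or "")
    p_scheme, sep, p_rest = pattern.partition("://")
    if not sep:
        p_scheme, p_rest = "", pattern
    if p_scheme and p_scheme != "*" and p_scheme != scheme:
        return False
    p_host = p_rest.split("/", 1)[0].split(":", 1)[0]
    if p_host.startswith("[*.]"):
        base = p_host[4:]
        return host == base or host.endswith("." + base)
    return host == p_host


def decide(policy: dict, origin: str, access: str = "write") -> str:
    """Return 'block' or 'ask' for a directory/file picker request from origin.

    Order (assumption): explicit block list, then explicit ask list, then the default
    guard setting, which Chrome leaves at 'ask' when the policy is unset.
    """
    kind = "Write" if access == "write" else "Read"
    if any(_pattern_matches(p, origin) for p in policy.get(f"FileSystem{kind}BlockedForUrls", [])):
        return "block"
    if any(_pattern_matches(p, origin) for p in policy.get(f"FileSystem{kind}AskForUrls", [])):
        return "ask"
    default = policy.get(f"DefaultFileSystem{kind}GuardSetting", ASK)
    return "block" if default == BLOCK else "ask"


def report(policy: dict, origins) -> dict:
    """Map each origin to its read/write outcome under the given policy."""
    return {o: {"read": decide(policy, o, "read"), "write": decide(policy, o, "write")}
            for o in origins}


if __name__ == "__main__":
    for label, policy in (("weak (defaults)", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {label} ==")
        for origin, outcome in report(policy, SAMPLE_ORIGINS).items():
            print(f"  {origin:38} read={outcome['read']:5} write={outcome['write']}")
```

The weak policy lets the lure domain prompt for write access, which is all the in-browser ransomware scenario needs; the hardened policy turns that prompt into a silent block while the internal IDE keeps its prompt. Since the sample relies on the victim approving a legitimate dialog, denying the dialog by policy on managed endpoints removes the step the phishing lure is trying to win.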
