
DeepSeek was released in January 2025 and caused a stir due to its vulnerability to jailbreaking techniques.
Similar to all major LLMs, DeepSeek has guardrails designed to prevent it from being used for malicious purposes, including malware creation. However, these restrictions can be easily circumvented.
When asked directly to write code for a keylogger or ransomware, DeepSeek refuses to do so claiming that it cannot help with potentially malicious or illegal tasks. But if you tell DeepSeek that the research is for “educational purposes only”, you can bypass its safeguards.
Tenable specialists successfully used jailbreaking techniques to fool the chatbot into writing malicious code; furthermore, they used a technique called Chain-of-Thought (CoT) to refine its results.
CoT reconstructs human thinking by breaking it down into sequential steps required to achieve the goal. In other words, CoT makes AI ‘thinking out loud’, thus, providing a step-by-step description of its reasoning process.
When researchers ‘nicely’ asked DeepSeek to write a keylogger, the AI outlined an action plan and then produced some C++ code. This code was buggy, and the chatbot was unable to correct some of the errors and create a fully-functional malware without human intervention.

However, after a few manual interventions, the keylogger code generated by DeepSeek started working (i.e. intercepting user’s keystrokes). The researchers then used DeepSeek to further improve the resulting malware: now it can hide and encrypt its logs.
After being asked to develop some ransomware, DeepSeek first described the entire process and then managed to generate several samples of file encryption malware (although none of them could be compiled without manual fixes in the code).
Ultimately, the researchers managed to put some ransomware samples to work. The malware uses file enumeration and persistence mechanisms and even displays a ‘ransomware dialog’ box.
“At its core, DeepSeek can create the basic structure for malware. However, it is not capable of doing so without additional prompt engineering as well as manual code editing for more advanced features. For instance, DeepSeek struggled with implementing process hiding. We got the DLL injection code it had generated working, but it required lots of manual intervention. Nonetheless, DeepSeek provides a useful compilation of techniques and search terms that can help someone with no prior experience in writing malicious code the ability to quickly familiarize themselves with the relevant concepts,” – Tenable.

2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…
Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO
According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…
Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →