Back to Feed
MalwareJul 1, 2026

AI-Generated Browser Ransomware Abuses Chromium API on Windows and Android

DeepSeek AI generates first functional browser-based ransomware exploiting Chromium File System API.

Summary

Researchers at Check Point discovered a Python Flask malware artifact (InfernoGrabber v9.0) generated by DeepSeek AI that implements a novel in-browser ransomware technique. The malware uses phishing to trick users into granting file system access via the Chromium File System Access API, then exfiltrates, encrypts, and overwrites files—all without requiring native payload installation or root access. This marks the first documented case of a frontier AI model independently discovering a practical attack chain that bridges theoretical browser-only ransomware risks with working exploitation on both Windows and Android.

Full text

AI-Generated Browser Ransomware Abuses Chromium API on Windows and Android Ravie LakshmananJul 01, 2026Browser Security / Ransomware Cybersecurity researchers have flagged a new malware artifact generated using DeepSeek that constructed a novel attack path combining "unrealistic browser-malware concepts with a real browser capability" to turn it into a working ransomware technique that runs entirely inside the browser on both Windows and Android devices. "This is the first documented case where a frontier AI model independently bridged the gap between a theoretical browser-only ransomware risk and a practical, working attack chain – surfacing a novel attack path that defenders had previously dismissed as unfeasible due to browser sandboxing limits," Check Point said in a statement shared with The Hacker News. "The expertise needed to discover a new attack path is no longer the bottleneck, and defenders need to account for that shift now — before threat actors operationalize it at scale." The identified sample is a Python Flask application named "deepseek_python_20260125_da0631.py" that was uploaded to VirusTotal on January 25, 2026, with the Google-owned malware scanning service describing it as a "fully functional information stealer and ransomware toolkit." It has been named InfernoGrabber v9.0 by the malware author. The application is designed to operate as a malicious web server that lures victims with a fake Discord avatar AI upscaler, while stealthily running a wide array of harmful actions, including stealing Discord tokens, harvesting credit card numbers and cryptocurrency seed phrases, logging keystrokes, and capturing unauthorized webcam and microphone feeds. "The code includes specific routines for browser exploitation (targeting CVEs like CVE-2023-4863), data exfiltration via a hard-coded Discord webhook, a ransomware 'WinLocker' screen demanding Bitcoin, and an administrative dashboard for the attacker to manage stolen data," according to VirusTotal. The findings come as artificial intelligence and large language models (LLMs) are redefining the cyber threat landscape, enabling threat actors to abuse the technology to develop malware and exploits. The use of DeepSeek is noteworthy as it signals that the Chinese company's models have lower refusal rates for malicious cyber requests when compared to its Western counterparts from Anthropic, Google, or OpenAI. Other factors that may have facilitated the use of DeepSeek is its free access via the web interface, availability in regions where other frontier models do not operate, and its ability to generate a working malicious application from a "single broad prompt" as opposed to models from Anthropic or OpenAI. "DeepSeek models can turn high‑level malicious ideas into concrete, complete attacks with less expertise than competing platforms," Check Point Research said. The Israeli cybersecurity company said it unearthed the Python artifact as part of its analysis of about 3,000 files attributed to DeepSeek over the past year. Of these, 1,383 samples have been classified as malicious or dangerous. The Python malware is an instance of what's called In-Browser Ransomware that implements a browser-native technique not encountered in real-world campaigns in the past. The exact prompt that was used to produce the sample is unknown. The attack technique entails using a phishing decoy to trick a user into granting file system access to a web page, which then enumerates local files in the selected folder, reads and exfiltrates their contents, encrypts and overwrites them, and finally displays an extortion note to the victim. What makes this more unusual is that all of this can be accomplished without installing a native payload, exploiting a browser vulnerability, or requiring root access. It's worth mentioning here that the approach is limited to web browsers that expose the picker-based File System Access API. This includes Google Chrome and other Chromium-based browsers across Windows and Android operating systems. There is no evidence that the browser-native ransomware pattern has been abused in the wild. Another troubling aspect of AI-assisted development is that it not only lowers the barrier for bad actors to generate offensive code, but also the fact that they do not even need to know such a file system access API exists in the first place, or have the technical expertise to abuse it. Put differently, entering an overly broad prompt is enough for an LLM – subject to guardrails, or lack thereof -- to formulate a working attack blueprint from an abstract malicious request. When a user with limited technical understanding outlines unrealistic requirements, the model, in its quest to satisfy them, can generate hallucinated outcomes, surfacing unusual techniques in the process. "What we are witnessing is a fundamental shift in how novel cyber attacks are born. For the first time, we have evidence that an AI model can independently reason across legitimate platform features and surface a working attack technique that humans had only theorised about – without the attacker ever knowing the underlying API existed," Eli Smadja, head of research at Check Point Research, said in a statement. "The barrier to operationalizing complex attacks is collapsing, and that has profound implications for every organisation embedding AI into its workflows, and for every mobile user who now carries their entire personal and professional life inside a photo library. The future of AI security cannot rest on hoping models refuse the obvious malicious request; it must assume that the next attack technique will be discovered not by a human researcher, but by an AI hallucination that accidentally got one thing right." Smadja is also urging organizations to prepare by hardening the delivery layer, rethinking permission-based trust, and treating every browser prompt as a security decision. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Android, browser security, Chromium, DeepSeek, Discord, Malware, ransomware, VirusTotal, Windows ⚡ Top Stories This Week Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool 29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check

Indicators of Compromise

  • cve — CVE-2023-4863
  • malware — InfernoGrabber v9.0
  • malware — WinLocker

Entities

DeepSeek (vendor)Check Point (vendor)Google (vendor)Chromium File System Access API (technology)Chrome (product)Discord webhooks (technology)