Cybersecurity researchers have identified a new artificial intelligence (AI) generated malware sample that demonstrates a previously unobserved browser-based ransomware technique capable of operating entirely within Chromium-based browsers on both Windows and Android devices. According to Check Point Research, the malware was created using DeepSeek and represents the first documented case in which a frontier AI model independently connected a theoretical browser-only ransomware concept with an existing browser capability to produce a practical attack chain. Researchers said the finding highlights how advances in AI are reducing the technical expertise required to develop sophisticated cyberattacks. Although there is currently no evidence that the technique has been used in real-world attacks, security experts warn that publicly demonstrated methods such as this could increase future risk if adopted by threat actors.
The malware sample, a Python Flask application named deepseek_python_20260125_da0631.py, was uploaded to VirusTotal on January 25, 2026. VirusTotal classified it as a fully functional information-stealer and ransomware toolkit, while its author referred to it as InfernoGrabber v9.0. The application functions as a malicious web server that lures victims with a fake Discord avatar AI upscaler. Once a user interacts with the malicious page, the malware is designed to perform several harmful actions, including stealing Discord authentication tokens, harvesting credit card information and cryptocurrency seed phrases, recording keystrokes, and capturing webcam and microphone activity without authorization. The malware also contains browser exploitation routines targeting previously disclosed vulnerabilities, uses a hard-coded Discord webhook to exfiltrate stolen information, displays a ransomware lock screen demanding Bitcoin payments, and provides an administrative dashboard that lets attackers manage the data collected from victims.
Researchers said the browser-based ransomware technique relies on browsers that support the File System Access API, including Google Chrome and other Chromium-based browsers running on Windows and Android. The attack begins with a phishing lure that convinces a user to grant file system access to a malicious web page. After permission is granted, the web application can enumerate the files in the selected folder, read and transmit their contents, encrypt the files, overwrite them, and display a ransom message. Unlike conventional ransomware, the technique does not require installing a native executable, exploiting a browser vulnerability, or obtaining elevated system privileges. Check Point noted that the exact prompt used to generate the malware remains unknown, but the research forms part of a broader review of approximately 3,000 files associated with DeepSeek over the past year. Among those samples, researchers classified 1,383 files as malicious or potentially dangerous. The company also observed that DeepSeek appeared capable of generating functional malicious applications from broad prompts with fewer restrictions than several competing AI models.
According to Check Point Research, the findings illustrate how AI can identify unconventional attack paths by combining legitimate platform features in unexpected ways. Researchers noted that an individual with limited technical knowledge may not even be aware that browser capabilities such as the File System Access API exist, yet an AI model can incorporate those features into a functional attack chain when responding to a malicious prompt. Eli Smadja, Head of Research at Check Point Research, said the security industry is witnessing a shift in how new attack techniques are developed, with AI capable of reasoning across legitimate platform functions and producing methods that had previously remained theoretical. He advised organizations to strengthen security around application delivery, reconsider trust based solely on user permissions, and treat every browser permission prompt as an important security decision. While researchers have not observed this browser-native ransomware technique being used in active campaigns, they emphasize that organizations should remain vigilant as AI continues to influence malware development and lower the barriers to creating advanced cyber threats.
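The attack chain described above hinges on a single user decision: granting a web page read and write access to a local folder through the File System Access API. For managed desktop Chrome, that decision can be taken out of the user's hands with enterprise policy. The fragment below is an added example, not part of the Check Point report or of any vendor guidance; it uses Chrome's existing policy names (DefaultFileSystemReadGuardSetting, DefaultFileSystemWriteGuardSetting, FileSystemReadAskForUrls, FileSystemWriteAskForUrls) to block file system access for every origin by default and let only an allowlisted internal application ask the user. The origin https://editor.example-internal.com is a placeholder. On Linux the file would live under /etc/opt/chrome/policies/managed/; on Windows the same policy names are set through Group Policy or the registry.

```json
{
  "DefaultFileSystemReadGuardSetting": 2,
  "DefaultFileSystemWriteGuardSetting": 2,
  "FileSystemReadAskForUrls": [
    "https://editor.example-internal.com"
  ],
  "FileSystemWriteAskForUrls": [
    "https://editor.example-internal.com"
  ]
}
```

The value 2 on the two Default...GuardSetting keys means "do not allow any site to request access"; 3 would restore Chrome's normal behaviour of prompting the user. Blocking write access alone already removes the encrypt-and-overwrite step of the technique, while blocking read access also prevents the bulk exfiltration of folder contents that precedes it. Restricting the "ask" lists to applications you actually deploy is what turns the permission prompt from a phishing target into a controlled exception, which is the practical form of the advice to treat every permission prompt as a security decision. Android Chrome supports only a subset of desktop policies through mobile device management, so whether these particular keys take effect on a managed Android device should be checked against Chrome's current policy list rather than assumed.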