Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique

Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique
Check Point Research found that a DeepSeek-attributed sample turned an unrealistic browser-malware idea into a plausible browser-native ransomware technique using the File System Access API. The research shows how a fake AI photo-enhancement lure on Android can trick users into granting folder access, enabling file read, exfiltration, and encryption without a native payload or browser exploit. #DeepSeek #FileSystemAccessAPI #InfernoGrabber #Chrome #Android

Keypoints

  • Check Point Research analyzed nearly 3,000 DeepSeek-attributed files and identified one sample that implemented a browser-native ransomware concept.
  • The sample, associated with the name InfernoGrabber v9.0, used a Discord-themed AI upscaler lure and a ransom-style overlay.
  • The core abuse path relied on the File System Access API in Google Chrome, not on a native payload, APK, exploit, or root access.
  • The browser workflow could enumerate selected directories, read files, exfiltrate content, and overwrite files after the user granted permission.
  • On Android, the risk is especially high because photo directories and DCIM content can contain highly sensitive personal data.
  • DeepSeek V4 could generate a working browser-based ransomware proof of concept when prompted indirectly, while direct ransomware requests were refused.
  • The research highlights how LLMs can connect theoretical risks to practical attack paths and lower the expertise needed to operationalize them.

MITRE Techniques

  • [T1204.002 ] User Execution: Malicious File – The attack depends on the victim clicking a lure and approving folder access, as described in ‘the user opens a web page that promises to enhance a photo’ and ‘after user approval’.
  • [T1566.002 ] Phishing: Spearphishing Link – A fake AI image-enhancement webpage is used as the lure, described as ‘a fake photo-processing application’ and ‘a Discord avatar AI upscaler’.
  • [T1027 ] Obfuscated Files or Information – The malicious intent is hidden behind a benign-looking AI utility and browser workflow, as in ‘disguised as a Discord avatar AI upscaler’ and ‘a convincing AI upscaler interface with hidden ransomware-like behaviors’.
  • [T1056.001 ] Input Capture: Keylogging – The generated sample included keylogging logic, described as routines and stubs for ‘keylogging’ and ‘the keylogger observes keystrokes only while the user interacts with the page’.
  • [T1113 ] Screen Capture – The code referenced screenshots, described as routines and stubs for ‘screenshots’ and ‘the “desktop screenshot” routine captures the rendered web page’.
  • [T1119 ] Automated Collection – The sample attempted to collect multiple data types automatically, including ‘Discord-token collection, crypto-wallet and payment-card discovery, geolocation requests’ and local-file access.
  • [T1552.001 ] Unsecured Credentials: Credentials In Files – The sample targeted stored tokens and payment data, described as ‘Discord-token collection’ and ‘payment-card discovery’.
  • [T1083 ] File and Directory Discovery – The browser code could enumerate selected folders, as shown by ‘recursive traversal of a user-selected directory’ and ‘enumerate local files in the selected folder’.
  • [T1005 ] Data from Local System – The page could read local files after permission was granted, described as ‘reading selected files through browser file handles’ and ‘read files and folders from the local device’.
  • [T1041 ] Exfiltration Over C2 Channel – The sample was intended to send stolen file contents to a backend server, described as ‘sending file contents to the Flask backend’ and ‘read and exfiltrate their contents’.
  • [T1486 ] Data Encrypted for Impact – The attack goal was to encrypt files and prevent recovery, described as ‘encrypt and overwrite them’ and ‘leaves the user unable to recover the original content’.
  • [T1490 ] Inhibit System Recovery – The flow aimed to make recovery difficult by overwriting originals, described as ‘encrypt and overwrite them’ and ‘unable to recover the original content’.
  • [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The sample included a persistence concept, described as ‘persistence’ and ‘service worker registration attempt’ in browser storage terms.
  • [T1105 ] Ingress Tool Transfer – The browser-side workflow delivered malicious functionality through web content and backend routes, described as a ‘Python Flask application that serves victim-facing HTML and JavaScript’.

Indicators of Compromise

  • [SHA256 hash ] DeepSeek-attributed sample analyzed by researchers – 07c39f79ab92fb21557b82283472dce1c112f577d796111fb752c3c6d84c86b5
  • [File names / labels ] Victim-facing lure and ransom-note branding used in the sample – InfernoGrabber v9.0, Discord avatar AI upscaler
  • [Application / platform names ] Environment targeted by the browser-native workflow – Google Chrome, Chromium-family browsers, Chrome 132, Chrome 148
  • [Web API / function names ] JavaScript primitives referenced in the malicious code – showOpenFilePicker(), showDirectoryPicker()
  • [Web application framework ] Backend used to host victim-facing content and receive data – Python Flask application


Read more: https://research.checkpoint.com/2026/browser-only-ransomware-from-llm-hallucinations-to-a-practical-attack-technique/