AI-Generated Browser Ransomware: DeepSeek LLMs Lower the Bar for Cybercriminals
Researchers at Check Point have uncovered a concerning trend: large language models (LLMs) like DeepSeek are enabling low-skilled attackers to develop functional in-browser ransomware with minimal effort. In a report published Wednesday, the cybersecurity firm detailed how an incomplete but dangerous AI-generated sample dubbed InfernoGrabber 9000 could be transformed into a fully operational attack with little technical expertise.
The Threat: Browser-Native Ransomware
The sample, attributed to DeepSeek, abuses the File System Access API, a legitimate browser feature in Chrome and Chromium-based browsers, to encrypt local files directly from a malicious web application. Unlike traditional ransomware, this attack requires no native payload, APK installation, or root access, relying instead on social engineering (e.g., tricking users into granting file permissions).
While the original sample was incomplete, Check Point demonstrated that only minor modifications were needed to make it attack-ready. The researchers successfully created a proof-of-concept (PoC) for browser-only ransomware using DeepSeek V4, proving that even non-experts could deploy such threats.
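The permission grant is the choke point in the attack described above, so one practical control is to stop untrusted origins from asking for it at all. The following Chrome/Chromium managed-policy file is an added example, not code from Check Point's report: it sets the File System Access API read and write guards to 2 (block), instead of the default 3 (any site may prompt the user), and lets only an allowlisted origin ask. The policy names are Chrome's documented enterprise policies; the origin is a placeholder.

```json
{
  "DefaultFileSystemWriteGuardSetting": 2,
  "DefaultFileSystemReadGuardSetting": 2,
  "FileSystemWriteAskForUrls": ["https://apps.example.internal"],
  "FileSystemReadAskForUrls": ["https://apps.example.internal"]
}
```

On Linux the file is dropped into /etc/opt/chrome/policies/managed/ (Chromium reads /etc/chromium/policies/managed/); on Windows and macOS the same policy names are delivered via GPO/registry or a configuration profile, and chrome://policy shows whether they applied.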
What InfernoGrabber 9000 Attempts to Do
The AI-generated code was designed as a multi-functional malware toolkit, disguised as a Discord avatar upscaler. If executed, it would:
- Steal Discord tokens, credit card numbers, and cryptocurrency seed phrases
- Log keystrokes and capture webcam/microphone feeds
- Encrypt local files via the browser
- Exfiltrate data via a hardcoded Discord webhook
- Display a ransomware WinLocker screen demanding Bitcoin
Though the sample was non-functional in its original state, Check Point’s analysis revealed that threat actors are already experimenting with similar attacks, using simple LLM prompts to generate malicious code.
Why This Matters
- Low Barrier to Entry: Attackers with minimal technical skills can now create sophisticated browser-based ransomware.
- Evasion Tactics: The use of code obfuscation makes detection difficult, raising concerns that such attacks may already be occurring undetected.
- Shift in Targets: While traditional ransomware focuses on enterprises, this technique could expand attacks to end-users, particularly Android device owners.
Check Point’s findings highlight a growing risk: AI-generated malware is no longer theoretical. With LLMs lowering the skill floor for cybercriminals, browser-native ransomware could become a real-world threat in the near future.
{
  "id": "GOODEE1782937442",
  "linkid": "googledeepmind, deepseek-ai",
  "type": "Ransomware",
  "date": "6/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [{"type": "End-users, Android device owners"}],
  "attack_vector": "Browser-based (File System Access API), Social Engineering",
  "data_breach": {
    "data_encryption": "Yes (browser-based file encryption)",
    "data_exfiltration": "Yes (via hardcoded Discord webhook)",
    "personally_identifiable_information": "Yes (Discord tokens, credit card numbers, cryptocurrency seed phrases)",
    "sensitivity_of_data": "High (PII, financial data, sensitive personal media)",
    "type_of_data_compromised": ["Discord tokens", "Credit card numbers", "Cryptocurrency seed phrases", "Keystrokes", "Webcam/microphone feeds", "Local files"]
  },
  "date_publicly_disclosed": "2024-05-22",
  "description": "Researchers at Check Point uncovered a trend where large language models (LLMs) like DeepSeek enable low-skilled attackers to develop functional in-browser ransomware with minimal effort. The AI-generated sample, InfernoGrabber 9000, exploits the File System Access API in Chrome and Chromium-based browsers to encrypt local files directly from a malicious web application without requiring native payloads or root access. The sample was incomplete but could be made attack-ready with minor modifications.",
  "impact": {
    "data_compromised": "Discord tokens, credit card numbers, cryptocurrency seed phrases, keystrokes, webcam/microphone feeds, local files",
    "identity_theft_risk": "High (PII and financial data theft)",
    "operational_impact": "Potential file encryption and data exfiltration via browser",
    "payment_information_risk": "High (credit card numbers, cryptocurrency seed phrases)",
    "systems_affected": "Chrome and Chromium-based browsers (e.g., Android devices)"
  },
  "initial_access_broker": {"entry_point": "Malicious web application (disguised as Discord avatar upscaler)"},
  "investigation_status": "Ongoing (proof-of-concept demonstrated)",
  "lessons_learned": "AI-generated malware is lowering the barrier to entry for cybercriminals, enabling low-skilled attackers to create functional ransomware. Browser-native attacks pose a growing risk to end-users, particularly on mobile devices.",
  "motivation": "Financial gain, Data theft, Extortion",
  "post_incident_analysis": {
    "corrective_actions": "Improved detection of browser-based threats, user education on permission risks, development of AI-driven defense mechanisms",
    "root_causes": "Exploitation of legitimate browser APIs (File System Access API) by AI-generated malware, low barrier to entry for attackers using LLMs"
  },
  "ransomware": {
    "data_encryption": "Yes",
    "data_exfiltration": "Yes",
    "ransom_demanded": "Bitcoin (amount unspecified)",
    "ransomware_strain": "InfernoGrabber 9000 (AI-generated, browser-native)"
  },
  "recommendations": ["Enhance monitoring for browser-based API abuse", "Improve detection of obfuscated malicious code", "Educate users on the risks of granting file permissions to web applications", "Develop countermeasures for AI-generated malware threats"],
  "references": [{"date_accessed": "2024-05-22", "source": "Check Point Research"}],
  "response": {"third_party_assistance": "Check Point (research and analysis)"},
  "threat_actor": "Low-skilled attackers using DeepSeek LLMs",
  "title": "AI-Generated Browser Ransomware: DeepSeek LLMs Lower the Bar for Cybercriminals",
  "type": "Ransomware",
  "vulnerability_exploited": "File System Access API in Chrome/Chromium-based browsers"
}