---Advertisement---

DeepSeek AI Builds Browser Only Ransomware Using File System Access API

By xploitzone
July 2, 2026 5:50 PM
---Advertisement---

Check Point Research discovered that DeepSeek independently connected a theoretical browser ransomware concept to a real working attack using the File System Access API requiring zero exploits zero installs and zero technical expertise from an attacker.

Imagine a threat actor with almost no coding skill typing a single broad prompt into an AI chatbot and walking away with a fully functional ransomware workflow that runs entirely inside a browser tab. No malware file to download. No APK to install. No vulnerability to exploit.

Just a permission prompt that looks completely routine sitting between an attacker and years of someone’s personal photos. Check Point Research just confirmed that this scenario moved from theoretical to practical and the path there ran straight through an AI model that hallucinated its way into discovering a genuinely new attack technique.

DeepSeek Browser Ransomware Explained

Check Point researchers spent months tracking nearly three thousand files attributed to DeepSeek through public telemetry and classified almost half of them as malicious or dangerous based on VirusTotal analysis and static source review. Inside that dataset one particular sample stood out. It arrived as a Python Flask application named deepseek python 20260125 da0631.py uploaded to VirusTotal on January 25 2026 and the malware author called it InfernoGrabber v9.0.

Fake Discord themed social engineering lure used to trick users into granting folder access
(source: Check Point Research)

On the surface it looked like a textbook AI hallucination gone wrong. The model attempted to pack a keylogger a credential stealer a webcam capture tool and a ransomware overlay into a single web page which browsers simply do not allow. It got almost everything wrong.

But buried inside all that noise sat one thing the model got exactly right. The generated code called showDirectoryPicker which sits as a legitimate browser API letting a web page request access to a folder on the user device. Once a user grants that permission the web page can read files inside the selected folder modify them and send their contents directly to a remote server.

The model stumbled onto a real browser primitive that had genuine ransomware potential despite having no idea how most of its other requested capabilities actually work inside a browser environment. That accidental discovery became the core finding of the entire investigation.

Check Point researchers validated the technique by building their own controlled proof of concept. They disguised it as a fake AI photo enhancement tool that presents itself as an image upscaler. The workflow feels completely natural to any regular user.

Browser rendered InfernoGrabber v9.0 ransom demand screen showing Bitcoin payment and countdown timer
(source: Check Point Research)

A person selects a photo clicks a folder for enhanced results approves what looks like a routine browser permission prompt and during the fake processing step their images get encrypted. The entire operation runs inside the browser process without installing any additional app without dropping a binary anywhere on the device and without exploiting any vulnerability. Social engineering combined with a legitimate permission prompt does all the work.

The File System Access API underpins this entire technique. This browser capability supported primarily in Chrome and Chromium based browsers was built to let developers create rich web applications such as code editors and creative tools that need to read write and manage files on a user device.

Google security researcher Guliz Seray Tuncay along with Florida International University researchers flagged back in 2023 that this same API greatly extends the attack surface in ways adversaries could abuse. That warning came years before any LLM could actually produce a working implementation from a single broad prompt.

The platform picture matters significantly for understanding real world exposure. On Windows this technique works across Chrome and every Chromium based browser giving it enormous reach across enterprise and consumer environments alike. Chrome 132 introduced full File System Access support on Android and testing on Chrome 148 confirmed that web pages can request access to the DCIM photo directory on Android devices.

That folder typically holds years of personal photos scanned documents banking screenshots and recovery codes making it an extraordinarily high value ransomware target. On iOS the situation differs entirely since Safari does not expose the same File System Access primitives to websites and Chrome on iOS uses WebKit which also does not implement the API making the technique currently impractical on Apple mobile devices.

The DeepSeek angle adds a layer that goes beyond the technical finding itself. Major AI vendors including Anthropic and OpenAI have made cyber safety a dedicated control area and consistently refuse requests involving ransomware behavior credential theft or malware deployment. DeepSeek shows lower and less consistent refusal rates and its free access and wide regional availability make it particularly attractive to threat actors with limited technical skill.

A user who likely wanted an all in one Discord themed lure with a stealer an admin panel and a ransomware workflow simply described their goal in broad terms and the model chose a Flask application and a browser frontend as its architecture in doing so independently connecting a hallucinated browser malware concept to a real platform feature with genuine abuse potential.

Browser Ransomware Defense Guide

No confirmed in the wild exploitation of this specific browser native ransomware pattern has been observed at the time of publication. That detail provides temporary comfort but researchers at Check Point alongside independent analysts describe the timeline to real exploitation as short.

Responsible AI model refusing the same ransomware creation request that DeepSeek complied with
(source: Check Point Research)

The barrier to operationalizing complex attacks has collapsed and the expertise needed to discover a new attack path no longer represents the bottleneck it once did. An AI hallucination that accidentally gets one thing right now represents a genuine threat discovery mechanism running independently of any human researcher.

Detection for this class of attack proves genuinely challenging precisely because the execution environment sits inside the browser process rather than on disk. Traditional endpoint detection tools that monitor file writes executable drops or process injections will see nothing unusual while encryption runs inside a browser tab against a folder a user just granted access to through a routine looking prompt. Security teams relying purely on signature based malware scanning face a fundamental blind spot here since no suspicious file ever touches the disk in a form a scanner can flag.

Organizations should treat browser permission prompts as active security decisions rather than routine interface elements users should click through quickly. Security awareness training needs to specifically address folder access prompts in Chromium based browsers explaining that any website requesting write access to a local directory represents meaningful security decision rather than a harmless convenience feature. Employees should understand that a prompt saying a website wants to access your files and make changes carries real implications that differ entirely from accepting cookies or allowing notifications.

Enterprise environments running Chromium based browsers should evaluate whether File System Access API functionality needs to remain available across all users and all contexts. Browser management policies through Group Policy on Windows or equivalent MDM controls can restrict which sites receive permission to use this API if the functionality serves no legitimate business purpose for a given user group.

Restricting or requiring explicit administrative approval before any site can invoke showDirectoryPicker provides a meaningful reduction in the practical attack surface even before any malware sample actually reaches a user.

Individual users on Android devices carrying years of photos in their DCIM directory face the most immediately practical exposure given that Chrome 132 and later versions expose the full File System Access API there. The risk mitigation guidance applies with even greater urgency on Android since that directory typically holds genuinely irreplaceable personal material.

Before clicking Allow on any browser folder access prompt on either desktop or Android users should identify which site is asking which folder the request targets and whether write access makes any logical sense for the service being offered. A photo upscaling tool asking to write to the main photo library with no visible business reason for needing that access level should trigger immediate suspicion rather than routine approval.

The broader lesson behind this research reshapes how defenders should think about AI assisted threat discovery going forward. The expertise gap that once protected organizations by limiting who could connect abstract attack concepts to working implementations has closed.

The next novel attack technique may well arrive not through a human security researcher carefully combining technical knowledge but through an AI model that hallucinated its way into finding the one thing it actually got right.

xploitzone

Exploring the world of cybersecurity through in depth analysis of vulnerabilities,data breaches and emerging threats. Delivering real insights technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.

Join Twitter

Join Now

Join Telegram

Join Now

1 thought on “DeepSeek AI Builds Browser Only Ransomware Using File System Access API”

Leave a Comment