An AI Chatbot May Have Just Stumbled Into a New Kind of Browser Ransomware
Check Point researchers found something odd sitting on VirusTotal since January — malware that pulls off a full ransomware attack from inside the browser itself. No download, no exploit, no admin rights needed. It was disguised as a Discord avatar upscaler, which is how it likely got past a few unsuspecting users.
Underneath, InfernoGrabber v9.0 does what most infostealers do: it grabs Discord tokens, card numbers and crypto wallet seed phrases, logs keystrokes, and taps into webcams and mics. Standard stuff. The interesting part is what it does next.
It leans on Chrome's File System Access API — a completely legitimate feature. A victim clicks "allow" on what looks like an ordinary folder permission prompt, and that's it. The malware can now read, encrypt, and overwrite files in that folder, then drop a Bitcoin ransom note. No vulnerability exploited, no code injected — just a browser feature used the way it was never meant to be.
What's really catching researchers' attention, though, is how this thing came to exist in the first place. They believe DeepSeek's model built it — someone fed it a vague, ambitious prompt, and the AI apparently connected a fairly obscure browser API to standard malware concepts on its own. The person prompting it didn't need to know the API existed, or have any real hacking background.
Check Point has been tracking DeepSeek-linked files for about a year now — roughly 3,000 reviewed, with close to 1,400 flagged malicious. But this is the first time, they say, they've seen an AI model independently land on a genuinely new attack technique, one that had previously been considered blocked off by browser sandboxing.
For now, there's no sign this specific method has shown up in the wild — it's still confined to the lab. But Check Point's Eli Smadja put it bluntly: the assumption that AI models will simply refuse obviously malicious prompts isn't holding up anymore. The next dangerous technique, he says, might not come from a human researcher at all — it might come from an AI that got lucky. His advice to companies is simple: stop treating browser permission prompts as a formality and start treating them as an actual security decision.
The attack currently only works on Chromium-based browsers — Chrome and its relatives — on Windows and Android, since it relies on that one specific API.
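One way to act on that advice in a managed Chrome fleet, as an added example that is not from Check Point or the original article: audit the browser's enterprise policy for the File System Access guard settings, so the folder prompt only appears on origins that have been approved. The policy keys are Chrome's own; the function name, the two sample policies and the intranet origin are constructed for illustration.

```python
import json

BLOCK, ASK = 2, 3  # values Chrome defines for the two guard-setting policies

# Constructed sample policies (not from the article). WEAK leaves the write
# default unset and allow-lists a wildcard; HARDENED blocks by default.
WEAK = json.loads("""{
  "DefaultFileSystemReadGuardSetting": 3,
  "FileSystemWriteAskForUrls": ["https://editor.intranet.example", "*"]
}""")
HARDENED = json.loads("""{
  "DefaultFileSystemReadGuardSetting": 2,
  "DefaultFileSystemWriteGuardSetting": 2,
  "FileSystemWriteAskForUrls": ["https://editor.intranet.example"]
}""")


def audit_file_system_access(policy):
    """Return findings for settings that let arbitrary sites show the folder prompt."""
    findings = []
    for kind in ("Write", "Read"):
        default_key = f"DefaultFileSystem{kind}GuardSetting"
        ask_key = f"FileSystem{kind}AskForUrls"
        # An unset policy means Chrome's built-in default: ask the user.
        if policy.get(default_key, ASK) != BLOCK:
            findings.append(f"{default_key}: any site can prompt for {kind.lower()} access")
        # A wildcard in the ask-list reopens the prompt even under a blocking default.
        for pattern in policy.get(ask_key, []):
            if "*" in pattern:
                findings.append(f"{ask_key}: pattern {pattern!r} is not a single origin")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_file_system_access(policy) or "no findings")
```

Blocking by default also stops legitimate web apps that use the API, such as in-browser editors, so each one needs an explicit entry in the ask-list.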