Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

AI-Generated Browser Ransomware Abuses Chromium API on Windows and Android

The Hacker News by The Hacker News
July 1, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Cybersecurity researchers have flagged a new malware artifact generated using DeepSeek that constructed a novel attack path combining “unrealistic browser-malware concepts with a real browser capability” to turn it into a working ransomware technique that runs entirely inside the browser on both Windows and Android devices.

“This is the first documented case where a frontier AI model independently bridged the gap between a theoretical browser-only ransomware risk and a practical, working attack chain – surfacing a novel attack path that defenders had previously dismissed as unfeasible due to browser sandboxing limits,” Check Point said in a statement shared with The Hacker News.

“The expertise needed to discover a new attack path is no longer the bottleneck, and defenders need to account for that shift now — before threat actors operationalize it at scale.”

The identified sample is a Python Flask application named “deepseek_python_20260125_da0631.py” that was uploaded to VirusTotal on January 25, 2026, with the Google-owned malware scanning service describing it as a “fully functional information stealer and ransomware toolkit.” It has been named InfernoGrabber v9.0 by the malware author.

The application is designed to operate as a malicious web server that lures victims with a fake Discord avatar AI upscaler, while stealthily running a wide array of harmful actions, including stealing Discord tokens, harvesting credit card numbers and cryptocurrency seed phrases, logging keystrokes, and capturing unauthorized webcam and microphone feeds.

“The code includes specific routines for browser exploitation (targeting CVEs like CVE-2023-4863), data exfiltration via a hard-coded Discord webhook, a ransomware ‘WinLocker’ screen demanding Bitcoin, and an administrative dashboard for the attacker to manage stolen data,” according to VirusTotal.

The findings come as artificial intelligence and large language models (LLMs) are redefining the cyber threat landscape, enabling threat actors to abuse the technology to develop malware and exploits. The use of DeepSeek is noteworthy as it signals that the Chinese company’s models have lower refusal rates for malicious cyber requests when compared to its Western counterparts from Anthropic, Google, or OpenAI.

Other factors that may have facilitated the use of DeepSeek is its free access via the web interface, availability in regions where other frontier models do not operate, and its ability to generate a working malicious application from a “single broad prompt” as opposed to models from Anthropic or OpenAI.

“DeepSeek models can turn high‑level malicious ideas into concrete, complete attacks with less expertise than competing platforms,” Check Point Research said.

The Israeli cybersecurity company said it unearthed the Python artifact as part of its analysis of about 3,000 files attributed to DeepSeek over the past year. Of these, 1,383 samples have been classified as malicious or dangerous. The Python malware is an instance of what’s called In-Browser Ransomware that implements a browser-native technique not encountered in real-world campaigns in the past. The exact prompt that was used to produce the sample is unknown.

The attack technique entails using a phishing decoy to trick a user into granting file system access to a web page, which then enumerates local files in the selected folder, reads and exfiltrates their contents, encrypts and overwrites them, and finally displays an extortion note to the victim. What makes this more unusual is that all of this can be accomplished without installing a native payload, exploiting a browser vulnerability, or requiring root access.

It’s worth mentioning here that the approach is limited to web browsers that expose the picker-based File System Access API. This includes Google Chrome and other Chromium-based browsers across Windows and Android operating systems. There is no evidence that the browser-native ransomware pattern has been abused in the wild.

Another troubling aspect of AI-assisted development is that it not only lowers the barrier for bad actors to generate offensive code, but also the fact that they do not even need to know such a file system access API exists in the first place, or have the technical expertise to abuse it.

Put differently, entering an overly broad prompt is enough for an LLM – subject to guardrails, or lack thereof — to formulate a working attack blueprint from an abstract malicious request. When a user with limited technical understanding outlines unrealistic requirements, the model, in its quest to satisfy them, can generate hallucinated outcomes, surfacing unusual techniques in the process.

“What we are witnessing is a fundamental shift in how novel cyber attacks are born. For the first time, we have evidence that an AI model can independently reason across legitimate platform features and surface a working attack technique that humans had only theorised about – without the attacker ever knowing the underlying API existed,” Eli Smadja, head of research at Check Point Research, said in a statement.

“The barrier to operationalizing complex attacks is collapsing, and that has profound implications for every organisation embedding AI into its workflows, and for every mobile user who now carries their entire personal and professional life inside a photo library. The future of AI security cannot rest on hoping models refuse the obvious malicious request; it must assume that the next attack technique will be discovered not by a human researcher, but by an AI hallucination that accidentally got one thing right.”

Smadja is also urging organizations to prepare by hardening the delivery layer, rethinking permission-based trust, and treating every browser prompt as a security decision.



Source link

The Hacker News

The Hacker News

Next Post
Kyndryl Partners with Microsoft to Expand Sovereignty Solutioning

Kyndryl Partners with Microsoft to Expand Sovereignty Solutioning

Recommended.

European Privacy Group Sues TikTok and AliExpress for Illicit Data Transfers to China

European Privacy Group Sues TikTok and AliExpress for Illicit Data Transfers to China

January 17, 2025
These Democrats Think the Party Needs AI to Win Elections

These Democrats Think the Party Needs AI to Win Elections

August 6, 2025

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
OpenTable Launches All-in-One Marketplace for Private and Group Dining

OpenTable Launches All-in-One Marketplace for Private and Group Dining

September 16, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio