New AI-Generated Ransomware Emerges, Runs Inside Browsers on Windows and Android Devices
Cybersecurity researchers have identified malware generated with DeepSeek that combines a previously theoretical attack concept with real browser capabilities. The result is a functional ransomware technique that operates solely within the browser on both Windows and Android platforms.
According to a statement from Check Point, this marks the first instance where an advanced AI model has successfully bridged the gap between a theoretical browser-only ransomware risk and an actual, operational attack chain. The discovery of this new attack path challenges previous assumptions that such attacks were not feasible due to browser sandboxing limitations.
The malware artifact, known as “InfernoGrabber” v9.0, is a Python Flask application with the file name “deepseek_python_20260125_da0631.py”. It was uploaded to VirusTotal on January 25, 2026, and the scanning service describes it as a fully functional information stealer and ransomware toolkit.
Upon analysis, it was found that the malware functions as a malicious web server disguised as a Discord avatar AI upscaler. It carries out a range of malicious activities, including stealing Discord tokens, collecting credit card details and cryptocurrency seed phrases, logging keystrokes, and accessing webcam and microphone feeds without permission.
The malware code contains specific routines for browser exploitation, data exfiltration through a Discord webhook, a ransomware screen demanding Bitcoin, and an administrative dashboard for managing stolen data.
Artificial intelligence and large language models have significantly impacted the cybersecurity landscape, allowing threat actors to use the technology to develop malware and exploits. The use of DeepSeek in particular highlights how effective it is at generating malicious applications, since it refuses cyber-related requests less often than models from Western companies.
Check Point Research uncovered this Python artifact during an analysis of DeepSeek files, identifying it as an instance of In-Browser Ransomware that employs a browser-native technique previously unseen in real-world campaigns. The attack uses a phishing decoy on a web page to obtain file system access, which allows files to be encrypted and held for ransom without installing additional software or exploiting browser vulnerabilities.
The attack method targets browsers that support the File System Access API, such as Google Chrome and other Chromium-based browsers, but there is no evidence that it has been used in actual cyber attacks.
Testing confirmed the attack’s compatibility across various platforms, including Windows, macOS, Linux, and Android, but not on iOS. The wide reach of the attack surface underscores the potential impact on desktop and Android users.
AI-assisted development has lowered the barrier for threat actors to create offensive code, with models capable of generating functional malware based on broad, abstract prompts. This shift in attack techniques calls for organizations to strengthen their security measures and treat every browser prompt as a security decision.
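Because the technique depends on a user accepting a File System Access prompt in a Chromium-based browser, one defensive check is to audit the managed browser policy that controls those prompts. The script below is an added example, not code from the article or from Check Point; it relies on Chrome's enterprise policies DefaultFileSystemReadGuardSetting, DefaultFileSystemWriteGuardSetting, FileSystemReadAskForUrls and FileSystemWriteAskForUrls (2 = block, 3 = ask). The sample policies and host names are constructed.

```python
"""Audit Chrome/Chromium managed policy for File System Access API exposure."""
import json

BLOCK = 2  # policy value: sites may not request access
ASK = 3    # policy value: sites may prompt the user (the browser default)

GUARDS = {
    "DefaultFileSystemWriteGuardSetting": "write",
    "DefaultFileSystemReadGuardSetting": "read",
}
ASK_LISTS = ("FileSystemWriteAskForUrls", "FileSystemReadAskForUrls")


def audit_fs_access_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means prompts are blocked by default."""
    findings = []
    for key, kind in GUARDS.items():
        value = policy.get(key)
        if value is None:
            findings.append(f"{key} unset: any site may prompt for {kind} access")
        elif value != BLOCK:
            findings.append(f"{key}={value}: any site may prompt for {kind} access")
    for key in ASK_LISTS:
        for pattern in policy.get(key, []):
            # Wildcard exceptions re-open the prompt to a broad set of origins.
            if "*" in pattern:
                findings.append(f"{key} has broad exception: {pattern}")
    return findings


# Constructed sample policies (not taken from any real deployment).
WEAK = json.loads("""{
  "DefaultFileSystemWriteGuardSetting": 3,
  "FileSystemWriteAskForUrls": ["[*.]example.com"]
}""")
HARDENED = json.loads("""{
  "DefaultFileSystemReadGuardSetting": 2,
  "DefaultFileSystemWriteGuardSetting": 2,
  "FileSystemWriteAskForUrls": ["https://editor.intranet.example"]
}""")

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_fs_access_policy(pol) or "OK")
```

In a real audit the dictionary would be loaded from the managed policy the browser actually applies, which can be inspected at chrome://policy.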
As AI continues to shape the future of cybersecurity, organizations must adapt to the evolving threat landscape by enhancing their defenses and vigilance against emerging attack methods.
(This article has been updated to include additional insights from Check Point Research.)

