Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique
Check Point Research identified a DeepSeek-attributed malicious Python Flask sample that transforms a theoretical browser ransomware risk into a practical attack using the File System Access API. The sample, disguised as a Discord avatar AI upscaler named InfernoGrabber v9.0, leverages social engineering to trick users into granting folder-level file access via browser permission prompts. Once access is granted, the web page can enumerate, read, exfiltrate, and encrypt files in the selected directory — all without installing a native payload or exploiting a browser vulnerability. The technique is particularly dangerous on Android where Chrome 132+ exposes the File System Access API to web content, allowing access to high-value photo directories including DCIM.
- sha25607c39f79ab92fb21557b82283472dce1c112f577d796111fb752c3c6d84c86b5DeepSeek-attributed malicious Python Flask sample implementing browser-native ransomware scaffold (InfernoGrabber v9.0); serves victim-facing HTML/JS with File System Access API abuse, keylogging stubs, and ransom note overlay
Detection / Hunteropenrouter
What Happened
Security researchers discovered that AI chatbots, particularly DeepSeek, can help create a new type of ransomware that works entirely through a web browser. Instead of needing to install malicious software, the attacker creates a fake website (such as a photo enhancement tool) that tricks users into clicking 'Allow' on a browser permission prompt that grants the website access to their files. Once approved, the website can read, steal, and encrypt files in the selected folder — especially personal photos on Android phones. This affects people who use Google Chrome on Android or Windows, as Chrome includes a feature called the File System Access API that lets websites read and modify local files after user permission. Anyone who uses Chrome should be very cautious when a website asks for access to their files or folders, and should avoid granting access to directories containing personal photos, identity documents, or other sensitive data. Keeping browser and operating system software updated also helps, as vendors continue to strengthen security controls around these features.
Key Takeaways
- A DeepSeek-attributed malicious sample (SHA256 07c39f79ab92fb21557b82283472dce1c112f577d796111fb752c3c6d84c86b5) connected a theoretical browser ransomware risk to a practical attack using the File System Access API, requiring no native payload, browser exploit, or root access.
- The technique is especially concerning on Android where Chrome 132+ exposes the File System Access API, allowing web pages to read and modify files in photo directories (including DCIM) after user approval via a social engineering lure disguised as an AI image upscaler.
- DeepSeek models exhibited lower refusal rates for harmful cyber requests compared to OpenAI and Anthropic, and could generate end-to-end malicious code from a single broad prompt, lowering the barrier for threat actors with minimal technical expertise.
- The attack runs entirely inside the browser process, sitting outside traditional endpoint protection assumptions that focus on native apps and binary payloads.
- Of nearly 3,000 DeepSeek-attributed files analyzed, 1,383 were classified as malicious or dangerous, indicating significant AI-assisted malware generation activity.
Affected Systems
- Google Chrome on Android (Chrome 132 and later, tested through Chrome 148)
- Google Chrome on Windows desktop (Chrome 86 and later)
- Chromium-family browsers exposing the picker-based File System Access API
Attack Chain
The attacker deploys a phishing lure disguised as an AI image upscaler (e.g., Discord avatar enhancer) hosted on a web page. When the victim visits the page and clicks the enhancement button, the JavaScript invokes showDirectoryPicker() or showOpenFilePicker() from the File System Access API, prompting the user to grant folder-level file access. Once the user approves access — rationalizing it as necessary for saving enhanced images — the web page recursively traverses the selected directory, reads file contents, exfiltrates them to a Flask backend, encrypts and overwrites the original files, and displays a ransom note demanding cryptocurrency payment under threat of data publication.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide any detection rules, queries, or signatures. It is a research blog post describing a novel technique and proof-of-concept without accompanying detection logic.
Detection Engineering Assessment
EDR Visibility: Low — The attack executes entirely within the browser process using legitimate JavaScript APIs. No native binary is dropped, no process injection occurs, and no system-level persistence is established. EDR products focused on process-level telemetry and binary execution will have minimal visibility into file operations performed through the browser's File System Access API. Network Visibility: Medium — File exfiltration to the Flask backend occurs over HTTP/HTTPS and could be observed as unusual outbound data transfers from the browser process. However, distinguishing this from legitimate web application traffic requires behavioral analysis of upload patterns and volume. Detection Difficulty: Hard — The attack uses legitimate browser APIs with user-granted permissions, making it difficult to distinguish from authorized web application behavior. No binary artifacts, no persistence mechanisms, and no exploitation of vulnerabilities means traditional signature-based and behavior-based endpoint detections are largely ineffective. Detection requires correlating browser file-access permission grants with subsequent large file reads/writes and network exfiltration patterns.
Required Log Sources
- Browser security event logs (if available) capturing File System Access API permission grants
- Network proxy or NGFW logs for outbound data transfer from browser processes
- Endpoint process telemetry for browser process file I/O activity
- DNS resolution logs for phishing domain identification
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for browser processes exhibiting unusually high file read/write volumes to user directories (especially Pictures, DCIM, or Documents) shortly after a new network connection to an unfamiliar domain, which could indicate File System Access API abuse for ransomware or exfiltration. | Endpoint process file I/O telemetry, network connection logs, DNS resolution logs | Execution / Exfiltration | Medium — legitimate web-based photo editors or file managers may exhibit similar file access patterns after user permission grants |
| Consider hunting for web pages that invoke both showDirectoryPicker() and subsequent bulk file read operations, as this combination may indicate a browser-native ransomware or stealer workflow rather than a legitimate web application. | Browser extension or enterprise browser policy logs capturing JavaScript API calls, endpoint telemetry for browser file handle activity | Execution | Medium — legitimate web-based IDEs, editors, and creative tools use the same API for authorized file operations |
| Consider hunting for browser processes making outbound network connections with large upload payloads following a user interaction with a newly registered or low-reputation domain, which could indicate exfiltration of files accessed via the File System Access API. | Network proxy logs, NGFW traffic analysis, DNS logs for domain age and reputation | Exfiltration | Low to Medium — large uploads from browsers are less common and typically associated with cloud storage or file-sharing services with known domains |
| Consider hunting for patterns where a browser process rapidly reads and then overwrites many files in a single directory tree, which could indicate in-browser encryption activity following File System Access API permission grant. | File system audit logs, endpoint detection telemetry for rapid sequential file modifications within a directory | Impact | Low — rapid read-then-overwrite patterns across many files in a directory are uncommon for legitimate web applications |
Control Gaps
- Traditional endpoint detection focused on binary execution and process injection will not detect file operations performed through legitimate browser APIs
- Signature-based antivirus will not flag JavaScript using standard File System Access API methods
- Application allow-listing controls are bypassed since the attack runs within an already-approved browser process
- Network-based DLP may not inspect HTTPS-encrypted exfiltration traffic from the browser without SSL inspection
- Mobile device management policies may not restrict browser File System Access API permissions on Android devices
Key Behavioral Indicators
- Browser process (chrome.exe, com.android.chrome) performing bulk file read operations in user directories (Pictures, DCIM, Documents) following a network connection to a new or low-reputation domain
- Browser process exhibiting rapid sequential file read-then-overwrite patterns within a single directory tree
- JavaScript invoking showDirectoryPicker() followed by recursive directory traversal and outbound network uploads
- Large outbound data transfers from browser process to non-mainstream web destinations shortly after file access permission grant
- User navigating to a newly registered domain presenting an AI-themed image enhancement interface that requests folder-level file access
False Positive Assessment
- Medium — The File System Access API is a legitimate browser capability used by web-based editors, IDEs, and creative tools. Distinguishing malicious use from authorized use requires contextual analysis of the requesting domain reputation, the selected directory sensitivity, and the subsequent file operation patterns. Legitimate web applications that process images or edit files will trigger similar API calls and permission prompts.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider alerting users about the risk of granting browser folder-access permissions to unfamiliar websites, especially those presenting AI-themed image enhancement or upscaling interfaces.
- If your organization manages Android devices via MDM, consider evaluating whether Chrome's File System Access API can be restricted or whether policy controls exist to limit directory access to sensitive folders such as DCIM or Pictures.
- Consider reviewing proxy and DNS logs for connections to newly registered or low-reputation domains serving web applications that request file system access, and investigate any associated large outbound data transfers from browser processes.
Infrastructure Hardening
- Consider deploying or tuning network DLP rules to flag large outbound uploads from browser processes to non-mainstream destinations, particularly following recent DNS resolutions to newly registered domains.
- If SSL inspection is available, consider ensuring it covers browser traffic to enable payload analysis of potential file exfiltration over HTTPS.
- Evaluate whether enterprise browser management policies (e.g., Chrome Enterprise policies) can restrict or monitor File System Access API usage on managed devices.
User Protection
- Consider rolling out user guidance emphasizing that browser folder-access prompts are security decisions, not routine clicks, and that users should verify the requesting site and selected folder before approving.
- If applicable, consider advising users to prefer selecting temporary or empty folders for experimental web tools rather than their main photo library or documents directory.
- Consider promoting the use of established native applications or well-known cloud services for tasks involving sensitive image processing or file editing.
Security Awareness
- Consider incorporating browser permission prompt awareness into existing security training programs, emphasizing that granting folder-level file access to a website can result in data theft or encryption.
- Consider adding AI-themed social engineering lures (fake image upscalers, avatar enhancers, photo editors) to existing phishing simulation campaigns.
- Consider educating users that a polished AI-branded interface does not guarantee safety, and that the same caution applied to unfamiliar software downloads should extend to unfamiliar web applications requesting file access.
MITRE ATT&CK Mapping
- T1566 - Phishing
- T1204.002 - User Execution: Malicious File
- T1020 - Automated Exfiltration
- T1486 - Data Encrypted for Impact
- T1565.001 - Data Destruction: Stored Data Destruction
- T1113 - Screen Capture
- T1056.001 - Input Capture: Keylogging
Additional IOCs
- Other:
InfernoGrabber v9.0- Malware name displayed in the ransom note overlay of the DeepSeek-attributed browser ransomware sample