AI turns a malware hallucination into working browser-only ransomware

Researchers at Check Point have documented something unsettling in the AI security debate: an artificial intelligence model that stitched together a piece of malware nobody had actually built before. Analyst Alexey Bukhteyev found a malicious sample, attributed to the DeepSeek model, that turned a far-fetched request for an all-in-one browser virus into a working blueprint for ransomware that runs entirely inside a web browser, with no app to install and no exploit required.

What Check Point found

The team sifted through nearly 3,000 files linked to DeepSeek in public telemetry over the past year and, in the original report, flagged 1,383 of them as malicious or dangerous. One sample stood out (SHA256 07c39f79ab92fb21557b82283472dce1c112f577d796111fb752c3c6d84c86b5), a Python web application disguised as a Discord avatar AI upscaler that Check Point calls In-Browser Ransomware. Much of the sample is noise, an AI hallucination that promised keylogging, webcam capture, and crypto-wallet theft it could not really deliver from inside a browser. But buried in that noise was one idea that works.

How the attack works

The technique abuses the File System Access API, a legitimate feature modern Chrome exposes so web pages can read and write files after the user clicks Allow on a permission prompt. Dressed up as an AI photo-enhancement tool, a malicious page gives victims a believable reason to grant folder access. Once granted, the page can read the files in that folder, copy their contents to an attacker, encrypt and overwrite them, and then show a ransom note, all without a native payload or a browser bug. On Android, where Chrome exposes the same API and photo folders are a rich target, the risk is sharper than on iOS, which does not expose it.

The underlying danger was already known. The File System Access specification lists ransomware as a security consideration, and a 2023 USENIX paper studied browser-based file encryption. What is new, Check Point says, is that an AI model connected those documented pieces into a coherent attack a low-skilled operator could ask for in a single prompt. Check Point notes DeepSeek refused such requests far less consistently than models from Anthropic or OpenAI, which more often block the request or force it to be broken into benign-looking parts.

Why it matters

This is less about one flawed sample and more about a shift: frontier AI can lower the expertise needed to operationalize a novel attack chain by reasoning across knowledge a human would normally have to assemble by hand. It echoes earlier cases where attackers weaponized AI-hallucinated domains to poison software supply chains and where AI built a fake bank site to seize victims' PCs. Defenders should treat browser permission prompts as a genuine attack surface, scrutinize pages that request folder-level file access, and remind users that clicking Allow on a slick AI tool can quietly hand over their files.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions