
Check Point Research Ransomware: AI-Generated InfernoGrabber Abuses Chromium API (July 2026)
Check Point Research: What Happened
Cybersecurity researchers at Check Point Research have confirmed the discovery of InfernoGrabber v9.0, a novel AI-generated browser ransomware. The malware, crafted using the DeepSeek AI model, operates entirely within Chromium-based browsers on both Windows and Android platforms. It abuses browser-native APIs to encrypt files and exfiltrate sensitive data, including Discord tokens, credit card information, and cryptocurrency seed phrases. Notably, no native payloads or exploitation of traditional browser vulnerabilities were required, marking a significant evolution in ransomware delivery.
Attack Vector & Technical Detail
InfernoGrabber v9.0 leverages the File System Access API, a legitimate browser feature, to access and encrypt files within directories the browser can reach. The malware is delivered as a malicious script, requiring only user interaction within the browser environment. It employs the DeepSeek AI model for code generation, lowering the technical barrier for attackers. Key IOCs include the script deepseek_python_20260125_da0631.py and the use of Discord webhooks for data exfiltration. MITRE tactics observed are TA0005 (Defense Evasion), TA0040 (Impact), TA0006 (Credential Access), TA0009 (Collection), and TA0011 (Command and Control). While CVE-2023-4863 is referenced, the attack does not exploit a vulnerability but rather abuses legitimate browser functionality.
Confirmed Impact
Although InfernoGrabber v9.0 has not yet been observed in active campaigns, its demonstrated capabilities include file encryption, keystroke logging, webcam and microphone capture, and the theft of sensitive credentials. The attack path is browser-native and cross-platform, affecting both Windows and Android users globally who utilize Chromium-based browsers. The ransomware displays ransom notes demanding Bitcoin payment. The technique poses significant regulatory and privacy risks, especially for organizations handling sensitive user data via browser-based workflows.
What This Means for Your Organization
This incident highlights a critical shift in ransomware tactics: the ability to execute impactful attacks entirely within the browser, bypassing traditional endpoint defenses. Organizations relying on Chromium-based browsers should review permissions for the File System Access API and restrict unnecessary access. Security teams must update browser security policies, monitor for suspicious script execution, and educate users about the risks of interacting with untrusted web content. Proactive controls at the browser and network layers are essential to mitigate this emerging threat vector.
Detection & Response
- Immediate: Audit and restrict browser permissions for the File System Access API on managed endpoints.
- Hunt: Search for execution or presence of deepseek_python_20260125_da0631.py and anomalous Discord webhook traffic.
- Patch: N/A – No patch available; mitigation is through browser configuration and user awareness.
Source: https://thehackernews.com/2026/07/ai-generated-browser-ransomware-abuses.html
Start Your 14-Day Free Trial
Get curated cyber intelligence delivered to your inbox every morning at 6 AM. No credit card required.
Get Started Free

