
Threat actors have found a new way to deliver ransomware by hiding malicious instructions in AI-generated content summaries. The target then executes a self-sabotaging command and is infected.
According to research by threat monitoring vendor CloudSEK, this is a new ClickFix social engineering proof-of-concept attack. The tactic is getting increasingly popular, with attackers displaying a call to action message instructing the target to execute self-sabotaging commands.
This time, though, the chosen method is unique. CloudSEK researchers say they found that a threat actor could craft content that would manipulate AI-generated text summaries into displaying malicious Windows Run commands.
“Threat actors hide malicious instructions in documents using CSS obfuscation and prompt overdose. This makes the code invisible to humans but fully readable to AI models,” Dharani Sanjaiy, CloudSEK’s vulnerability researcher, wrote in a blog post.
“When a user summarizes the content, the AI-generated output delivers the malicious payload, tricking the user into executing ransomware.”
The attack is achieved by embedding payloads within HTML content using CSS-based obfuscation methods, including zero-width characters, white-on-white text, tiny font rendering, and off-screen positioning, CloudSEK explained.
While invisible to human readers, these embedded prompts – crucially – remain fully interpretable by AI models. The payloads are repeated extensively within hidden sections, employing a “prompt overdose” strategy to dominate the model’s context window and steer output generation.
In other words, when malicious code is pasted repeatedly, AI models that view the content are overloaded and prioritize the payload in their summaries.
When such crafted content is indexed, shared, or emailed, any automated summarization process that ingests it will produce summaries containing attacker-controlled ClickFix instructions.
Of course, this significantly increases the risk of ransomware spreading, as recipients may execute the provided steps without realizing they originated from hidden malicious input rather than the visible source material.
What’s more, “once published or distributed, this crafted content can be indexed by search engines, posted on forums, or sent directly to targets,” said Sanjaiy.
The end goal is seemingly to generate “indirect ransomware lures” which can turn an AI tool “from a passive assistant into an active participant in the social engineering chain,” he added.
To combat the threat, CloudSEK advises organizations to ensure that summarization tools preprocess HTML to normalize suspicious CSS attributes like those mentioned above, and that AI tools pass content through a prompt sanitizer before forwarding it to a summarizer. It also recommends implementing payload pattern recognition and enterprise-level AI policy enforcement.
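As an added illustration of the first and third recommendations (this is not CloudSEK's code), the following Python sketch separates the text a reader sees from text hidden by the CSS tricks listed above, strips zero-width characters, and flags hidden text that repeats in the "prompt overdose" pattern. The regex heuristics, the `preprocess` function, the repeat threshold and the sample page are all assumptions made for the example.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Heuristics for the hiding tricks the article lists (inline styles only).
HIDDEN_STYLE = re.compile(
    r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?|white)\b"           # white text (assumes white page)
    r"|font-size\s*:\s*(?:0|[01]?\.\d+|1)(?:px|pt)?\s*(?:;|$)"  # tiny font
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)           # off-screen positioning
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
VOID = {"br", "hr", "img", "input", "meta", "link", "wbr", "source"}

class SummarizerPreprocessor(HTMLParser):
    """Splits page text into what a reader sees and what CSS hides."""
    def __init__(self):
        super().__init__()
        self.stack = []                  # per open element: inside a hidden subtree?
        self.visible, self.hidden = [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        parent_hidden = bool(self.stack) and self.stack[-1]
        self.stack.append(parent_hidden or bool(HIDDEN_STYLE.search(style)))
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        text = " ".join(ZERO_WIDTH.sub("", data).split())
        if text:
            (self.hidden if self.stack and self.stack[-1] else self.visible).append(text)

def preprocess(html, repeat_threshold=3):
    """Return sanitized summarizer input plus indicators of hidden-prompt abuse."""
    parser = SummarizerPreprocessor()
    parser.feed(html)
    parser.close()
    repeated = {t: n for t, n in Counter(parser.hidden).items() if n >= repeat_threshold}
    return {"summarizer_input": " ".join(parser.visible),
            "hidden_fragments": len(parser.hidden),
            "zero_width_chars": len(ZERO_WIDTH.findall(html)),
            "prompt_overdose": repeated}   # hidden text repeated >= threshold times

# Constructed sample page; the hidden text is an inert placeholder.
HIDDEN = '<span style="color:#ffffff; font-size:1px">PLACEHOLDER hidden instruction</span>'
SAMPLE = ("<html><body><h1>Quarterly report</h1><p>Revenue grew 4% in Q2.</p>"
          + HIDDEN * 5
          + '<div style="position:absolute; left:-9999px"><p>PLACEHOLDER off-screen</p></div>'
          + "<p>Head\u200bcount is un\u200dchanged.</p></body></html>")
```

Only `summarizer_input` would be forwarded to the model; a non-empty `prompt_overdose` result is a signal to quarantine or log the page. Styles applied through external stylesheets or classes are outside what this inline-style check can see.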