Gemini Exposed to ASCII Smuggling Exploit Enabling Hidden Prompt Injection
FireTail researchers have discovered that Google’s Gemini AI remains vulnerable to ASCII Smuggling, an exploit that utilizes invisible Unicode control characters to conceal malicious commands within ordinary text. FireTail demonstrated that Gemini fails to sanitize these hidden “tag characters,” allowing attackers to manipulate prompts without visible alteration. In one test, a harmless-looking command “Tell me 5 random words” was secretly modified to instruct Gemini to output “FireTail,” exposing how invisible payloads can override user instructions. When embedded in enterprise environments, this flaw allows LLM-integrated systems to process malicious data without user consent or awareness, effectively bypassing human oversight. The attack exploits the discrepancy between what humans perceive in a user interface and what the LLM engine interprets, leveraging a display-layer weakness to create a security-critical vector. Beyond isolated prompt abuse, ASCII Smuggling poses serious risks for organizations using Gemini within Google Workspace, including automated identity spoofing and data poisoning. FireTail proved that attackers can manipulate calendar invites so that Gemini reads hidden organizer names, meeting details, or even implement malicious URLs and execute those instructions automatically, even before a user accepts the event. Similarly, attackers can inject invisible payloads into product reviews or emails to corrupt AI summaries and propagate scam links. While ChatGPT, Copilot, and Claude effectively sanitize inputs, Gemini, Grok, and DeepSeek remain vulnerable. Despite responsible disclosure to Google on September 18, 2025, no remediation has been issued, leaving enterprises vulnerable to exposure. FireTail has since deployed input-stream monitoring and Unicode tag detection to identify and neutralize these smuggled instructions, underscoring that raw data-layer visibility is crucial in defending against AI prompt manipulation attacks.
Mic-E-Mouse Attack Turns Optical Mice into Covert Eavesdropping Devices
Researchers have developed Mic-E-Mouse, a groundbreaking side-channel attack that transforms standard computer mice into makeshift microphones by exploiting the precision of modern optical sensors. These sensors, designed for high-speed tracking, can inadvertently capture acoustic vibrations transmitted through desks or work surfaces as users speak. By applying an advanced signal processing and machine learning pipeline, researchers reconstructed intelligible human speech from these vibrations, achieving an SI-SNR increase of +19dB, 80% speaker recognition accuracy, and a 16.79%-word error rate in human testing. The attack works across consumer-grade mice costing under $50, demonstrating that everyday peripherals can be repurposed into covert surveillance tools capable of capturing speech frequencies between 200Hz and 2000Hz, which is the core range of human conversation. Attackers could deploy this technique through compromised or seemingly benign software, including creative applications or video games that naturally handle high-frequency mouse data. Once embedded, the exploit silently captures raw motion packets during everyday use and exfiltrates them via existing networking functions, such as in-game telemetry systems. All subsequent signal reconstruction occurs offline, leaving no signs of compromise on the victim’s device. As high-performance optical sensors become cheaper and more widespread, this attack surface will continue to grow across consumer, corporate, and government environments. To mitigate the risk, organizations should restrict raw device telemetry access, sandbox applications that request high-frequency sensor data, and monitor for unusual data transfer patterns linked to input devices.
Shuyal Stealer Expands Browser Targeting for Credential Theft
Researchers have identified Shuyal Stealer, a powerful and highly invasive infostealer that breaks from conventional browser-focused malware by targeting 19 different browsers, including Chrome, Edge, Brave, Tor, and Vivaldi. Developed in 64-bit C++, it conducts deep system profiling through Windows Management Instrumentation (WMI) commands to extract disk drive specifications, input device IDs, and display configurations. Beyond credential theft, it captures screenshots, clipboard contents, and Discord tokens, funneling everything to attackers through a Telegram Bot API channel. Its infection chain utilizes PowerShell to compress stolen data into a “runtime[.]zip” archive, which is exfiltrated to the attacker’s chat. This is followed by the execution of a batch file to delete traces and disable Task Manager through registry modifications. By permanently setting the DisableTaskMgr value to 1, Shuyal prevents manual termination, allowing it to persist undetected. Shuyal’s persistence is reinforced by copying itself into the Windows Startup folder using the CopyFileA API, guaranteeing execution on every reboot. The malware runs SQL queries against browser-stored databases to extract URLs, usernames, and encrypted passwords, expanding its credential theft capabilities across both mainstream and lesser-known browsers. It also generates detailed logs in “history[.]txt” and “tokens[.]txt,” recording browser scan activity and stolen authentication data. Once exfiltration is complete, the malware executes a self-deletion script to erase all residual artifacts, thereby minimizing the likelihood of forensic recovery. Shuyal Stealer’s extensive browser coverage, deep reconnaissance, and advanced evasion tactics make it one of the most dangerous infostealers in circulation. Defenders should enforce script execution restrictions, monitor PowerShell and WMI activity, and deploy behavioral detection to identify anomalies indicative of Shuyal’s operations.
