Hidden Prompt Attacks Exploit Google Gemini Summaries for Phishing
A security researcher has demonstrated a method to exploit Google Gemini in Workspace by embedding hidden instructions in emails, causing the AI to generate misleading summaries. The attack uses invisible text at the end of the email—styled with HTML and CSS to have zero font size and white color—so it's not visible to the recipient but still processed by Gemini. When the user requests a summary, Gemini unknowingly follows the embedded directive, potentially inserting fake warnings or instructions that appear to come from Google, including claims about a compromised password with a phone number for support. These messages don’t contain links or attachments, making them more likely to bypass spam filters and reach the inbox. Because Gemini is integrated into Google Workspace and perceived as a trusted tool, users may take the generated summary at face value, not realizing the attacker manipulated it. The vulnerability was reported through Mozilla’s 0din bug bounty program, and while similar prompt injection issues have been known since 2024, this technique shows they remain effective despite recent safeguards. The researcher emphasized that traditional detection methods might miss these emails since the harmful content is invisible to the human eye and doesn't include obvious threat indicators. To defend against this, security teams are advised to strip or sanitize hidden text from emails before Gemini processes them or apply filters that scan summaries for signs of urgency, contact info, or instructions. Google has responded by confirming they are working on mitigation steps, using red-teaming to train Gemini against adversarial inputs, though full protections are still being deployed. Users should remain cautious and avoid relying solely on Gemini for interpreting potentially sensitive or security-related messages.
CHM Malware Campaign Uses Fake Polish Bank Receipt to Deliver Hidden Payloads
Threat actors are abusing Microsoft Compiled HTML Help (CHM) files in a multi-stage malware campaign, with a recent case involving a file named deklaracja[.]chm uploaded from Poland. When opened, the file launches a decoy image posing as a Polish bank receipt while executing malicious code in the background. Inside the CHM container are several hidden elements: a heavily obfuscated HTML page, system files, a fake MP3 file containing a DLL payload, and the decoy image. The HTML file runs JavaScript designed to decode and execute further HTML, which creates an iframe for the image and uses an outdated HTML tag tied to Internet Explorer to force a download of the disguised MP3 file. It then exploits a legacy ActiveX control (hhctrl[.]ocx) to simulate user interaction, triggering a silent command-line sequence that searches temporary files, verifies the payload by file size, extracts it, and loads it using rundll32[.]exe. The extracted payload, a DLL named unt32[.]dll, is a downloader that uses obfuscated code and encrypted strings to avoid detection. It connects to a remote server and downloads another payload hidden inside a fake JPEG file referencing a well-known podcast. The downloader checks the file size, strips out the image portion, decrypts the embedded malware, and stores it locally under a fake system folder. It is then executed and made persistent using a COM-based scheduled task, ensuring it runs on startup. This campaign aligns with previous attacks tied to a Belarus-linked group, UNC1151 (also known as FrostyNeighbor), which has targeted multiple countries in Eastern Europe and other regions. The attackers are combining social engineering, outdated Windows components, and evasive techniques to bypass security tools and maintain access to compromised systems, all while keeping their activity hidden behind seemingly harmless documents and media files.
Update: Interlock Ransomware Adopts PHP-Based RAT in Evolving Campaigns
A newly uncovered PHP-based variant of the Interlock ransomware group’s remote access trojan (RAT) shows the group evolving its tactics to improve stealth and persistence on Windows systems. Tracked by researchers as part of the KongTuke or LandUpdate808 cluster, this campaign has been active since May 2025, leveraging compromised websites to deliver malware. The infection starts with a single-line script injected into site HTML, which uses strict IP filtering to target victims selectively. When triggered, the script tricks users into completing a fake captcha and then instructs them to paste a command into the Windows Run dialog, similar to the clickfix technique. This command executes a PowerShell script that silently downloads and runs the PHP-based RAT. Unlike earlier versions built on Node.js, the PHP variant is deployed using a mechanism called FileFix and occasionally hands off control to the older Node[.]js variant, depending on the target environment. Once installed, the RAT runs a PHP executable from the user’s AppData\Roaming folder, using suspicious command-line arguments and loading configuration files in non-standard formats. It quickly begins profiling the infected machine using PowerShell commands to collect data on system specs, running processes, services, connected drives, network details, and user privilege level. Interactive sessions have been observed where attackers manually run commands to pull Active Directory data, domain controller lists, and search for backup systems like Veeam. The malware uses Cloudflare Tunnel services (trycloudflare[.]com) for command and control, with hardcoded IP fallbacks to maintain communication. It supports a wide range of functionality including downloading and executing additional payloads, modifying the Windows registry for persistence, launching remote shell sessions, and terminating itself if needed. Lateral movement is achieved through RDP, and the campaign’s broad targeting across industries highlights a strategic shift in scope and capability. This evolution reflects the group’s growing sophistication and continued focus on evading detection using lesser-monitored scripting environments.
