AI Summaries a New Vector for Malware

Hackers can transform artificial intelligence-powered summarization tools into unwitting delivery agents for ransomware instructions through hidden code and prompt manipulation, security researchers warn.

Threat actors can embed malicious payloads within seemingly benign web content using CSS-based obfuscation techniques, said digital risk management firm CloudSEK. The hidden instructions are invisible to human readers but are processed by AI summarization systems integrated into email clients, browser extensions and productivity platforms.

The attack uses what researchers call “prompt overdose,” a technique in which malicious instructions are repeated dozens of times within invisible HTML styled with properties such as zero opacity, white-on-white text, microscopic font sizes and off-screen positioning. When AI summarizers process this content, the repeated hidden text dominates the model’s attention mechanisms, pushing legitimate visible content aside.

“When processed by a summarizer, the repeated instructions typically dominate the model’s context, causing them to appear prominently – and often exclusively – in the generated summary.”

The method is an evolution of ClickFix, a social engineering tactic in which threat actors present users with fake error messages or troubleshooting steps to trick them into downloading malware. Cybercriminals have been quick to adapt the technique to fool large language models rather than humans (see: Agentic AI Browser an Easy Mark for Online Scammers).

The attack’s effectiveness stems from user reliance on AI-generated summaries for quick content triage, often replacing manual review of original materials. Testing showed that the technique works across AI platforms, including commercial services like Sider.ai and custom-built browser extensions.

Researchers also identified factors amplifying the attack’s potential impact. Summarizers integrated into widely used applications could enable mass distribution of social engineering lures across millions of users. The technique could lower technical barriers for ransomware deployment by providing non-technical victims with detailed execution instructions disguised as legitimate troubleshooting advice.

The method also uses content distribution mechanisms like search engine optimization and social media syndication to transform single malicious posts into multi-vector campaigns. “Once published or distributed, this crafted content can be indexed by search engines, posted on forums, or sent directly to targets,” CloudSEK said.

CloudSEK’s testing showed consistent results, though researchers said there was some variability in model behavior. In most cases, summarizers produced clean instruction-only outputs containing the ClickFix payload. Occasionally, systems generated mixed outputs that included condensed versions of visible content alongside the malicious commands, though the targeted instructions were prominently featured.

“In certain instances, the summarizer appended a condensed version of the visible page text alongside the ClickFix payload,” the research said.

Organizations can implement defensive measures against these attacks, such as preprocessing HTML content to strip suspicious CSS attributes like zero opacity and microscopic fonts before feeding content to summarization systems, and implementing prompt sanitizers that detect embedded meta-instructions.
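The preprocessing step described above could look like the following Python sketch, which is an added example and not code from CloudSEK's report. It drops text inside elements hidden by inline styles before the page reaches a summarizer and reports hidden strings that repeat, the "prompt overdose" signal. The names `VisibleText` and `sanitize_for_summarizer`, the thresholds and the sample page are assumptions; styles applied through stylesheets or classes are not covered and would need computed styles from a rendering engine.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Inline-style hiding tricks named in the article. Thresholds are assumptions;
# the white-text rule assumes a white page background.
HIDDEN_STYLE = re.compile(
    r"opacity\s*:\s*0(\.0+)?\s*(;|$)|display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*[01](\.\d+)?(px|pt)?\s*(;|$)"
    r"|(left|top|text-indent)\s*:\s*-\d{4,}px"
    r"|(^|;)\s*color\s*:\s*(#fff(fff)?|white)\s*(;|$)", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
        "meta", "source", "track", "wbr"}

class VisibleText(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []  # per open element: is it, or an ancestor, hidden?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:  # void elements never get a closing tag
            return
        style = (dict(attrs).get("style") or "").strip()
        hidden = tag in ("script", "style") or bool(HIDDEN_STYLE.search(style))
        self.stack.append(hidden or bool(self.stack and self.stack[-1]))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden if self.stack and self.stack[-1] else self.visible).append(text)

def sanitize_for_summarizer(html, max_repeats=3):
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    repeated = [t for t, n in Counter(parser.hidden).items() if n >= max_repeats]
    return {"text": " ".join(parser.visible),
            "hidden_chunks": len(parser.hidden), "repeated_hidden": repeated}

# Constructed sample page: one visible paragraph plus repeated hidden filler.
SAMPLE = ("<h1>Quarterly report</h1><p>Revenue grew <b>4%</b> this year.<br>Details follow.</p>"
          + '<div style="opacity:0">HIDDEN-INSTRUCTION-PLACEHOLDER</div>' * 4
          + '<span style="font-size: 1px">HIDDEN-INSTRUCTION-PLACEHOLDER</span>'
          + '<p style="position:absolute; left:-9999px">off-screen filler</p>')
```

Only the `text` field should be passed to the summarizer; a non-empty `repeated_hidden` list is a reason to flag the page for review rather than summarize it.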

Security teams should establish payload pattern recognition systems to identify common malicious command structures, including Base64-encoded binaries and known ransomware delivery commands, the report said.
