Ransomware in Your Summary? New Attack Weaponizes AI Assistants

CloudSEK researchers have uncovered a new attack vector, dubbed ClickFix, which exploits invisible prompt injection and the prompt overdose technique to compromise automated AI summarization systems. The essence of the method lies in concealing step-by-step attacker instructions within HTML content through CSS obfuscation—rendering them invisible to the human eye yet fully legible to language models. When such a document, email, or webpage enters an automated summarization pipeline, the AI generates an output already laced with the attacker’s commands, often masquerading as instructions to install or launch ransomware.

The attack leverages CSS obfuscation techniques such as zero font size, white text on a white background, zero-width spaces, off-screen positioning, and container transparency via opacity: 0. These tricks allow malicious directives to be hidden from human readers while remaining entirely visible to the AI. Attackers further employ prompt overdose—duplicating the malicious text dozens of times to displace legitimate content from the model’s context window, ensuring the summarizer reproduces only the attacker’s instructions.

Repetition, however, is not the only weapon. Hidden directives are also embedded as invisible blocks, explicitly instructing the summarizer to disregard all other content and output only the section marked as “summaryReference.” These directives are repeated multiple times to amplify their weight in the model’s processing. The result is a dual effect: contextual dominance through relentless duplication of the payload, and behavioral manipulation through direct commands to the AI on how to construct its output.

In their proof-of-concept, researchers crafted an HTML document containing two layers of content: visible text resembling a blog post or research article, and hidden blocks with concealed instructions. These invisible sections contained Base64-encoded PowerShell commands, such as:

powershell.exe -enc d2hvYW1p

While harmless in the demonstration, such code could easily be replaced in real-world scenarios with commands to deploy ransomware or other malware. The malicious block was duplicated dozens of times, ensuring it became the model’s dominant source of content.

During testing, summarizers that processed the poisoned document generated “recommendations” instructing users to execute commands via the Windows Run dialog—essentially serving as relays for malicious payload delivery. In most cases, the final output consisted entirely of attacker-supplied steps, though occasionally fragments of the original visible text remained. In one instance, alongside the PowerShell execution directive, the summary included an unrelated sentence about “neuromuscular signals and immune response research,” highlighting the hidden directive’s strong influence, though not absolute dominance.

To test its universality, researchers extended the attack to not only popular commercial services but also their own browser extension with built-in summarization. The results were identical: the embedded AI tool dutifully read hidden blocks and reproduced the malicious commands in full. This confirmed that the vulnerability is vendor-agnostic and can affect any application that processes HTML content without sanitization.

The scalability of the attack poses particular danger. Adversaries can mass-publish “poisoned” pages, promoting them through SEO, aggregators, blogs, forums, and social media. Once such content is indexed by search engines, email previews, newsletters, or browser assistants, summarizers begin propagating malicious instructions across countless channels—email, push notifications, and auto-previews. A single compromised post can thus evolve into a multivector delivery system for attacker commands.

The threat becomes especially acute for corporate ecosystems, where AI assistants, mail gateways, CMS platforms, and ticketing systems increasingly rely on automated summarization to accelerate document and request handling. If poisoned external content enters these systems, attacker instructions may surface in trusted reports, tickets, or summaries, masquerading as legitimate recommendations and greatly increasing the likelihood of execution by employees.

The report warns that this technique could soon be commoditized. Based on the methods observed, one can envision the emergence of Summarizer Exploitation Kits—parallels to RaaS—that would allow cybercriminals to automate the creation and distribution of poisoned content.

Experts highlight several critical countermeasures:

• HTML sanitization: automatic removal of elements with suspicious CSS properties (e.g., opacity: 0, font-size: 0, white-on-white text, zero-width characters) before passing content to summarizers.
• Prompt filtering: detection of hidden directives targeting model behavior, including instructions to “ignore text” or symptoms of prompt overdose.
• Payload analysis: recognition of ClickFix patterns, Base64 payloads, PowerShell launch commands, and other ransomware indicators using heuristic detection and decoding.
• Context balancing: reducing the weight of repeated blocks at the token level to prevent them from overwhelming visible content.
• User experience safeguards: flagging interface warnings when summaries contain instructions originating from hidden document sections, and blocking or alerting users if malicious steps are detected.
• Corporate policy enforcement: scanning all uploaded materials in DMS, CMS, and mail gateways for CSS obfuscation and invisible directives.

The authors caution that ransomware operators and other advanced groups could swiftly adopt this technique, integrating it into existing attack chains. Combined, invisible prompt injection and prompt overdose transform AI summarizers into potent command delivery channels—where instructions remain invisible to humans, yet starkly visible and faithfully executed by AI.