Invisible Prompts Turn AI Summaries into Attack Vectors

Note: Welcome to post #1 of Forcepoint’s 2026 Future Insights series, where we discuss topics shaping the future of cybersecurity.

###

Late last year, Forcepoint X-Labs researchers began noticing a peculiar pattern in telemetry from recent ClickFix detections. A series of short-lived domains, many active for less than a day, appeared and disappeared across networks. Unlike the noisy fake browser updates and phishing ZIP files seen in the early Windows ClickFix variants covered in X-Labs’ Lumma Stealer and Rhadamanthys research, these new pages were almost invisible.

The HTML looked harmless at first, but deeper inspection uncovered strings of white-on-white characters and zero-width spaces. This hidden text was invisible to users but fully readable to large language models, revealing a new kind of attack that targeted the AI interpreting the content rather than the person viewing it.

That realization marked a turning point. ClickFix was no longer trying to trick people. It was going after the summarizer itself, reshaping the output that users would trust without a second thought.

When the Summarizer Becomes the Target

AI summarizers like Copilot, Gemini, and ChatGPT have quietly embedded themselves in enterprise workflows. They digest reports, emails and web pages, delivering concise outputs users trust without question. But this reliance creates a subtle vulnerability.

ClickFix abuses that trust.

The earliest forms of ClickFix, including those documented in X-Labs analysis of the Odyssey Stealer macOS campaign, depended on human interaction. Victims were tricked into pasting PowerShell commands or clicking invisible buttons behind CAPTCHAs and fake verification screens.

The new CSS-based ClickFix takes that deception a step further by manipulating AI interpretation. When a poisoned web page is summarized, invisible CSS elements or zero-width characters embed hidden prompts within the page. The LLM reads these cues as part of its instructions, producing a summary that includes encoded links or snippets of executable text.

To the human reader, the output looks authentic. The model simply followed orders. And in doing so, it has turned trust itself into the attack vector. The deeper lesson is clear: if an AI can read everything, it can also be deceived by anything.

Telemetry in Motion

Forcepoint’s global telemetry paints a picture of an attack still in its testing phase. Over a 90-day period, ClickFix-related domains appeared in short bursts before disappearing within hours. Activity clusters emerged across North America, Western Europe and Southeast Asia, regions with the highest enterprise AI adoption.

Early samples carried payloads tied to the aforementioned Rhadmanthys, plus others like DarkGate and Poseidon, which all use invisible prompts to bypass security filters. These bursts resemble reconnaissance activity seen before major campaigns such as Odyssey Stealer and Lumma Stealer—short, targeted and highly adaptive. Attackers are testing how summarizers process malicious text and which prompts can evade detection.

A More Recent Example Explained

The most striking real-world example observed by X-Labs researchers involved a Booking.com impersonation campaign hosted at 
hxxps://booking.com-reactivate[.]de/uri.html.

At first glance, the page displayed a simple CAPTCHA prompt claiming to verify the user’s session. But the moment victims interacted with the page, a series of scripted instructions appeared—each directing them to perform local system actions. Behind the scenes, hidden JavaScript collected data and prepared to drop an obfuscated payload once those steps were completed. 

Fig. 1 - Fake CAPTCHA page

After clicking the CAPTCHA, the victim was guided through several seemingly routine operations, such as copying commands to the clipboard or confirming “browser troubleshooting” steps. These actions were socially engineered to open local command interfaces (PowerShell on Windows, Terminal on macOS or shell on Linux) then to paste preloaded strings that executed the malicious payload. 

Fig. 2 - Post-CAPTCHA instructions

The dropped code, shown below, revealed heavy obfuscation and use of encoded strings that unfolded into a downloader and credential-stealer when executed. 

Fig. 3 - Obfuscated code snippet

This multi-stage design combines classic ClickFix social engineering with AI-era manipulation. The visible CAPTCHA misleads users, while invisible payloads target summarizers or automated scanners reviewing the same content.

For context, this evolution aligns with patterns first explored in mass-market malicious updates research, where X-Labs highlighted how everyday tools and automation pipelines could become vectors for AI-assisted exploitation.

How Attackers Weaponize Hidden Language

Attackers have learned to communicate with AI systems in ways people cannot see. By embedding invisible instructions within web pages and documents, they can shape how language models interpret and summarize content.

In Forcepoint simulations, the same page produced one harmless summary and another containing embedded commands depending on how much concealed text the model processed. This shows how models can be manipulated through the very data they are meant to interpret.

ClickFix is not just a technical exploit but a linguistic one. It weaponizes the invisible layer of context that lives between syntax and semantics.

From Fake CAPTCHAs to Fake Conversations

ClickFix has evolved quickly since its early forms. In 2024, attackers used fake CAPTCHAs and update-now pages to trick users into pasting commands. By 2025, Forcepoint X-Labs saw similar tactics across Windows, macOS, and Linux disguised as fake Teams or Google Meet errors.

The AI-driven version reduces human involvement but does not remove it entirely. Hidden directives can influence summarizers or copilots, but the attacks X-Labs has observed still require users to complete certain actions such as clicking prompts, pasting copied commands or opening downloaded files for the payload to run.  

Proof-of-concept examples suggest that this interaction may decrease over time, but human participation is still a central part of the attack chain today.

Forcepoint expects this to evolve further in 2026. New versions will likely use base85, hexadecimal, or Unicode encoding to evade filters, and some are already impersonating brands to produce summaries that appear legitimate.

Threat intelligence indicates that APT28 and Lazarus are testing these AI-adaptive methods, pairing invisible prompt injections with credential theft and ransomware campaigns. Some mid-2025 Rhadmanthys and Lumma Stealer samples contained embedded prompt segments—early evidence of the ClickFix approach taking hold.

Even more concerning is the rise of self-adapting malware. Attackers are now using LLMs to regenerate payloads automatically when flagged by antivirus systems. Each detection teaches the adversary’s model how to rewrite the next variant.

Besides turning AI into an attack vector, the cybersecurity community is in an AI arms race, where attackers and defenders are weaponizing AI to outmaneuver one another.

Defending the Space Between Humans and Machines

Forcepoint’s goal is not to disable AI summarization but to help customers use it safely. That begins with reducing the chance that invisible prompts reach models and containing the data impact if they do.

Enterprises can apply content-hygiene controls such as stripping hidden CSS, normalizing Unicode, and rejecting untrusted HTML. Forcepoint Data Security Cloud, which integrates DSPM, DDR and DLP and CASB provides visibility into how AI tools interact with sensitive data and blocks risky behaviors in real time.

Even if an AI interface is manipulated, data remains visible, governed and under control. In an age where AI is both a tool and a target, security is no longer about blocking every exploit. It is about knowing when machines are being persuaded to act against their purpose.

A Glimpse Ahead

ClickFix began as a small trick hidden in a CAPTCHA page. It has become an attack language for the AI era, where invisible prompts and context poisoning exploit the systems that interpret information on our behalf.

As AI models become part of everyday business, these attacks will test the boundaries of what security teams can see. Code can be scanned, but meaning cannot. The future of cybersecurity will depend on understanding not only how data moves, but how intelligent systems reason using that data.

The focus is moving from protecting what humans click to protecting what machines comprehend. Visibility and governance must now reach into the linguistic and cognitive layers of AI itself.

Defending against this new generation of exploits will not simply mean stopping malware. It will mean preserving trust in the conversations between people and the machines that now speak for them.