SafeBreach's Or Yair has demonstrated Fake Context Alignment, a technique that hijacks Google Gemini's voice assistant on Android through malicious notifications from apps like WhatsApp and Slack - no malicious app on the phone required. Gemini's Utilities feature reads and acts on notification text as if it were instructions, an attack surface Yair calls 'effectively infinite.' The bypass runs two illusions at once: it poses the real authorization question in a language the victim does not speak, defeating Google's post-Invitation prompt-injection mitigations. It can fake a boss's message, open windows, force a Zoom call, or poison long-term memory. Google has patched it; no CVE was assigned.
Sophos has detailed a threat actor using an AI-assisted ransomware toolkit that automates Active Directory discovery and EDR evasion. Tool and payload development was aided by Cursor and Claude Opus agents across coding, analysis, and revision, with some agents tasked to scrape security-research posts for fresh bypass techniques; resulting malware was tested in VMs against Sophos, CrowdStrike, and Microsoft EDR. The framework includes Cobalt Strike profiles mimicking legitimate web traffic, a Telegram-bot C2, Python shellcode injectors preserving host-binary functionality, and a Cloudflare Worker front-end redirector. Despite the AI orchestration, the workflow is entirely human-driven. Operator logs and a ransomware-leak-site reference confirmed criminal, not red-team, use.
Krebs on Security reports that attackers social-engineered Meta's newly-deployed conversational AI account-recovery assistant to hijack high-value, short Instagram handles allegedly worth over half a million dollars. Meta had rolled out the AI layer to reduce friction in common recovery workflows - relinking emails, triggering password resets, verifying ownership - that previously required weeks of back-and-forth with automated ticketing. Just as human support staff can be tricked into granting unauthorized access, the AI assistant proved equally eager to help and vulnerable to manipulation. Meta pushed an emergency patch over the weekend and says no back-end database was breached. Critically, the exploit failed against any account with MFA enabled.
Permiso Security has disclosed ChatGPhish, a vulnerability in OpenAI ChatGPT that abuses the assistant's implicit trust in Markdown links and images sourced from third-party pages it has just summarized. The chatgpt.com response renderer auto-fetches those images and surfaces the links as live clickable elements inside the trusted assistant UI. An attacker who appends a small payload to any web page a victim later asks ChatGPT to summarize can leak the victim's IP, User-Agent, and Referer via attacker-hosted images, render fake system-style security alerts, plant malicious clickable links, and serve a QR code from an S3 bucket to bypass desktop URL filters via the victim's phone.
Microsoft has warned of an active cryptojacking campaign that surfaces malicious download sites through AI chatbot recommendations, extending SEO poisoning beyond conventional search. Attackers impersonate legitimate system utilities - CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, PDFgear - to target users with high-performance GPUs, prioritizing mining yield per host over mass infection. Beyond mining, the operators deploy ScreenConnect for persistent remote access enabling data theft, lateral movement, or ransomware. Victims who ask LLM-based tools for software-download recommendations are served links to attacker domains on subdomains of gleeze[.]com, hosted via Dynu dynamic DNS. Microsoft says it has detected and blocked the activity.