Jedi mind trick turned against AI-based malware scanners: The “Skynet” malware, discovered in June 2025, featured an attempted prompt injection against AI-powered security tools. The technique was designed to manipulate AI malware analysis systems into falsely declaring no malware was detected in a sample through a form of “Jedi mind trick.”Researchers at Check Point reckon the malware was most likely a proof-of-concept experiment by malware developers.”We’ve already seen proof-of-concept attacks where malicious prompts are hidden inside documents, macros, or configuration files to trick AI systems into exfiltrating data or executing unintended actions,” Stratascale’s Rhoads-Herrera commented. “Researchers have also demonstrated how LLMs can be misled through hidden instructions in code comments or metadata, showing the same principle at work.”Rhoads-Herrera added: “While some of these remain research-driven, the techniques are quickly moving into the hands of attackers who are skilled at weaponizing proof-of-concepts.”
Under the radar: Ensar Seker, CISO at threat intelligence vendor SOCRadar, described the abuse of gen AI systems through prompt injection as an evolution in malware delivery tactics.”It’s not just about dropping a payload anymore; it’s about crafting dynamic instructions that can manipulate behavior at runtime, and then hiding or encoding those instructions so they evade traditional scanning tools,” Seker said.Jason Keirstead, VP of security strategy at security operations firm Simbian AI, said that many prompt injection attacks against gen AI systems are going under the radar.”For example, people are putting malicious prompts in resumes they upload to recruitment sites, causing the AIs used in job portals to surface their resume at the top,” Keirstead explained. “We also have recently seen the malicious prompts that targeted the Comet browser, etc.”
Stealthy and systemic threat: Dorian GranoÅ¡a, lead red team data scientist at AI security specialists SplxAI, said that prompt injection has become a “stealthy and systemic threat” In real-world deployments tested by the firm.”Attackers conceal instructions via ultra-small fonts, background-matched text, ASCII smuggling using Unicode Tags, macros that inject payloads at parsing time, and even file metadata (e.g., DOCX custom properties, PDF/XMP, EXIF),” GranoÅ¡a explained. “These vectors evade human review yet are fully parsed and executed by LLMs, enabling indirect prompt injection.”
Countermeasures: Justin Endres, head of data security at cybersecurity vendor Seclore, argued that security leaders can’t rely on legacy tools alone to defend against malicious prompts that turn “everyday files into Trojan horses for AI systems.””[Security leaders] need layered defenses that sanitize content before it ever reaches an AI parser, enforce strict guardrails around model inputs, and keep humans in the loop for critical workflows,” Endres advised. “Otherwise, attackers will be the ones writing the prompts that shape your AI’s behavior.”Defending against these types of attacks involves a combination of technical defense procedures and policy controls, such as:
Perform deep inspection of any file that enters an enterprise environment, especially from untrusted sources. “Use sandboxing, static analysis, and behavioral simulation tools to see what the macros or embedded prompts actually do before opening,” SOCRadar’s Seker advised.Implement policies that isolate macro execution, for example, application sandboxing or Microsoft’s protected view.Evaluate content disarm and reconstruction (CDR) tools. “CDR rebuilds files without active content, neutralizing embedded threats,” SOCRadar’s Seker explained. “This is especially effective for PDFs, Office files, and other structured documents.”Sanitize any input (prompts) into generative AI systems.Design AI systems to include a “verification” component that reviews inputs and applies guardrails.Apply clear protocols for validating AI outputs.The most effective countermeasures come down to visibility, governance, and guardrails, according to Stratascale’s Rhoads-Herrera.SOCRadar’s Seker argued that enterprises should treat AI pipelines the same way they handle CI/CD pipelines by extending zero-trust principles into their data parsing and AI workflows. In practice this means introducing guardrails, enforcing output verification, and using contextual filters to block unauthorized instructions from being executed or acted on by LLM-based systems.”I strongly encourage CISOs and red teams to begin testing AI-enabled workflows against adversarial prompts today, before threat actors make this mainstream,” Seker concluded.
Countermeasures: Justin Endres, head of data security at cybersecurity vendor Seclore, argued that security leaders can’t rely on legacy tools alone to defend against malicious prompts that turn “everyday files into Trojan horses for AI systems.””[Security leaders] need layered defenses that sanitize content before it ever reaches an AI parser, enforce strict guardrails around model inputs, and keep humans in the loop for critical workflows,” Endres advised. “Otherwise, attackers will be the ones writing the prompts that shape your AI’s behavior.”Defending against these types of attacks involves a combination of technical defense procedures and policy controls, such as:
Perform deep inspection of any file that enters an enterprise environment, especially from untrusted sources. “Use sandboxing, static analysis, and behavioral simulation tools to see what the macros or embedded prompts actually do before opening,” SOCRadar’s Seker advised.Implement policies that isolate macro execution, for example, application sandboxing or Microsoft’s protected view.Evaluate content disarm and reconstruction (CDR) tools. “CDR rebuilds files without active content, neutralizing embedded threats,” SOCRadar’s Seker explained. “This is especially effective for PDFs, Office files, and other structured documents.”Sanitize any input (prompts) into generative AI systems.Design AI systems to include a “verification” component that reviews inputs and applies guardrails.Apply clear protocols for validating AI outputs.The most effective countermeasures come down to visibility, governance, and guardrails, according to Stratascale’s Rhoads-Herrera.SOCRadar’s Seker argued that enterprises should treat AI pipelines the same way they handle CI/CD pipelines by extending zero-trust principles into their data parsing and AI workflows. In practice this means introducing guardrails, enforcing output verification, and using contextual filters to block unauthorized instructions from being executed or acted on by LLM-based systems.”I strongly encourage CISOs and red teams to begin testing AI-enabled workflows against adversarial prompts today, before threat actors make this mainstream,” Seker concluded.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4053107/ai-prompt-injection-gets-real-with-macros-the-latest-hidden-threat.html
