AI Jailbreaks, Hacking Team Spyware, and the Million-Dollar Exploit That Wasn't

Show Notes

Today, we dive into critical AI browser vulnerabilities, including a trick that weaponizes the OpenAI Atlas omnibox, and analyze the spectacular flop of a promised $1 million WhatsApp exploit at Pwn2Own. Plus, we cover active exploitation of a critical Windows Server WSUS vulnerability and the shifting economics of ransomware.

Transcript

Welcome back to Cyber Scoops & Digital Shenanigans, the podcast dedicated to tracking the latest threats, trends, and tactical shifts in the digital landscape. I'm your host, Mike Housch.

We’ve got a packed show today, covering everything from highly-sophisticated nation-state espionage to the immediate, practical risks posed by the new generation of AI-powered web browsers. We’re also going to dissect the fascinating collapse of a highly anticipated $1 million exploit at the Pwn2Own contest, and look at why ransomware payments are finally dropping. Stay tuned, because the threats we discuss today demand immediate attention.

Let’s kick things off with a major headache for developers and users alike: prompt injection vulnerabilities in AI browsers.

OpenAI recently launched its Atlas web browser, which features built-in ChatGPT capabilities to help users with tasks like web page summarization and agentic functions. Sounds great, right? Well, security researchers have already found a critical flaw.

The problem centers on the Atlas omnibox—that combined address and search bar. A traditional browser knows the difference between a URL you want to visit and a command you’re searching for, but the Atlas omnibox accepts both URLs to visit and prompts to obey. Researchers at NeuralTrust discovered a technique where an attacker can disguise a malicious instruction, a prompt injection, to look like a URL.

This intentionally malformed URL, which might start with "https" and contain domain-like text, fails initial URL validation. Critically, when Atlas fails to validate it as a URL, it treats the input as a prompt to the AI agent but with elevated trust and fewer checks, because it originated from the omnibox which is considered high-trust "user intent".

The results are devastating. The embedded instructions can hijack the agent's behavior and enable silent jailbreaks. For instance, an attacker could place this disguised prompt behind a "Copy link" button. If the user pastes that link into the Atlas omnibox, the agent executes the instruction, potentially redirecting the user to an attacker-controlled phishing website. Even worse, a command could be hidden to execute destructive instructions, such as deleting files from connected applications like Google Drive, using the user’s authenticated session.

And this isn't just an OpenAI problem. Prompt injection is a "frontier, unsolved security problem" that the entire industry is grappling with. Perplexity Comet and Opera Neon have also been found susceptible. Threat actors can hide malicious instructions in web pages using tricks like white text on white backgrounds or CSS trickery, which the agent then parses and executes.

On a related front, we also saw the “Sneaky Mermaid” attack targeting Microsoft 365 Copilot. This was an indirect prompt injection attack that exploited Copilot's built-in support for Mermaid diagrams. An attacker could ask Copilot to summarize a specially crafted document containing a malicious payload. That payload could instruct the AI to fetch sensitive tenant data, like the user’s recent emails, hex encode the content, and then use the Mermaid diagram feature (which supports CSS) to exfiltrate that data to an attacker-controlled server when the user clicks a seemingly innocuous button. Fortunately, Microsoft has confirmed they patched this specific issue, though they declined to say exactly what the fix entailed. The researcher who found it, Adam Logue, didn't receive a bug bounty because M365 Copilot wasn't in scope for the program. This highlights how security programs need to evolve to keep pace with these new AI capabilities.

The takeaway here, folks, is that the integration between user input, AI agents, and trusted application permissions creates a systemic challenge. We need better boundaries and strict URL validation in these new AI browser interfaces.

Moving on to a story that generated huge disappointment and speculation in the ethical hacking community: the $1 million WhatsApp exploit flop at Pwn2Own Ireland 2025.

A researcher known as Eugene (3ugen3) from Team Z3 was scheduled to attempt a public demonstration of a zero-click remote code execution exploit against WhatsApp. The bounty on the table was $1 million.

However, the public demonstration never happened. Initially, Trend Micro’s Zero Day Initiative, or ZDI, cited "travel complications". Later, they announced the researcher had withdrawn, citing concerns that the exploit wasn't sufficiently prepared for a public demonstration.

This sparked wide-ranging speculation in the security industry regarding the exploit’s technical viability.

Here’s the scoop: Eugene agreed to privately disclose his findings to ZDI analysts before handing them over to Meta engineers. Eugene confirmed to SecurityWeek that he chose to keep everything private, in part to protect his identity. But the real kicker came from Meta. WhatsApp told SecurityWeek that they are reviewing only two vulnerabilities rated as ‘low risk,’ and that none of them could be used for arbitrary code execution. WhatsApp was openly disappointed, stating that Team Z3 withdrew "because they didn’t have a viable exploit". So, the million-dollar exploit appears to have been a bust, revealing only low-impact bugs instead.

Switching gears, let's look at exploitation by nation-state actors. Kaspersky recently reported that the exploitation of the first Chrome zero-day of 2025 (tracked as CVE-2025-2783) is linked to tools used in attacks involving spyware developed by Hacking Team.

This sophisticated cyberespionage campaign, dubbed Operation ForumTroll, targeted various organizations in Russia, including those in education, finance, and government. The attackers used phishing emails disguised as forum invitations to deliver personalized links that contained the exploit. The exploit code was designed to perform a sandbox escape, execute shellcode, and install a malware loader.

The final payload was LeetAgent, a piece of spyware capable of logging keystrokes and stealing files, communicating commands over HTTPS. This spyware has been used since at least 2022. Notably, LeetAgent has, in some cases, been used to deploy a more sophisticated spyware family called Dante, developed by Memento Labs, which is the rebranded successor to Hacking Team. While the threat actor behind ForumTroll wasn't observed using Dante in this specific campaign, Kaspersky found similar code and toolsets shared by the exploit, loader, and Dante, suggesting a clear connection to that infrastructure.

Time now for our warning segment, focusing on vulnerabilities currently being exploited in the wild.

First up: Microsoft Windows Server Update Service, or WSUS. Microsoft recently released out-of-band updates to patch a critical vulnerability, CVE-2025-59287, which impacts several Windows Server versions (2012, 2016, 2019, 2022, and 2025). This flaw is severe: a remote, unauthenticated attacker can exploit it to execute arbitrary code with System privileges. A proof-of-concept exploit was published quickly, and exploitation in the wild was observed just hours after Microsoft released the updates. Security firms have warned that roughly 2,500 WSUS instances worldwide remain exposed. If you have WSUS running—remember, it's not enabled by default—you must patch immediately, or disable the WSUS Server Role as a temporary mitigation.

And speaking of patching, hackers are also actively exploiting year-old vulnerabilities in popular WordPress plugins. Defiant recently observed mass exploitation attempts against critical flaws in the GutenKit and Hunk Companion plugins, blocking about 9 million exploit attempts over a two-week period. These vulnerabilities, like CVE-2024-9234, allow unauthenticated attackers to upload arbitrary files or install and activate malicious plugins, often leading to remote code execution. The threat actors are distributing malicious ZIP files posing as plugins that contain backdoors for persistence and administrative auto-login scripts. Despite these flaws being patched over a year ago, they remain attractive targets because many site administrators haven't updated.

We also have a quick note on another critical mitigation: Microsoft is disabling file previews in Windows’s File Explorer for files downloaded from the internet. This change, part of the October 2025 Patch Tuesday updates, is designed to block NTLM hash leaks. The issue arose because files marked with the Mark of the Web could contain HTML tags referencing external paths, allowing attackers to capture sensitive credentials when the file was simply previewed. This is part of an ongoing cat-and-mouse game to fix zero-click vulnerabilities that trigger SMB authentication requests and leak hashes.

Finally, let’s talk about money. There’s some positive news regarding ransomware payments, which dropped significantly in the third quarter of 2025. The average ransom payment was about $377,000—a 66% decrease from the previous quarter. This decline is largely attributed to two factors: large enterprises increasingly refusing to pay ransoms, having realized that paying to suppress stolen data has minimal utility, and mid-market organizations, which are more likely to pay, agreeing to smaller amounts. Ransomware groups like Akira and Qilin are capitalizing on mid-market firms with a "high-volume, low-demand strategy".

Meanwhile, in the world of financial fraud, the Smishing Triad, a China-linked group, has been attributed to using more than 194,000 malicious domains since the start of 2024 in a massive global phishing operation. They flood mobile devices with fraudulent texts impersonating package misdelivery or toll violation notices to steal sensitive information. This decentralized operation uses a (Phishing-as-a-Service) ecosystem and relies on the rapid churn of domains—nearly 71% of their domains are active for less than a week—to evade detection.

The landscape continues to evolve rapidly. From the AI front, we’re entering an era where AI democratization means everyone needs protection from increasingly sophisticated attacks. Trust and governance in the age of AI must be carefully balanced with innovation to ensure fairness and public trust. This calls for security posture management for AI to protect against risks like jailbreaking and excessive agency.

And for CISOs, remember the basics still apply: patch those critical vulnerabilities like the WSUS flaw immediately, update your WordPress components, even if the flaw is old, and continue to educate users on highly targeted smishing and phishing threats. The drop in ransomware payments proves that resilience and refusal to pay can shift the economics away from the attackers.

That’s all the time we have for this week's edition of Cyber Scoops & Digital Shenanigans. Thanks for tuning in. Remember to stay vigilant, stay secure, and we’ll catch you next time for more scoops and shenanigans.