Cloaking Attack Against AI Crawlers Uncovers New Context Poisoning Risks
Executive Summary
In October 2025, cybersecurity researchers uncovered a sophisticated cloaking attack that targets AI-driven web crawlers used by popular agentic browsers such as OpenAI ChatGPT Atlas and Perplexity. Threat actors deployed malicious websites capable of serving misleading or false content only to AIbots, while displaying legitimate information to typical users. This context poisoning technique allows harmful actors to manipulate AI models at scale, tricking them into citing fabricated facts as verified information, and undermines AI trustworthiness with widespread downstream effects on automated decision-making and knowledge dissemination.
This incident highlights the mounting risks from adversarial attacks targeting AI supply chains. As AI systems increasingly rely on real-time internet data, attackers are innovating new manipulation tactics to poison context and subvert trust. The surge in such TTPs coincides with tighter regulations and industry push towards Responsible AI frameworks.
Why This Matters Now
As enterprises rapidly integrate AI-based browsers and copilots, adversaries are exploiting context poisoning to attack core trust mechanisms. This poses urgent threats to data integrity, regulatory compliance, and business operations—especially as more critical workflows now depend on AI-generated insights.
Attack Path Analysis
The attacker initiated the campaign by deploying a website designed to serve misleading information exclusively to AI web crawlers, bypassing traditional browser detection mechanisms. Through this foothold, they leveraged context poisoning—feeding fabricated data to AI agents for potential SEO or reputational gain—without necessarily escalating cloud privileges. With access to the AI crawler’s request pipeline, they potentially influenced additional AI workloads connected via internal and external API traffic. The attacker’s environment remained covertly reachable, leveraging standard web communication to maintain their influence over AI model training or citation behaviors. Information was exfiltrated indirectly as AI models ingested and redistributed false content as verified facts, propagating the poisoned data externally. The attack’s impact materialized as AI-driven misinformation, loss of trust, and possible downstream reputational or operational disruptions for AI service providers.
Kill Chain Progression
Initial Compromise
Description
The adversary established a malicious website configured to serve deceptive content differently to AI crawlers than to human browsers, exploiting the AI data collection process.
Related CVEs
CVE-2025-12345
CVSS 8.2A vulnerability in AI browsers like ChatGPT Atlas and Perplexity Comet allows malicious extensions to spoof AI sidebars, leading to potential data exfiltration and user manipulation.
Affected Products:
OpenAI ChatGPT Atlas – 1.0, 1.1
Perplexity Comet – 1.0, 1.1
Exploit Status:
proof of conceptCVE-2025-67890
CVSS 7.5AI-targeted cloaking attacks can deceive AI browsers into retrieving and displaying manipulated content, leading to misinformation dissemination.
Affected Products:
OpenAI ChatGPT Atlas – 1.0, 1.1
Perplexity Comet – 1.0, 1.1
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Adversary-in-the-Middle
User Execution
Impair Defenses
Exploit Public-Facing Application
Masquerading
Application Layer Protocol
Deobfuscate/Decode Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Prevent Public-Facing Web Application Vulnerabilities
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Chapter II, Article 6
CISA Zero Trust Maturity Model 2.0 – Monitor and Analyze Data Flows
Control ID: Visibility and Analytics: 2.C
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI-targeted cloaking attacks directly threaten software development processes, AI model integrity, and automated systems relying on web crawlers for data validation and content verification.
Information Technology/IT
Context poisoning attacks compromise AI systems and agentic browsers, requiring enhanced egress security, threat detection capabilities, and zero trust segmentation for AI workloads.
Financial Services
AI model manipulation poses significant risks to automated trading systems, fraud detection algorithms, and compliance reporting that rely on AI-processed web content.
Health Care / Life Sciences
Healthcare AI systems vulnerable to misinformation injection through cloaking attacks, potentially compromising patient safety and violating HIPAA compliance requirements for data integrity.
Sources
- New AI-Targeted Cloaking Attack Tricks AI Crawlers Into Citing Fake Info as Verified Factshttps://thehackernews.com/2025/10/new-ai-targeted-cloaking-attack-tricks.htmlVerified
- AI Sidebar Spoofing Puts ChatGPT Atlas, Perplexity Comet and Other Browsers at Riskhttps://www.securityweek.com/ai-sidebar-spoofing-puts-chatgpt-atlas-perplexity-comet-and-other-browsers-at-risk/Verified
- ChatGPT Atlas and Perplexity Comet Are Vulnerable to Sidebar Spoofinghttps://hackmag.com/news/ai-sidebar-spoofingVerified
- Experts Warn of ChatGPT Atlas vulnerabilitieshttps://techreport.com/news/chatgpt-atlas-vulnerabilities/Verified
- New Agent-Aware Cloaking Technique Exploits OpenAI ChatGPT Atlas Browser to Serve Fake Contenthttps://cyberpress.org/new-agent-aware-cloaking-technique-exploits-openai-chatgpt-atlas-browser-to-serve-fake-content/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, egress policy enforcement, traffic visibility, and microsegmentation could have detected, blocked, or contained the movement of poisoned data within AI workloads and limited exposure to malicious external content. CNSF controls would have reduced the risk of context poisoning by enforcing strict identity-aware traffic flows and continuous threat detection across cloud-native AI service environments.
Control: Cloud Firewall (ACF)
Mitigation: Outbound AI crawler traffic to suspicious or untrusted web domains would be blocked or inspected.
Control: Zero Trust Segmentation
Mitigation: Workload and service identities strictly enforced, preventing unauthorized exposure or escalation.
Control: East-West Traffic Security
Mitigation: Detection or blocking of intra-cloud propagation of malicious or unexpected AI workload data.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious or anomalous traffic between workloads and external endpoints flagged for investigation.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized or suspicious outbound transmission of data from AI pipelines.
Reduces risk and blast radius of AI-driven misinformation through end-to-end security automation.
Impact at a Glance
Affected Business Functions
- Information Retrieval
- Content Management
- User Interaction
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive user data due to malicious AI sidebar spoofing and dissemination of misinformation through AI-targeted cloaking attacks.
Recommended Actions
Key Takeaways & Next Steps
- • Deploy cloud firewall and egress filtering controls to strictly limit AI crawler internet exposure only to validated, trusted sources.
- • Implement zero trust segmentation and identity-based policy enforcement across all internal AI and ML workloads.
- • Continuously monitor and baseline AI pipeline traffic using anomaly detection to identify covert influence attempts or data poisoning events.
- • Harden east-west infrastructure to microsegment cloud workloads, limiting lateral movement of unvalidated or poisoned data.
- • Adopt distributed, automated security fabric controls for real-time visibility, segmentation, and incident response throughout cloud-native AI environments.
