Jan 09, 2026 – Viktor Markopoulos – We often trust what we see. In cybersecurity, we are trained to look for suspicious links, strange file extensions, or garbled code. But what if the threat looked exactly like a smiling face sent by a colleague?Based on research by Paul Butler and building on FireTail’s previous disclosures regarding ASCII smuggling, we can now reveal a technique where malicious text is smuggled directly inside an emoji using undeclared Unicode characters.The Bottom Line for CISOsThis research highlights a specific vulnerability in how Large Language Models (LLMs) and security filters interpret visual data versus raw data.The Risk: Malicious prompts can be smuggled past human reviews because the payload is invisible to the human eye.The Blind Spot: Standard audit logs may only record a generic emoji (e.g., a smiley face), leaving security teams unable to explain why an LLM executed a malicious command.The Reality: “What You See Is What You Get” no longer applies to LLM inputs.The Technical MechanicsThe method relies on the complex nature of Unicode. To a human, an emoji is a single image. To a computer, it is a sequence of bytes. This technique exploits “Variation Selectors,” which are special characters normally used to specify exactly how a character should be displayed (like choosing between a black-and-white or colored symbol).It is possible to inject undeclared, invisible characters into this sequence using a shift cipher hidden within these Variation Selectors. This transforms standard, readable Unicode characters into invisible ones. The result is a payload that looks perfectly normal on a screen. A simple moon or smiley face but it contains a hidden string of code waiting to be processed.How We TestedWe set about testing on Gemini which we had previously identified as being susceptible to ASCII smuggling. We relied heavily on this tool for encoding and decoding: https://emoji.paulbutler.org/The AI “Blind Spot”This technique is effective because it exploits a gap in how Large Language Models (LLMs) process text versus how they are trained to understand it. Models like Gemini do not inherently understand these smuggled characters out of the box.When we presented Gemini with a modified smiley face emoji containing the hidden word “hello,” it recognized that unusual Unicode characters were present but could not decipher the message on its own.‍Verifying the DataHowever, the model isn’t blind to the data, just the meaning. We fo
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: