The Promptware Kill Chain – Schneier on Security

Attacks against modern artificial intelligence (AI) models, particularly large language models (LLMs), pose a real threat. However, the discussion of these attacks and their possible defenses is dangerously oversimplified. The dominant narrative focuses on “prompt injection,” a set of techniques for embedding instructions into an LLM’s input that cause it to perform a malicious function. The term suggests a simple, singular vulnerability, and that framing obscures a more complex and dangerous reality. Attacks on LLM-based applications have evolved into a distinct class of malware, which we call “promptware.” In a new paper, we, the authors, propose a systematic seven-step “promptware kill chain” to give policymakers and security practitioners the vocabulary and framework needed to address the growing AI threat landscape.

In our model, the promptware kill chain begins with Initial Access. This is the point at which the malicious prompt enters the AI system. It can happen directly, when an attacker types malicious text into the LLM application, or, more subtly, through “indirect prompt injection.” In an indirect attack, the adversary embeds malicious instructions in content that the LLM retrieves and processes during inference, such as a web page, an email, or a shared document. As LLMs become multimodal (able to process inputs other than text), this vector grows further: malicious commands can now be hidden inside an image or audio file, waiting to be processed by a vision-language model.

The root problem lies in the design of LLMs themselves. Unlike traditional computer systems, which strictly separate executable code from user data, LLMs process all input (a system prompt, a user’s email, a retrieved document) as a single, unsegmented sequence of tokens. There is no architectural boundary that enforces the distinction between trusted instructions and untrusted data. As a result, a command embedded in a seemingly harmless document is processed with the same authority as a system instruction.

But prompt injection is only the Initial Access step. It is the entry point into the complex, multi-stage operations that characterize familiar malware campaigns such as Stuxnet or NotPetya.

Once the malicious instructions are inside the AI’s input, the attack moves to Privilege Escalation, often called “jailbreaking.” At this stage, the attacker bypasses the safety training and policy guidelines that vendors such as OpenAI or Google have built into their models. Using techniques ranging from social engineering (convincing the model to adopt a persona that ignores the rules) to complex adversarial strings appended to the input, promptware tricks the model into taking actions it would normally refuse. This is analogous to an attacker escalating from a user account to administrator privileges in a conventional network attack; it unlocks the full capabilities of the underlying model for malicious use.

After privilege escalation comes Reconnaissance. Here, the attack tricks the LLM into revealing information about its assets, connected services, and capabilities. This allows the attack to progress automatically down the kill chain without alerting the victim. Unlike reconnaissance in classic malware, which typically happens before initial access, promptware reconnaissance occurs after the initial access and jailbreaking steps have succeeded. Its effectiveness depends entirely on the victim LLM’s ability to reason about its own context, and it turns that reasoning to the attacker’s advantage.

Fourth is the Persistence stage. Transient attacks that vanish after a single interaction with the LLM application are a nuisance; persistent promptware compromises the LLM application lastingly. In various ways, promptware embeds itself in the long-term memory of an AI agent or poisons the database the agent relies on. For example, a worm can infect a user’s email archive so that every time the AI digests past emails, the malicious prompt runs again.

The Command-and-Control (C2) stage builds on persistence and on the LLM application’s dynamic fetching of instructions during inference. Although not strictly required for the kill chain to continue, this stage lets promptware evolve from a static threat, with fixed goals and behavior determined at injection time, into a controllable trojan whose behavior the attacker can change over time.

The sixth stage, Lateral Movement, is where the attack spreads from the victim to other users, devices, or systems. In the race to give AI agents access to our emails, calendars, and business platforms, we are building highways for malware to spread. In a “self-replicating” attack, an infected email assistant is tricked into sending a malicious payload to all of its contacts, spreading the infection like a computer virus. In other cases, the attack may jump from a calendar invitation to controlling smart-home devices or exfiltrating data from a connected web browser. The connectivity that makes these agents useful is precisely what makes them vulnerable to compromise.

Finally, the kill chain ends with Actions on Objectives. The goal of promptware is not just to make a chatbot say something offensive; it often produces tangible malicious consequences such as data leaks, financial fraud, or real-world impact. There are examples of AI agents being tricked into selling cars for one dollar or transferring cryptocurrency to an attacker’s wallet. More alarmingly, agents with strong coding capabilities can be tricked into executing arbitrary code, giving an attacker complete control over the underlying AI system. The outcome of this stage determines what type of malware the promptware amounts to: infostealer, spyware, cryptostealer, and so on.

The kill chain has already been demonstrated in practice. For example, in the study “An Invitation Is All You Need,” attackers gained initial access by embedding malicious text in the subject of a Google Calendar invitation. The prompt then used an advanced technique known as delayed tool invocation to force the LLM to execute the injected instructions. Because the prompt was embedded in a Google Calendar artifact, it persisted in the long-term memory of the user’s workspace. Lateral movement occurred when the prompt instructed Google Assistant to launch the Zoom app, and the final objective was to live-stream video of an unsuspecting user who had simply asked about their upcoming meetings. C2 and reconnaissance were not demonstrated in this attack.

Similarly, the “Here Comes the AI Worm” study showed another end-to-end realization of the kill chain. In this case, initial access was achieved through a prompt included in an email sent to the victim. The exploit used a simulation technique to force the LLM to follow the attacker’s instructions. Because the prompt was embedded in the email, it too persisted in the long-term memory of the user’s workstation. The injected prompt instructed the LLM to replicate itself and exfiltrate sensitive user data, which produced lateral movement beyond the device when the email assistant was later asked to compose new emails. Those emails, carrying the sensitive information, were then forwarded by the user to additional recipients, infecting new clients and propagating the attack further. C2 and reconnaissance were not demonstrated in this attack.

The promptware kill chain gives us a framework for understanding these and similar attacks; the paper walks through a number of them. Prompt injection is not something we can fix in current LLM technology. Instead, we need a defense-in-depth strategy that assumes initial access will happen and focuses on breaking the chain at the later steps: limiting privilege escalation, preventing reconnaissance, preventing persistence, disrupting C2, and limiting the actions the agent is allowed to take. By understanding promptware as a complex, multi-stage malware campaign, we can move from reactive detection to systematic risk management, protecting the critical systems we are so eager to build.
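One concrete way to “break the chain at the later steps” is a tool-call policy gate that tags every item in the agent’s context with its origin and, once untrusted content (an email, a calendar entry, a web page) has entered the window, denies or downgrades the side-effecting tools that would advance Persistence, Lateral Movement, or Actions on Objectives. This is an added illustration written for this post, not code from the paper or from any vendor; the tool names, origin labels, and `AgentContext` class are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Origins allowed to carry instructions vs. origins treated as data only.
TRUSTED_ORIGINS = {"system", "user"}
UNTRUSTED_ORIGINS = {"email", "calendar", "web", "document"}

# Hypothetical agent tools, grouped by the kill-chain stage their abuse
# would advance. Read-only tools (read_email, search, ...) are ungrouped.
PERSISTENCE_TOOLS = {"write_memory", "save_note"}      # Persistence
EXFIL_TOOLS = {"http_post", "upload_file"}              # Actions on Objectives
LATERAL_TOOLS = {"send_email", "launch_app", "control_device"}  # Lateral Movement


@dataclass
class AgentContext:
    """Everything the model has seen this session, tagged with its origin."""
    items: list[tuple[str, str]] = field(default_factory=list)
    # Recipients the human explicitly named; set from a trusted turn only.
    approved_recipients: set[str] = field(default_factory=set)

    def tainted(self) -> bool:
        # Once any untrusted content is in the window, later model output may
        # be attacker-influenced: the prompt itself has no trust boundary.
        return any(origin in UNTRUSTED_ORIGINS for origin, _ in self.items)


def decide(ctx: AgentContext, tool: str, args: dict) -> str:
    """Return 'allow', 'confirm' (human in the loop) or 'deny' for a tool call."""
    if not ctx.tainted():
        return "allow"                     # no untrusted data seen yet
    if tool in PERSISTENCE_TOOLS or tool in EXFIL_TOOLS:
        return "deny"                      # no memory writes, no exfil
    if tool == "send_email":
        recipients = set(args.get("to", []))
        if not recipients or not recipients <= ctx.approved_recipients:
            return "deny"                  # blocks "send to all contacts" worms
        return "confirm"                   # approved recipients still need a nod
    if tool in LATERAL_TOOLS:
        return "confirm"                   # launching apps/devices needs a human
    return "allow"                         # read-only tools stay usable


def worm_scenario() -> list[str]:
    """Constructed replay of the email-worm case: decisions after taint."""
    ctx = AgentContext(approved_recipients={"alice@example.com"})
    ctx.items.append(("user", "Summarize my inbox and reply to Alice"))
    ctx.items.append(("email", "(constructed untrusted email body)"))
    return [decide(ctx, "write_memory", {"text": "remember this"}),
            decide(ctx, "send_email", {"to": ["bob@example.com", "carol@example.com"]}),
            decide(ctx, "send_email", {"to": ["alice@example.com"]}),
            decide(ctx, "read_email", {})]
```

The gate is deliberately coarse: it does not try to detect the injected text (the point the post makes is that detection at initial access cannot be relied on) but limits what a tainted session can do next.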

This article was co-authored with Oleg Brodt, Elad Feldman and Ben Nassi, and appeared first in Lawfare.

Posted February 16, 2026 at 7:04 AM
