Introduction
Large Language Models have rapidly transitioned from experimental tools to core components of modern enterprise environments. They now power customer support automation, autonomous business agents, internal knowledge systems, and even workflows capable of executing code or handling financial transactions. This operational dependence has introduced a new and largely underestimated attack surface.
Security researchers now warn that threats targeting LLM-based systems are no longer isolated prompt injection tricks. Instead, they represent coordinated, multi-stage attack campaigns that closely resemble traditional malware operations. This emerging class of threats is collectively known as promptware.
Background and Context
The cybersecurity community has historically treated prompt injection as a standalone issue. However, this narrow framing fails to capture the true complexity of modern attacks against AI systems.
Recent research shows that adversaries are chaining multiple techniques together in structured campaigns. These operations progress through stages such as initial compromise, privilege escalation, persistence, lateral movement, and execution of malicious objectives. The parallels with conventional malware kill chains are striking and intentional.
Recognizing this shift is critical. Treating AI attacks as isolated prompt failures leaves organizations blind to the broader lifecycle of compromise unfolding within LLM-driven applications.
The Promptware Kill Chain Explained
Researchers Ben Nassi, Bruce Schneier, and Oleg Brodt have proposed a structured five-step kill chain model to systematically analyze promptware threats. Their framework demonstrates that modern LLM attacks are deliberate, multi-phase operations with identifiable intervention points.
1. Initial Access
Attackers gain entry by injecting malicious instructions into the model’s input stream. This can occur directly through user prompts or indirectly through poisoned external content such as documents, emails, or web data retrieved by the system.
Indirect prompt injection is particularly dangerous in retrieval-augmented generation workflows, where untrusted data is treated as authoritative context by the model.
2. Privilege Escalation
Once access is achieved, attackers attempt to bypass alignment and safety controls. Modern LLMs are trained to refuse harmful actions, but adversaries increasingly rely on advanced jailbreaking techniques.
These include instruction obfuscation, role-playing scenarios, contextual manipulation, and universal adversarial suffixes capable of bypassing safeguards across multiple models simultaneously.
3. Persistence
Persistence is where promptware diverges sharply from traditional prompt injection and becomes a true malware analogue.
Instead of modifying system registries or scheduled tasks, promptware embeds itself into the data stores and memory structures that LLM agents rely on.
- Retrieval-dependent persistence embeds malicious payloads into emails, documents, or knowledge bases that reactivate when similar content is retrieved.
- Retrieval-independent persistence targets the agent’s internal memory, ensuring malicious instructions execute during every interaction regardless of user input.
This persistence enables long-term compromise with minimal visibility.
4. Lateral Movement and Propagation
Promptware can move laterally across interconnected systems by abusing integrations between agents, services, and users.
A notable example is the Morris II worm, which propagated through LLM-powered email assistants. By forcing infected assistants to embed malicious instructions into outgoing messages, the attack achieved self-replication. Each recipient whose assistant processed the content became a new infection point, enabling exponential spread.
5. Command Execution and Impact
In the final phase, attackers execute their objectives. Command-and-control mechanisms allow real-time updates by embedding instructions that retrieve commands from attacker-controlled sources.
Modern promptware campaigns have already demonstrated capabilities such as:
- Large-scale data exfiltration
- Automated phishing through compromised email agents
- Manipulation of smart home and IoT devices
- Unauthorized financial transactions executed by AI-driven workflows
Impact and Scope
What began as theoretical research has rapidly evolved into practical exploitation. Early demonstrations focused on benign outputs or policy violations. Today’s attacks leverage the full kill chain to create systemic organizational risk.
Because LLM agents often operate with broad permissions and trusted integrations, a single compromised agent can become a high-impact pivot point across an enterprise.
Response and Mitigation
Defending against promptware requires a shift in mindset. Security teams must treat LLM-based systems as full-fledged execution environments rather than passive text processors.
Effective mitigation strategies include:
- Applying least-privilege principles to AI agents
- Monitoring memory and retrieval sources for anomalous patterns
- Isolating untrusted external content
- Implementing kill-chain-aware detection and response models
- Red-teaming LLM applications using multi-stage attack simulations
Traditional cybersecurity knowledge, when adapted correctly, provides a strong foundation for addressing these risks.
Outlook
Promptware represents a fundamental evolution in cyber threats. As LLMs gain autonomy and deeper system access, attackers will continue to refine multi-stage campaigns that exploit their unique characteristics.
Organizations that continue to frame AI security as a prompt-filtering problem will remain exposed. Those that adopt a kill-chain perspective will be better positioned to detect, disrupt, and contain the next generation of AI-driven attacks.
References / Source
- Nassi B, Schneier B, Brodt O. The Promptware Kill Chain: How Prompt Injections Gradually Evolved Into a Multi-Step Malware. arXiv, 2026. https://arxiv.org/abs/2601.09625
- Promptware Kill Chain – Five-Step Model Explained, CybersecurityNews.com. https://cybersecuritynews.com/promptware-kill-chain-five-step-kill-chain-model/
- Expert commentary on LinkedIn summarizing kill chain stages. https://www.linkedin.com/posts/wysopal_the-promptware-kill-chain-how-prompt-injections-activity-7417609443850383360-tMDb
- Context on traditional kill chains. https://www.darktrace.com/cyber-ai-glossary/cyber-kill-chain
