Promptware Kill Chain is a new five‑step model that explains how attacks against AI systems powered by large language models (LLMs) behave more like full malware campaigns than one‑off “prompt injection” tricks.

It treats malicious prompts and poisoned content as a distinct type of malware, called promptware, and maps how these attacks move from initial access to full system compromise and data theft.

What Is Promptware and Why Does It Matter

Promptware is defined as any input text, image, audio, or other content fed into an LLM application with the goal of abusing its permissions to trigger malicious activity.

Instead of shellcode or binaries, the “payload” is natural language or multimodal content that the model interprets as instructions.

The authors argue that grouping everything under “prompt injection” hides the fact that modern attacks are multi‑stage operations similar to traditional malware such as worms or ransomware campaigns.

Their model adapts the classic cyber kill chain to AI by introducing five distinct phases: Initial Access, Privilege Escalation, Persistence, Lateral Movement, and Actions on Objective.

The Five Steps Of The Promptware Kill Chain

The kill chain starts with Initial Access, where malicious instructions enter the LLM’s context window through direct or indirect prompt injection.

• Direct attacks come from a user typing crafted input.

• Indirect attacks hide prompts in external content such as web pages, emails, calendar invites, or documents fetched by retrieval‑augmented generation (RAG) systems.

Multimodal models expand this step further, allowing hidden prompts in images or audio to bypass text‑only filters.

Privilege Escalation happens through jailbreaking, where attackers bypass safety training and alignment to make the model perform actions it should refuse. Techniques include “ignore previous instructions” overrides, persona‑based prompts such as “Do Anything Now” (DAN), role‑playing, obfuscated encodings (ASCII art, Unicode tricks), and universal adversarial suffixes that jailbreak multiple vendors’ models at once. This step is comparable to gaining higher privileges on a compromised operating system, but here the “privilege” is the model’s willingness to use powerful tools or reveal restricted information.

Persistence, Lateral Movement, and Final Impact

Persistence focuses on keeping the malicious influence alive beyond a single chat session by abusing stateful components such as RAG databases and long‑term memory features.

• Retrieval‑dependent persistence – e.g., the Morris II AI worm and MemoryGraft, where poisoned content sits in email or knowledge bases and reactivates when retrieved as relevant context.

• Retrieval‑independent persistence – demonstrated against ChatGPT’s memory feature and in SpAIware, where the payload is stored in the assistant’s memory and silently injected into every future conversation, even enabling remote command‑and‑control over time.

Lateral Movement describes how promptware spreads across users, systems, and services once an AI assistant is compromised.

• Self‑replicating worms like “Here Comes the AI Worm” force assistants to copy malicious prompts into outgoing emails, infecting every recipient who uses a similar AI assistant.

• Permission‑based movement abuses highly privileged assistants (e.g., Google Gemini‑powered Android Assistant) to control smart‑home devices, launch Zoom calls, or exfiltrate browser data.

• Pipeline‑based movement (e.g., AgentFlayer attacks on Cursor) rides normal workflows from customer tickets into developer tools to steal secrets.

Actions on Objective is the final phase where attackers achieve concrete outcomes, ranging from data exfiltration and phishing to physical and financial damage or remote code execution. Case studies include:

• Assistants leaking sensitive emails.

• Controlling IoT devices to open windows or activate cameras.

• Tricking commercial chatbots into unfavorable deals.

• Draining cryptocurrency trading agents such as AiXBT.

• Exploiting AI‑integrated IDEs’ shell tools (Agentic ProbLLMs) for full remote code execution.

The severity of this last step depends on the tools integrated into the AI system, its permission scope, and how autonomously it can act without human review.