Ethical Considerations
We acknowledge the dual-use nature of our study. On one hand, it raises awareness of an emerging threat and enables developers to strengthen applications' underlying LLMs and marketplaces against it. On the other hand, the techniques we describe could potentially be misused by malicious actors.
We believe that conducting and publishing this research is essential to provide the scientific community and practitioners with a rigorous characterization of this emerging threat.
Accordingly, we responsibly disclosed our findings to the affected application vendors, foundation model providers, and relevant marketplace maintainers before publication.
We also redacted implementation details that could be directly replicated by attackers to facilitate exploitation.
Furthermore, we adopted several technical safeguards throughout the study to minimize the risk of unintended misuse during our experiments.
In light of these precautions (which we discuss in detail in the paper), we conclude that the benefits of enabling the broader community to understand, anticipate, and mitigate the risks posed by agentic botnets outweigh the potential risks associated with publishing these findings.
TLDR
We show that attackers can exploit predictable LLM hallucinations of resource identifiers to launch scalable, untargeted prompt injection attacks without requiring any direct channel to LLM applications. By preemptively registering hallucinated resources—a technique we call adversarial hallucination squatting (HalluSquatting)—we demonstrate remote tool execution and remote code execution at scale across a range of popular agentic LLM applications, which could be exploited to the establishment of a botnet.
Abstract
The growing adoption of agentic LLM applications has introduced a new threat previously named as promptware. While prior work has established that adversaries can exploit direct channels to LLM applications to apply promptware under weak threat models (e.g., by sending emails or calendar invitations to a target), many applications do not provide any direct channels that could be exploited for prompt injection beyond the Internet. This raises a fundamental question: can attackers exploit LLM applications at scale without any direct channels in practical threat models?
In this work, we show that the inherent tendency of LLMs to hallucinate resource identifiers can be exploited to enable scalable, untargeted attacks that could be exploited to establish a botnet. We introduce adversarial hallucination squatting, a technique in which attackers identify trending resources (e.g., popular repositories, popular skills, etc.), compute the LLM distribution of hallucinations on the trending resource names, and preemptively register them to host adversarial prompts (e.g., instructing an LLM to install a bot or running a script that installs a bot). By leveraging the predictability and transferability of hallucinations across foundational LLMs and to application layers, adversaries can significantly amplify the reach of untargeted promptware under weak threat models and establish a botnet by exploiting LLM applications to install a bot on the device that "pulled" the compromised hallucinated resource from the Internet. We empirically demonstrate that hallucinated resource generation occurs at high rates—up to 85% in repository cloning scenarios and up to 100% in skill installation—and that these hallucinations transfer between foundational models and different prompts. We demonstrate the practicality of adversarial hallucination squatting against various LLM applications with integrated terminals in their set of tools, including AI coding assistants (Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline), CLIs (Gemini CLI), and assistants (OpenClaw, ZeroClaw, and NanoClaw), achieving remote tool execution and remote code execution (RCE). We conclude by discussing mitigation strategies and the similarities to typosquatting
Threat Model
Attack Steps.
(0) Preparation. The attacker identifies popular resources by tracking Internet trends (e.g., repositories, skills, etc). The attacker then probes an oracle—such as the target application or a foundational LLM—using prompts intended to elicit resource hallucinations (e.g., “clone repository,” “generate a shell command to clone a repository,” “install a skill”). The attacker calculates a distribution over returned resources (from the outputs) and identifies a universal squatting candidate, a high-probability hallucination candidate that could be registered. The attacker subsequently registers this resource and embeds adversarial prompts within it
(1) Trigger. The user prompts an LLM- based application to perform a task that requires external resource access (e.g., “clone repo name”, “install skill name”).
(2) Planning. The agentic application uses an LLM to plan a sequence of actions or function calls needed to fulfill the user request.
(3) Hallucination. The LLM hallucinates a resource’s identifier and outputs an incorrect reference to the squatted resource from step 0.
(4) Retrieval. The agentic framework retrieves the squatted resource (instead of the original resource).
(5) Context poisoning. The adversarial content poisons the application context and triggers
(6) Tool invocation to perform a promptware attack, causing the application to execute attacker-controlled instructions. This leads to various malicious outcomes (e.g., turning the device into a bot)
FAQ
What is the difference between untargeted pull-based indirect prompt (poisoning a webpage) injections and targeted push-based indirect prompt injection (poisoning emails)?
The main difference is in the likelihood of compromise.
Push-based indirect prompt injections rely on poisoning emails or calendar invitations with adversarial prompts. They are associated with a high likelihood of compromise because emails and calendar invitations are automatically stored in a user's workspace. Therefore, we consider emails and calendar invitations as channels that allow attackers to "push" adversarial prompts in a targeted manner into a user's application with high likelihood of success in response to a relevant user prompt (e.g., what are the recent emails I received?, what are my next meetings?).
Pull-based indirect prompt injections rely on poisoning webpages with adversarial prompts. They are associated with low likelihood of compromise because webpages don't provide a targeted channel to an LLM application (i.e., webpages are an untargeted channel). Therefore, users need to actively "pull" the compromised webpage into their LLM applications. In practice, highly popular webpages that are frequently retrieved by users (e.g., a CNN webpage) are difficult for attackers to compromise, whereas compromising obscure webpages (a personal webpage) typically results in a low retrieval rate.
Why are trending resources (e.g., repositories and skills) an interesting target for attackers?
Trending resources ensure high request volume from users using their LLM applications. Moreover, popular/trending resources tend to be recently uploaded resources, which ensures a high hallucination rate by the LLM because they weren't part of the training set used to train the LLM used by the LLM application.
What do attackers gain by computing the distribution of hallucinations in response to frequently used prompts to obtain the resources?
Attackers can identify candidates with a high probability of retrieval by an LLM application in response to the frequent prompt. For example, they can identify that the instruction to an AI coding assistant, "please clone trending-repo," is translated in practice to the command "git clone fake-repo" with very high likelihood and register (hallusquatt) the fake-repo while including adversarial prompts in it (adversarial hallusquatting).
How does this scale/amplify prompt injection?
The amplification of the botnet (i.e., 1 compromised resource -> n compromised machines) relies on
(1) targeting popular and trending resources (repositories and skills), which ensures high request volume for the original resource for a frequent prompt (e.g., clone repo trending-repo),
(2) identifying the most hallucinated resources an LLM hallucinates (in response to the trending resource), which ensures a high hallucination rate, and
Registering the most popular hallucination in relevant marketplaces, which ensures a high retrieval of the hallucinated resource in response to the frequent prompt.
|high request volume for the original resource| x high hallucination rate =
|high retrieval of the hallucinated resource| =
Amplification of a poisoned resource using a single resource (repository)
How could scalable prompt injections be misused to establish a botnet?
Most applications that retrieve repositories and skills from the Internet contain terminals as one of their integrated tools. Consequently, attackers could exploit an LLM application to install a bot on the device by instructing the LLM to do so or by instructing it to run a script that installs a bot.
Amplifying installations of bots on devices = the establishment of a botnet
What is the significance of the agentic botnet with respect to traditional botnets?
Traditional botnets are hard to establish.
In many cases, their establishment relies on poor security implementation/decision (e.g., using default or weak passwords) or lateral movement capabilities (being a worm) between devices (e.g., the Mirai botnet). In addition, in some cases, their establishment is required to bypass firewalls. Finally, since the code used to establish them is, in many cases, static, the distribution of the affected devices is homogeneous (e.g., the hosts of most of the devices exploited by the Mirai botnet were IP cameras that hosted a vulnerable OS version).
The agentic botnet doesn't rely on default/weak passwords and doesn't require lateral movement. In addition, prompt injections aren't monitored by firewalls, and the bot could potentially be installed on any device independent of the OS (so the distribution of the compromised devices and OS is much more heterogeneous).
What do you mean by Universal and Transferable Adversarial HalluSquatting
The most frequent LLM hallucinations of popular resources are common across foundational LLMs developed by different vendors (i.e., transferable between foundational LLMs). Therefore, attackers can hallusquatt (register) a resource that will be retrieved independently of the identity of the LLM used by the LLM application. In addition, Hallusquatting universally applies to a broad range of LLM applications in production.
Could attackers improve the success rate of the adversarial hallusquatting attack?
Our findings are only a lower bound on what attackers could do.
Attacks always get better; they never get worse.
What is promptware?
Promptware (prompt-malware) is an LLM malware initiated by an adversarial prompt.
Prompt injections have evolved into a new form of malware (prmptware) that hijacks the LLM of an LLM application and exploits it to perform malicious activity.
Treating prompt injections as the LLM equivalent of SQL injection underestimates the severity of the threat (1,2) because, since 2022, prompt injections have evolved in their sophistication and adopted traditional malware properties, including lateral movement between LLM applications (1,2), persistence (1), and C2 (1,2).
Consequently, we consider Promptware a new form of LLM malware that is now structured in a multi-step malware delivery mechanism that could be abused to deliver any kind of malware (e.g., RCE, IoT manipulation, data exfiltration) at its final step, while prompt injections constitute the first step in the kill chain.
We discussed it recently at RWAISec'26 (video) and on a recent BlackHat webinar.
Is your study a form promptware?
Yes and no.
The attack moves between two different kill chains (the promptware kill chain -> traditional malware kill chain).
Adversarial HalluSquatting starts with pulling adversarial prompts into an LLM application and ends with instructing the LLM application to install a bot using RCE.
The beginning of the attack, which involves the injection of an adversarial prompt that hijacks an LLM application and exploits the LLM to perform malicious behaviour (to use the terminal and install a bot), is a form of the Promptware Kill Chain. However, after the bot is installed on a device by the LLM application, the bot will no longer exploit an LLM to perform malicious activity, so the promptware kill chain ends, and the old familiar malware kill chain starts.
What mitigations should be applied?
LLM application-side mitigations. Invoking a search tool substantially reduces hallucination rates. Building on this observation, developers of LLM-based applications can enforce a workflow in which a search tool invocation precedes any fetch operation. Concretely, we suggest augmenting the planner component (e.g., in an AI coding assistant) with few-shot examples that demonstrate correct planning patterns for retrieving resources, such as repositories, in response to user prompts (e.g., “clone a repo” or “generate a shell command to clone a repository”). These examples can bias the planner toward incorporating an explicit search step before attempting retrieval. In addition, proactive mitigations can be implemented to detect and regulate resource-fetching behavior. This can be achieved by (1) analyzing user requests for keywords indicative of retrieval intent (e.g., clone, install, fetch), and (2) inspecting the planner’s generated execution plan for explicit fetch tool invocations, and (3) modifying the implementation of the fetch tool within the agentic framework to enforce a preceding search step before any retrieval is executed. In addition, incorporating mitigations against prompt injections to agentic applications could further secure them in case a squatting attack succeeds.
Platform-side mitigations. Platform\marketplace providers can mitigate hallusquatting by enforcing stricter registration constraints. One approach is to ensure global name uniqueness. This can be achieved by eliminating namespaces (e.g., owner identifiers on platforms such as GitHub), thereby requiring repository names to be globally unique, which would prevent attackers from registering well-known repository names under different owners. Alternatively, platforms can preserve namespaces while still enforcing uniqueness by prohibiting the reuse of existing repository names across different owners. Another complementary approach is to address predicted hallucinated resources using a strategy similar to defenses against typosquatting—namely, preemptive registration of likely hallucinations. This requires identifying potential hallucinated resource names in advance and proactively registering available squatting candidates to redirect to the original resource to prevent their malicious use. Additionally, platforms should incorporate mitigations to identify adversarial prompts in registered content.
Did you upload malicious skills and repositories to GitHub and ClawHub?
Due to ethical considerations, we registered a benign repository on GitHub and published a benign skill on ClawHub rather than deploying malicious payloads. We acknowledge that this approach did not exercise the malware detection mechanisms deployed by GitHub and ClawHub, which may identify and remove malicious content.
However, a recent study has shown that these scanning mechanisms can be readily bypassed using relatively simple techniques (by Trail of Bits), while another recent study has identified 824 malicious skills hosted on ClawHub (by KOI).
These findings suggest that the deployment of malicious resources on these platforms remains feasible in practice.
Takeaways
Prompt injection attacks delivered through the web are often perceived as having a relatively low likelihood of compromise (in contrast to prompt injections over emails or calendar invitations) because they require a user or application to actively retrieve the compromised resource from the Internet.
In practice, highly popular resources are difficult for attackers to compromise, whereas compromising obscure resources typically results in a low retrieval rate. HalluSquatting, the preemptive registration of resources that LLMs are likely to hallucinate when referring to popular resources, fundamentally changes this tradeoff by significantly increasing the likelihood that agentic applications will retrieve attacker-controlled content.
LLM hallucinations of resources are transferable across a wide range of foundational LLMs and universally apply to a broad range of LLM applications in production.
HalluSquatting a popular resource and including adversarial instructions to install a bot on a device amplifies the scalability of prompt injections and could be exploited to establish a botnet.
Talks
Press
Shorts\Reels