Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting
Search this site
Embedded Files
Skip to main content
Skip to navigation
Beware of Agentic Botnets:<br>Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting
Involved Researchers:
Aya Spira, Tel Aviv University<br>Stav Cohen, Technion<br>Elad Feldman, Tel Aviv University<br>Ron Bitton, Intuit<br>Avishai Wool, Tel Aviv University<br>Ben Nassi, Tel Aviv University
Download Paper
Ethical Considerations<br>We acknowledge the dual-use nature of our study. On one hand, it raises awareness of an emerging threat and enables developers to strengthen applications' underlying LLMs and host frameworks against it. On the other hand, the techniques we describe could potentially be misused by malicious actors to facilitate the creation of agentic botnets. We believe that conducting and publishing this research is essential to provide the scientific community and practitioners with a rigorous characterization of this emerging threat.<br>Accordingly, we responsibly disclosed our findings to the affected application vendors, foundation model providers, and relevant host framework maintainers before publication.
We also redacted implementation details that could be directly replicated by attackers to facilitate exploitation.
Furthermore, we adopted several technical safeguards throughout the study to minimize the risk of unintended misuse during our experiments.
In light of these precautions, we conclude that the benefits of enabling the broader community to understand, anticipate, and mitigate the risks posed by agentic botnets outweigh the potential risks associated with publishing these findings.
TLDR<br>We show that attackers can exploit predictable LLM hallucinations of resource identifiers to launch scalable, untargeted prompt injection attacks without requiring any direct channel to LLM applications. By preemptively registering hallucinated resources—a technique we call adversarial hallucination squatting (HalluSquatting)—we demonstrate remote tool execution and remote code execution at scale across a range of popular agentic LLM applications, which could be exploited to the establishment of a botnet.
Abstract<br>The growing adoption of agentic LLM applications has introduced a new threat previously named as promptware. While prior work has established that adversaries can exploit direct channels to LLM applications to apply promptware under weak threat models (e.g., by sending emails or calendar invitations to a target), many applications do not provide any direct channels that could be exploited for prompt injection beyond the Internet. This raises a fundamental question: can attackers exploit LLM applications at scale without any direct channels in practical threat models?<br>In this work, we show that the inherent tendency of LLMs to hallucinate resource identifiers can be exploited to enable scalable, untargeted attacks that could be exploited to establish a botnet. We introduce adversarial hallucination squatting, a technique in which attackers identify trending resources (e.g., popular repositories, popular skills, etc.), compute the LLM distribution of hallucinations on the trending resource names, and preemptively register them to host adversarial prompts (e.g., instructing an LLM to install a bot or running a script that installs a bot). By leveraging the predictability and transferability of hallucinations across foundational LLMs and to application layers, adversaries can significantly amplify the reach of untargeted promptware under weak threat models and establish a botnet by exploiting LLM applications to install a bot on the device that "pulled" the compromised hallucinated resource from the Inter. We empirically demonstrate that hallucinated resource generation occurs at high rates—up to 85% in repository cloning scenarios and up to 100% in skill installation—and that these hallucinations transfer between foundational models and different prompts. We demonstrate the practicality of adversarial hallucination squatting against various LLM applications with integrated terminals in their set of tools, including AI coding assistants (Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline), CLIs (Gemini CLI), and assistants (OpenClaw, ZeroClaw, and NanoClaw), achieving remote tool execution and remote code execution (RCE). We conclude by discussing mitigation strategies and the similarities to typosquatting
Threat Model
Attack Steps.<br>(0) Preparation. The attacker identifies popular resources by tracking Internet trends (e.g., repositories, skills, etc). The attacker then probes an oracle—such as the target application or a foundational LLM—using prompts intended to elicit resource hallucinations (e.g., “clone repository,” “generate a shell command to clone a repository,” “install a skill”). The attacker calculates a distribution over returned resources (from the...