Papers
Topics
Authors
Recent
Search
2000 character limit reached

Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting

Published 8 Jul 2026 in cs.CR | (2607.07433v1)

Abstract: The growing adoption of agentic LLM applications has introduced a new threat previously named as promptware. While prior work has established that adversaries can exploit direct channels to LLM applications to apply promptware under weak threat models, many applications do not provide any direct channels that could be exploited for prompt injection beyond the Internet. This raises a question: can attackers exploit LLM applications at scale without any direct channels in practical threat models? In this work, we show that the inherent tendency of LLMs to hallucinate resource identifiers can be exploited to amplify untargeted promptware attacks that pull adversarial prompts at scale and could be exploited to establish a botnet. We introduce adversarial hallucination squatting, a technique in which attackers identify trending resources (e.g., popular repositories, popular skills, etc.), compute the LLM distribution of hallucinations on the trending resource names, and preemptively register them to host adversarial prompts. By leveraging the predictability and transferability of hallucinations across foundational LLMs and to application layers, adversaries can significantly amplify the reach of untargeted promptware under weak threat models and establish a botnet by exploiting LLM applications to install a bot on the device that pulled the compromised hallucinated resource from the Inter. We empirically demonstrate that hallucinated resource generation occurs at high rates, up to 85% in repository cloning scenarios and up to 100% in skill installation, and that these hallucinations transfer between foundational models and different prompts. We demonstrate the practicality of adversarial hallucination squatting against various production LLM applications with integrated terminals in their set of tools, achieving remote tool execution and remote code execution.

Summary

  • The paper presents a novel method termed 'adversarial HalluSquatting' that exploits predictable LLM hallucinations to trigger untargeted promptware attacks.
  • The methodology combines trend monitoring, hallucination probing, and proactive registration, achieving up to 100% attack success in controlled experiments.
  • Empirical evaluations on coding assistants and personal agents highlight scalable risks including botnet formation and significant supply chain vulnerabilities.

Scalable Untargeted Promptware via Adversarial HalluSquatting in Agentic LLM Applications

Introduction and Threat Model

This paper presents a systematic analysis of scalable, untargeted promptware attacks targeting agentic LLM-powered applications. The study introduces a novel attack vector, Adversarial HalluSquatting, exploiting the propensity of LLMs to hallucinate resource identifiers (e.g., repository names, skill slugs) under specific prompt contexts. In contrast to previously documented prompt injection attacks—which primarily require direct or indirect, but still targeted, access to input channels—this technique leverages the predictability and transferability of LLM hallucinations to enable adversaries to compromise a large number of installations with minimal attacker effort.

The threat model assumes a weak adversary who cannot directly inject prompts into victim applications but can register resources (on platforms such as GitHub or ClawHub) corresponding to likely hallucinations produced by widely-deployed LLMs. Upon user queries such as "clone librepods" or "install skill vetter," LLM-backed agents may hallucinate a resource identifier and inadvertently fetch attacker-registered content, leading to promptware execution and potential system compromise. Figure 1

Figure 1: Threat model illustrating the untargeted promptware attack path, from resource trend monitoring through hallucination-triggered retrieval and execution.

HalluSquatting Attack Mechanics

The attack is characterized by several key steps:

  1. Trend Monitoring & Distribution Estimation: The attacker identifies trending or high-traffic resources that are likely to be queried by users.
  2. Hallucination Probing: By simulating likely prompts against target LLMs (or observing historical outputs), the attacker empirically estimates the probability distribution of hallucinated resource identifiers for these prompts.
  3. Proactive Registration: The attacker registers high-probability hallucinated resources, embedding adversarial promptware (e.g., instructions to install bots, exfiltrate data, or execute shell commands).
  4. Passive Compromise: End users prompt their agentic LLM applications to fetch a given resource. Due to model hallucination, a significant fraction of these requests resolve to attacker-controlled identifiers, triggering the pull and execution of adversarial content.

Notably, this attack paradigm is inherently scalable (single resource registration can compromise numerous instances) and untargeted (no victim-specific prompting or phishing is required). The attack is also highly generalizable across both LLM model families and application layers.

Empirical Evaluation: Coding Assistants

Repository Hallucination Dynamics

Extensive experiments were conducted across six state-of-the-art LLMs and multiple production agentic coding assistants. Results demonstrate that, for recently-trending repositories absent from model training sets, the hallucination rate (i.e., failure to resolve the correct resource owner) is 92.4%. For some models and repositories, 100% hallucination is observed. Systematic patterns were observed: hallucinated slugs frequently take forms such as <repository>/<repository> (self-referential), random GitHub owners, or generic placeholders. A significant subset of hallucinated slugs are directly registrable as new resources by any attacker.

The high hallucination rate is sharply contrasted by a 0.9% mean rate for long-established repositories, confirming that the phenomenon is driven by the absence of up-to-date entities in the LLM training corpus.

Attack Success in Production Assistants

Evaluation across Cursor, Gemini CLI, Windsurf, Copilot, and Cline revealed:

  • Repository squatting attacks succeed in 20%–65% of tested cases.
  • Payload execution—ranging from agent tool invocation to full remote code execution (RCE)—shows substantial success, with executions observed in up to 65% (Windsurf) and consistently high rates for several agents.
  • Even basic, non-obfuscated payloads targeting standard execution flows (e.g., README instructions to run a "setup" script) were properly executed without resistance by assistants.

Crucially, hallucinated resource patterns and successful attacks were found to be transferable across both model backbones and application implementations, confirming the attack's universality.

Empirical Evaluation: LLM Personal Assistants

The attack generalizes from code repositories to "skill" installation in agentic assistants, specifically targeting the ClawHub skill marketplace. Two primary vulnerability classes within skill resolution were identified:

  • V1: Word Removal: Agents systematically ignore boilerplate tokens (e.g., "skill"), leading to resolution of ambiguous or attacker-registered slugs.
  • V2: Display-Name/Slug Divergence: When skills' human-readable names and internal slugs diverge—and especially when documentation is non-English—the assistant's resolver often fails to map user queries onto the correct skill, defaulting instead to hallucinated slugs.

Experiments demonstrate near-universal vulnerability across both classes:

  • For V1 (word removal), a single squattable slug intercepted 95% of install attempts (e.g., “vetter” for “skill-vetter”) across four LLM backbones.
  • Across both V1 and V2, 90.7% of installation attempts resolved to squattable slugs; the success rate reached 100% for numerous skills and assistant combinations.
  • Attacks were validated on OpenClaw, ZeroClaw, and NanoClaw with payload execution rates nearing 100% for exfiltration and 88%+ for RCE.

Mitigations and Discussion

Several defense strategies were outlined and empirically assessed:

  • Mandated Search Tool Interposition: Forcing LLM applications to resolve resource fetching via search tools (rather than by direct next-token prediction) substantially reduced hallucination rates. For instance, requiring search before cloning lowered incorrect resolution from nearly 100% to below 10% in some models.
  • Platform-Level Constraints: Enforcing stricter naming, preventing duplicate slugs, or proactively "pre-squatting" likely hallucinated identifiers can blunt attack feasibility.
  • Prompt Framing and Planner Modification: Integrating example-driven planning and explicit verification steps into agentic workflows can reduce hallucination-induced fetches; but prompt phrasing remains a non-trivial variable, as no prompt style was found universally safe.

Notably, platform providers variably dismissed the identified threat as outside their operational scope, highlighting an accountability gap between LLM application developers and underlying infrastructure providers. This, combined with high deployment rates of agentic LLMs and the trend toward greater agentic autonomy, presents a nontrivial long-term risk surface.

Implications and Future Directions

The universal, transferable nature of adversarial HalluSquatting exposes a foundational security risk in agentic LLM ecosystems, particularly as these systems become further integrated into developer and consumer workflows and gain expanded action capabilities (e.g., filesystem, terminal access).

Key implications include:

  • Emergent Botnet Risk: The paper demonstrates attack feasibility sufficient to assemble agent-driven botnets via adversarial promptware installation, comparable in impact to prior generations of worms and supply-chain attacks.
  • Supply Chain and Marketplace Security: Security is not bounded by traditional user input validation, but now fundamentally dependent on agentic model behavior and platform-level identifier management.
  • Generalization to Other Modalities: Although experiments focused on repositories and skill slugs, any agentic LLM application that fetches resources by identifier (e.g., package managers, container registries, web APIs) is a potential attack vector.
  • Limitations of Human-in-the-Loop: Reliance on user vigilance is insufficient, as agentic autonomy and prompt-driven workflows routinely bypass explicit user review.

Future mitigation strategies—such as context-aware resource resolution, universal hallucination-aware identifier gating, and model-level anti-promptware defenses—will likely require deep co-design across application, platform, and model layers. The persistent and subtle nature of hallucination-induced vulnerabilities elevates promptware defense to a central concern for LLM-based system security.

Conclusion

This work rigorously demonstrates that adversarial HalluSquatting constitutes a universal and scalable promptware attack, enabled by predictable LLM hallucinations and weak resource registration constraints. The attack exhibits high transferability across LLMs, applications, and prompt styles, permitting untargeted compromise at scale—up to and including botnet formation. Effective mitigation will necessitate systematic changes to both agentic application architecture and resource platform registration policies, as well as further investigation into hallucination-resilient LLM design and tool usage patterns. The findings delineate an urgent agenda for secure deployment of agentic LLM systems and raise foundational challenges at the AI/security interface.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 4 tweets with 18 likes about this paper.