Autonomous AI-Driven Worms
- Autonomous AI-driven worms are self-propagating malware systems that use large language models to dynamically generate and transmit malicious payloads.
- They integrate multi-agent LLM frameworks with adaptive infection vectors, enabling context-aware, zero-click, multi-hop propagation across diverse networks.
- The topic highlights challenges to traditional cybersecurity, prompting development of formal defenses, continuous monitoring, and adaptive mitigation strategies.
Autonomous AI-driven worms are self-propagating malware systems in which artificial intelligence—primarily LLMs or GenAI agents—assume autonomous control over the full infection, exploitation, and propagation cycle. Unlike traditional worms, which generally spread through hardcoded vulnerabilities and static payloads, AI-driven worms are characterized by their ability to reason, generate context-specific attack logic, adapt to heterogeneous targets, and persist or escalate across agent-based software, RAG-enhanced applications, or even infrastructure-level endpoints. The emergence of this class introduces new attack and defense paradigms across retrieval-augmented generation (RAG) apps, multi-agent LLM frameworks, and unmanaged networked devices (Cohen et al., 2024, Zhang et al., 16 Mar 2026, Zha et al., 4 May 2026, Guan et al., 2 Jun 2026).
1. Conceptual Architecture and Self-Propagating Primitives
The architecture of autonomous AI-driven worms typically comprises three core components: the LLM or agent core (including reasoning and control logic), a propagation substrate (messaging/channel integrations or lateral movement tools), and payload optimization pipelines. In classical GenAI-powered RAG apps, the worm manifests as an adversarial self-replicating prompt , crafted so that a GenAI model outputs verbatim (self-replication) along with an attacker-controlled malicious effect (payload). The fundamental propagation cycle is:
- Attacker delivers via a channel (e.g., email or chat) to a target.
- or triggers both the payload (such as confidential data extraction) and the exact re-transmission of , recursively infecting other agents.
- The infected prompt persists in agent state or vector-stores and is re-executed passively whenever surfaced in a future context window, enabling zero-click, multi-hop propagation (Cohen et al., 2024, Zha et al., 4 May 2026).
For multi-agent LLM frameworks, the worm's lifecycle involves persistent configuration hijacking, automatic payload execution across agent restarts, and autonomous re-transmission on encountering new peers. Infection vectors include direct prompt instructions, supply-chain poisoning, and trusted-tool misuse. Each of these can achieve end-to-end, multi-hop propagation in open agent ecosystems (Zhang et al., 16 Mar 2026).
On heterogeneous compute networks, AI worms leverage open-weight LLMs running parasitically on compromised GPUs. These worms employ an eight-phase controller: network and host reconnaissance, privilege escalation, and replication (either by local model deployment or remote inference). A hierarchical memory architecture and reasoning graph enable adaptive vulnerability analysis and payload synthesis at each host (Guan et al., 2 Jun 2026).
2. Infection Vectors, Population Dynamics, and Propagation Models
Autonomous AI-driven worms employ a range of infection vectors, each exploiting key trust boundaries in agent design or ecosystem architecture:
- Prompt Injection: Adversarial prompts target GenAI assistants relying on RAG retrieval, storing replicable payloads in vector stores. Retrieval into the context window and subsequent re-output by the LLM effect the chain reaction (Cohen et al., 2024).
- Configuration Manipulation: In LLM-agent ecosystems, direct writes to persistent configuration or memory files (e.g., AGENTS.md) allow worms to both survive restarts and execute payloads on session startup (Zhang et al., 16 Mar 2026):
- Vector A: Web-based configuration overwrite.
- Vector B: Supply-chain poisoning via malicious skills.
- Vector C: In-chat fenced code and copy-paste workflows.
- Privilege Escalation and Lateral Movement: AI worms reason about each host’s state and synthesize live exploits, traversing from I/O-only agents to code-execution-enabled peers and back (Guan et al., 2 Jun 2026, Zha et al., 4 May 2026).
Propagation is modeled through both discrete recurrence and continuous mean-field equations. For RAG-based worms, the per-hop propagation rate is:
where is the context size and 0 is embedding dimension. The expected number of infected hosts over 1 hops, if 2 are initially compromised, is:
3
(Cohen et al., 2024). For network worms, epidemiological models apply:
4
with the basic reproduction ratio 5 and defender patch/containment parameters impacting 6 (Guan et al., 2 Jun 2026).
3. Payload Robustness, Optimization, and Multi-Hop Survival
AI-driven worms must withstand agent or LLM-mediated transformations—including summarization, paraphrasing, or compression—across multiple propagation hops. The Summary-Resilient Payload Optimizer (SRPO) (Zha et al., 4 May 2026) formulates payload generation as a multi-objective optimization problem:
7
where 8 (persistence), 9 (propagation success), 0 (operational effect), and 1 (critical token retention) must all meet threshold requirements after 2 iterations of simulated LLM transformations. SRPO utilizes a triad of LLM roles—Generator, Simulator, Judge—to optimize for payloads that persist and function even after multiple agent-mediated edits.
Empirical results show user-prompt carriers (e.g., heartbeat, task state files) yield nearly 100% compliance and propagation, while system-prompt carriers are less reliable (45–60%) (Zha et al., 4 May 2026). Experiments demonstrate robust three-hop, cross-platform zero-click propagation in production agent frameworks.
4. Quantitative Evaluation and Empirical Findings
Extensive experiments characterize operational success rates, propagation efficiencies, and key determinants of worm survivability:
| Framework/Metric | Persistence | Re-entry | Propagation | Privilege Esc. |
|---|---|---|---|---|
| Agent Framework A | ✔ | ✔ | ✔ | ✔ |
| Agent Framework B | ✔ | ✔ | ✔ | ✔ |
| Agent Framework C | ✔ | ✔ | ✔ | ✔ |
Propagation is zero-click, cross-platform, and achieved through shared language protocols and persistent state reading (heartbeat or scheduled autoload) (Zha et al., 4 May 2026).
In RAG-powered systems, increasing context size 3 boosts poisoned record retrieval (from ≈5% at 4=5 to ≈100% at 5=50) but degrades replication+payload success, which is highest for 6 (Cohen et al., 2024). For ClawWorm in OpenClaw, the global end-to-end attack success rate is ASR = 0.85 (7 across vectors and payloads), with individual phase success for persistence (0.92 global), execution (0.85), and propagation (0.92) (Zhang et al., 16 Mar 2026). Adaptive worms on heterogeneous networks reached an exploitation rate of 73.8% and end-to-end replication of 61.8% over 15 runs (33 hosts), significantly exceeding the “one-host-per-fixed CVE” paradigm of traditional worms (Guan et al., 2 Jun 2026).
5. Root Causes, Attack Surface Analysis, and Empirical Insights
Comprehensive analysis identifies critical architectural flaws that enable AI-driven worms:
- Context privilege collapse: Lack of token provenance tracking and undifferentiated ingestion allows attacker data to become executable code or high-authority prompt input (Zhang et al., 16 Mar 2026, Zha et al., 4 May 2026).
- Persistent agent state re-entry: Exposed reads from tainted files (“exposed read”) are the principal threat, more so than writes alone; the primitive 8 describes the exploitation chain (Zha et al., 4 May 2026).
- Configuration trust boundaries: Direct, unvalidated writes to AGENTS.md and similar core artifacts lack cryptographic validation or privilege boundaries (Zhang et al., 16 Mar 2026).
- Supply-chain escalation: Skills and plugins often have insufficient isolation and can escalate their privilege to core agent configuration (Zhang et al., 16 Mar 2026).
- Dynamic exploit synthesis: AI agents can synthesize real-time payloads tailored to exact host configurations, signatures, and observed vulnerabilities, enabling continuous adaptation (Guan et al., 2 Jun 2026).
Empirical studies confirm memory-contamination persistence (no self-correction across 5 restarts) and high per-hop conditional propagation (≈0.91 in multi-hop tests) (Zhang et al., 16 Mar 2026).
6. Formal Defenses, Mitigation Strategies, and Provable Guarantees
Defensive schemes against autonomous AI-driven worms are multi-layered and, in recent work, formally verified:
- Temporal Re-entry Control (RTW-A): Enforces that after a tainted write 9, no exposed read 0 is allowed. Coupled with persistent taint labeling, typed memory promotion (only schema-validated content is autoloaded into trusted stores), sealed configuration (write-protected critical files), and capability attenuation (restricting high-risk actions following contamination), this structure globally precludes the persistent worm propagation chain (Zha et al., 4 May 2026). The “No Persistent Worm Propagation Theorem” provides this guarantee:
1
- Context privilege isolation: Partition context into trusted/untrusted zones with privilege labeling and query filtering (Zhang et al., 16 Mar 2026).
- Configuration integrity verification: Use rule-based scanners and cryptographically signed configurations, loaded by secure enclaves (Zhang et al., 16 Mar 2026).
- Zero-trust tool policies: Enforce fine-grained permissioning and explicit user approval on high-risk tools such as shell, URL fetchers, and file-writers (Zhang et al., 16 Mar 2026).
- Output rewriting: Paraphrasing every model return to prevent verbatim adversarial code propagation (Cohen et al., 2024).
- Audit logging and heartbeat monitoring: Maintain high-fidelity traces of writes, reads, and LLM calls to detect deviations from expected temporal sequences (Zha et al., 4 May 2026).
A layered approach balances security enforcement with usability by allowing opaque reads and deferring capability attenuation only after high-risk actions.
7. Broader Implications and Economic Asymmetries
AI-driven worms introduce new forms of attacker-defender game-theoretic imbalances. Attackers pay near-zero marginal cost per infection by using parasitically hijacked compute resources, while defenders incur patching and monitoring costs per host. Because these worms leverage open-weight models and decentralized inference, traditional AI safety controls—API rate limits, platform logging, or service refusals—are structurally ineffective (Guan et al., 2 Jun 2026). The attacker’s adaptive capability also renders static CVE patching strategies insufficient.
Only rapid, autonomous patch deployment, zero-trust segmentation, and continuous detection architectures are sufficient to counter this class of adaptive, generative adversary. Persistent, AI-driven worms thus collapse the historical trade-off between scale and target adaptation and demand a formal engineering treatment of both LLM agent architecture and broader cyber-ecosystem design (Zha et al., 4 May 2026, Guan et al., 2 Jun 2026).