Papers
Topics
Authors
Recent
Search
2000 character limit reached

Autonomous AI-Driven Worms

Updated 7 June 2026
  • Autonomous AI-driven worms are self-propagating malware systems that use large language models to dynamically generate and transmit malicious payloads.
  • They integrate multi-agent LLM frameworks with adaptive infection vectors, enabling context-aware, zero-click, multi-hop propagation across diverse networks.
  • The topic highlights challenges to traditional cybersecurity, prompting development of formal defenses, continuous monitoring, and adaptive mitigation strategies.

Autonomous AI-driven worms are self-propagating malware systems in which artificial intelligence—primarily LLMs or GenAI agents—assume autonomous control over the full infection, exploitation, and propagation cycle. Unlike traditional worms, which generally spread through hardcoded vulnerabilities and static payloads, AI-driven worms are characterized by their ability to reason, generate context-specific attack logic, adapt to heterogeneous targets, and persist or escalate across agent-based software, RAG-enhanced applications, or even infrastructure-level endpoints. The emergence of this class introduces new attack and defense paradigms across retrieval-augmented generation (RAG) apps, multi-agent LLM frameworks, and unmanaged networked devices (Cohen et al., 2024, Zhang et al., 16 Mar 2026, Zha et al., 4 May 2026, Guan et al., 2 Jun 2026).

1. Conceptual Architecture and Self-Propagating Primitives

The architecture of autonomous AI-driven worms typically comprises three core components: the LLM or agent core (including reasoning and control logic), a propagation substrate (messaging/channel integrations or lateral movement tools), and payload optimization pipelines. In classical GenAI-powered RAG apps, the worm manifests as an adversarial self-replicating prompt xx, crafted so that a GenAI model GG outputs xx verbatim (self-replication) along with an attacker-controlled malicious effect (payload). The fundamental propagation cycle is:

  1. Attacker delivers xx via a channel (e.g., email or chat) to a target.
  2. G(x)G(x) or G(wxy)G(w \| x \| y) triggers both the payload (such as confidential data extraction) and the exact re-transmission of xx, recursively infecting other agents.
  3. The infected prompt xx persists in agent state or vector-stores and is re-executed passively whenever surfaced in a future context window, enabling zero-click, multi-hop propagation (Cohen et al., 2024, Zha et al., 4 May 2026).

For multi-agent LLM frameworks, the worm's lifecycle involves persistent configuration hijacking, automatic payload execution across agent restarts, and autonomous re-transmission on encountering new peers. Infection vectors include direct prompt instructions, supply-chain poisoning, and trusted-tool misuse. Each of these can achieve end-to-end, multi-hop propagation in open agent ecosystems (Zhang et al., 16 Mar 2026).

On heterogeneous compute networks, AI worms leverage open-weight LLMs running parasitically on compromised GPUs. These worms employ an eight-phase controller: network and host reconnaissance, privilege escalation, and replication (either by local model deployment or remote inference). A hierarchical memory architecture and reasoning graph enable adaptive vulnerability analysis and payload synthesis at each host (Guan et al., 2 Jun 2026).

2. Infection Vectors, Population Dynamics, and Propagation Models

Autonomous AI-driven worms employ a range of infection vectors, each exploiting key trust boundaries in agent design or ecosystem architecture:

  • Prompt Injection: Adversarial prompts target GenAI assistants relying on RAG retrieval, storing replicable payloads in vector stores. Retrieval into the context window and subsequent re-output by the LLM effect the chain reaction (Cohen et al., 2024).
  • Configuration Manipulation: In LLM-agent ecosystems, direct writes to persistent configuration or memory files (e.g., AGENTS.md) allow worms to both survive restarts and execute payloads on session startup (Zhang et al., 16 Mar 2026):
    • Vector A: Web-based configuration overwrite.
    • Vector B: Supply-chain poisoning via malicious skills.
    • Vector C: In-chat fenced code and copy-paste workflows.
  • Privilege Escalation and Lateral Movement: AI worms reason about each host’s state and synthesize live exploits, traversing from I/O-only agents to code-execution-enabled peers and back (Guan et al., 2 Jun 2026, Zha et al., 4 May 2026).

Propagation is modeled through both discrete recurrence and continuous mean-field equations. For RAG-based worms, the per-hop propagation rate is:

p(C,d)=pretrieval(C,d)preplication(C,d)ppayload(C,d)p(C, d) = p_{\mathrm{retrieval}}(C, d) \cdot p_{\mathrm{replication}}(C, d) \cdot p_{\mathrm{payload}}(C, d)

where CC is the context size and GG0 is embedding dimension. The expected number of infected hosts over GG1 hops, if GG2 are initially compromised, is:

GG3

(Cohen et al., 2024). For network worms, epidemiological models apply:

GG4

with the basic reproduction ratio GG5 and defender patch/containment parameters impacting GG6 (Guan et al., 2 Jun 2026).

3. Payload Robustness, Optimization, and Multi-Hop Survival

AI-driven worms must withstand agent or LLM-mediated transformations—including summarization, paraphrasing, or compression—across multiple propagation hops. The Summary-Resilient Payload Optimizer (SRPO) (Zha et al., 4 May 2026) formulates payload generation as a multi-objective optimization problem:

GG7

where GG8 (persistence), GG9 (propagation success), xx0 (operational effect), and xx1 (critical token retention) must all meet threshold requirements after xx2 iterations of simulated LLM transformations. SRPO utilizes a triad of LLM roles—Generator, Simulator, Judge—to optimize for payloads that persist and function even after multiple agent-mediated edits.

Empirical results show user-prompt carriers (e.g., heartbeat, task state files) yield nearly 100% compliance and propagation, while system-prompt carriers are less reliable (45–60%) (Zha et al., 4 May 2026). Experiments demonstrate robust three-hop, cross-platform zero-click propagation in production agent frameworks.

4. Quantitative Evaluation and Empirical Findings

Extensive experiments characterize operational success rates, propagation efficiencies, and key determinants of worm survivability:

Framework/Metric Persistence Re-entry Propagation Privilege Esc.
Agent Framework A
Agent Framework B
Agent Framework C

Propagation is zero-click, cross-platform, and achieved through shared language protocols and persistent state reading (heartbeat or scheduled autoload) (Zha et al., 4 May 2026).

In RAG-powered systems, increasing context size xx3 boosts poisoned record retrieval (from ≈5% at xx4=5 to ≈100% at xx5=50) but degrades replication+payload success, which is highest for xx6 (Cohen et al., 2024). For ClawWorm in OpenClaw, the global end-to-end attack success rate is ASR = 0.85 (xx7 across vectors and payloads), with individual phase success for persistence (0.92 global), execution (0.85), and propagation (0.92) (Zhang et al., 16 Mar 2026). Adaptive worms on heterogeneous networks reached an exploitation rate of 73.8% and end-to-end replication of 61.8% over 15 runs (33 hosts), significantly exceeding the “one-host-per-fixed CVE” paradigm of traditional worms (Guan et al., 2 Jun 2026).

5. Root Causes, Attack Surface Analysis, and Empirical Insights

Comprehensive analysis identifies critical architectural flaws that enable AI-driven worms:

  • Context privilege collapse: Lack of token provenance tracking and undifferentiated ingestion allows attacker data to become executable code or high-authority prompt input (Zhang et al., 16 Mar 2026, Zha et al., 4 May 2026).
  • Persistent agent state re-entry: Exposed reads from tainted files (“exposed read”) are the principal threat, more so than writes alone; the primitive xx8 describes the exploitation chain (Zha et al., 4 May 2026).
  • Configuration trust boundaries: Direct, unvalidated writes to AGENTS.md and similar core artifacts lack cryptographic validation or privilege boundaries (Zhang et al., 16 Mar 2026).
  • Supply-chain escalation: Skills and plugins often have insufficient isolation and can escalate their privilege to core agent configuration (Zhang et al., 16 Mar 2026).
  • Dynamic exploit synthesis: AI agents can synthesize real-time payloads tailored to exact host configurations, signatures, and observed vulnerabilities, enabling continuous adaptation (Guan et al., 2 Jun 2026).

Empirical studies confirm memory-contamination persistence (no self-correction across 5 restarts) and high per-hop conditional propagation (≈0.91 in multi-hop tests) (Zhang et al., 16 Mar 2026).

6. Formal Defenses, Mitigation Strategies, and Provable Guarantees

Defensive schemes against autonomous AI-driven worms are multi-layered and, in recent work, formally verified:

  • Temporal Re-entry Control (RTW-A): Enforces that after a tainted write xx9, no exposed read xx0 is allowed. Coupled with persistent taint labeling, typed memory promotion (only schema-validated content is autoloaded into trusted stores), sealed configuration (write-protected critical files), and capability attenuation (restricting high-risk actions following contamination), this structure globally precludes the persistent worm propagation chain (Zha et al., 4 May 2026). The “No Persistent Worm Propagation Theorem” provides this guarantee:

xx1

  • Context privilege isolation: Partition context into trusted/untrusted zones with privilege labeling and query filtering (Zhang et al., 16 Mar 2026).
  • Configuration integrity verification: Use rule-based scanners and cryptographically signed configurations, loaded by secure enclaves (Zhang et al., 16 Mar 2026).
  • Zero-trust tool policies: Enforce fine-grained permissioning and explicit user approval on high-risk tools such as shell, URL fetchers, and file-writers (Zhang et al., 16 Mar 2026).
  • Output rewriting: Paraphrasing every model return to prevent verbatim adversarial code propagation (Cohen et al., 2024).
  • Audit logging and heartbeat monitoring: Maintain high-fidelity traces of writes, reads, and LLM calls to detect deviations from expected temporal sequences (Zha et al., 4 May 2026).

A layered approach balances security enforcement with usability by allowing opaque reads and deferring capability attenuation only after high-risk actions.

7. Broader Implications and Economic Asymmetries

AI-driven worms introduce new forms of attacker-defender game-theoretic imbalances. Attackers pay near-zero marginal cost per infection by using parasitically hijacked compute resources, while defenders incur patching and monitoring costs per host. Because these worms leverage open-weight models and decentralized inference, traditional AI safety controls—API rate limits, platform logging, or service refusals—are structurally ineffective (Guan et al., 2 Jun 2026). The attacker’s adaptive capability also renders static CVE patching strategies insufficient.

Only rapid, autonomous patch deployment, zero-trust segmentation, and continuous detection architectures are sufficient to counter this class of adaptive, generative adversary. Persistent, AI-driven worms thus collapse the historical trade-off between scale and target adaptation and demand a formal engineering treatment of both LLM agent architecture and broader cyber-ecosystem design (Zha et al., 4 May 2026, Guan et al., 2 Jun 2026).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Autonomous AI-Driven Worms.