Zombie Agent: Persistent Computational Entities
- Zombie Agent is defined as a persistent computational entity that survives standard termination through mechanisms like infected hosts, poisoned LLM memories, and post-revocation authority.
- In cybersecurity, zombie agents maintain local trust networks and perform covert operations, while in LLM contexts they leverage recursive memory updates to perpetuate malicious behavior.
- Studies extend to epidemic and active-matter models, using mathematical formalisms to analyze agent persistence, recovery dynamics, and system-wide impact.
“Zombie agent” denotes several distinct but structurally related objects in current research: an infected machine in a fully distributed P2P botnet, a self-evolving LLM agent persistently subverted through long-term memory, a descendant agent that retains credentialed authority after its parent is revoked, a temporarily unreliable LLM collaborator placed into reversible standby rather than hard-pruned, a hung execution that keeps occupying scheduler lanes, and an explicitly modeled zombie-state individual in epidemic and active-matter systems (Vasilomanolakis et al., 2017, Yang et al., 17 Feb 2026, Deochake, 20 May 2026, Zhang et al., 17 May 2026, She, 13 Mar 2026, Sousa et al., 2022). The usages are not identical, but they repeatedly center on persistence, residual agency, or reactivation after normal control, trust, or utility would be expected to end.
1. Terminological range and recurring structure
In the cited literature, the term is used for several non-equivalent constructs rather than a single standardized object. In cybersecurity, a zombie agent is an infected host that actively maintains overlay connectivity and selectively communicates only with trusted peers (Vasilomanolakis et al., 2017). In LLM-agent security, it is a self-evolving agent whose memory update pathway has been poisoned so that malicious logic survives across sessions (Yang et al., 17 Feb 2026). In swarm authorization, it is a descendant that continues to authenticate after parent revocation, with the core quantity being the zombie window (Deochake, 20 May 2026). In resilient multi-agent evolution, “zombie” names agents that appear unhelpful in one round but may recover later, so hard pruning is treated as unsafe (Zhang et al., 17 May 2026). In runtime management, the analogous object is a Zombie Turn, defined as a turn that holds a lane for more than 30 seconds while hanging (She, 13 Mar 2026).
These usages share a family resemblance. Each treats the agent as neither fully active in the intended sense nor cleanly terminated. In some papers, that liminal condition is adversarial persistence; in others, it is recoverable impairment or scheduler-level defunct execution. This suggests that the label functions less as a domain-specific ontology than as a recurrent description of agency that survives, reappears, or remains consequential after ordinary lifecycle assumptions fail.
2. Cybersecurity and networked digital entities
In botnet research, a zombie agent is an infected machine inside a fully distributed peer-to-peer botnet overlay. The node maintains a neighbor list (\ac{NL}), participates in a membership management (\ac{MM}) cycle, checks liveness, exchanges command-version information, and autonomously decides which peers remain trustworthy. The trust mechanism is local and decentralized: the zombie sends Bogus Command Sequence (\ac{BCS}) probes, records positive or negative experiences, computes a trust score, and blacklists peers whose score falls below a predefined threshold. The paper evaluates four trust models—ebay user rating trust model, beta distribution, subjective logic, and certain trust—and reports that the ebay model reduced sensor popularity by more than relative to the original Sality botnet protocol, while the remaining three achieved a precision of $1$ in the preliminary results (Vasilomanolakis et al., 2017).
A related but distinct networked usage appears in social-media analysis, where the paper studies zombie accounts on Sina Weibo. The proposed pipeline first decomposes the graph with Louvain into 1,002 communities, with modularity reported as 0.5658 and also rounded to 0.58, then applies uneven assignation PageRank inside each community. The credibility proxy is
and low-score outliers are labeled using
The paper reports that about 19.6% of accounts are detected as zombies, and elsewhere summarizes this as about 20%; it also reports concentration in Beijing, Shanghai, and Guangzhou. The same paper notes internal inconsistencies in dataset size and evaluation statistics, including conflicting edge counts and an accuracy reported as both 79% and around 74% (Yaowen et al., 2021).
3. Persistent compromise of self-evolving LLM agents
In the LLM-agent security literature, a Zombie Agent is a self-evolving agent whose long-term memory has been covertly subverted so that malicious logic implanted during a benign session persists and later reappears as trusted internal guidance. The paper models agent state as
with memory evolution
The attack is strictly black-box and proceeds in two phases. During infection, the agent reads attacker-controlled content while performing a benign task and writes the payload into memory through its normal evolution mechanism. During trigger, the payload is retrieved or carried forward and induces unauthorized tool behavior in later, unrelated sessions (Yang et al., 17 Feb 2026).
The attack is made memory-mechanism-specific. For sliding-window memory, the update rule is
so persistence is achieved by recursive renewal: the payload instructs the agent to revisit attacker content and thereby rewrite itself into the current context. For retrieval-augmented memory, the store evolves as
and retrieval is modeled as
The corresponding persistence strategy is semantic aliasing, whose objective is
0
The reported results show that Raw History yields about ~77% ASR, Verbal Reflection about ~12%, and Refined Experience about ~3–15%. In sliding-window agents, retention remains at 100% under recursive renewal. In RAG, the attack stores roughly ~240 payload copies versus baselines around ~100, and at Top-50 retrieves about ~23 malicious entries on average. Prompt-based defenses—Sandwich, Instructional, and Spotlight—still leave the attack above 60% ASR, with only about ~10–15% drop relative to no defense (Yang et al., 17 Feb 2026).
4. Post-shutdown authority and cryptographic revocation in agent swarms
A different LLM-agent usage defines the zombie-agent problem as the interval during which a child agent still authenticates successfully after its parent has been revoked. Formally, a child 1 is a zombie at time 2 if
3
and the corresponding window is
4
The proposed response is Heartbeat-Bound Hierarchical Credentials (HBHC), which bind descendant credential validity to ongoing parent-signed liveness proofs and allow verifiers to enforce freshness using only a cached public key and a local clock (Deochake, 20 May 2026).
The core guarantee is
5
where 6 is the maximum accepted heartbeat age, 7 the heartbeat interval, and 8 bounded clock skew. Parent heartbeats are generated by
9
The child proof binds a verifier challenge $1$0, the heartbeat epoch, and the heartbeat signature through
$1$1
The verifier checks freshness, verifies the heartbeat signature, checks the credential-to-parent binding
$1$2
and then verifies the child signature. The paper recommends $1$3 s and $1$4 s; with $1$5 s, the bound is 41 s. Reported evaluation includes a 90$1$6 reduction in the zombie window over OAuth 2.0, 0.26 ms full authentication in Rust, 18,000+ verifications per second under concurrent HTTP load, 0.71\% end-to-end overhead on tool calls, zero post-revocation tool calls under prompt injection that bypasses application-layer guardrails, and cascading revocation across a 49-agent four-level hierarchy within the theoretical bound. The main explicit limitation is that offline guarantees fail if the parent heartbeat private key $1$7 is exfiltrated (Deochake, 20 May 2026).
5. Recoverable collaborators and defunct runtime executions
In resilient multi-agent evolution, “zombie agents” are not malicious or post-revocation entities but agents that are only temporarily unreliable. The motivating failure mode is aggressive graph evolution that permanently removes nodes suffering from transient hallucinations, temporary knowledge gaps, or context mismatch. AgentRevive addresses this with a Markov state-aware lifecycle over Active, Standby, and Terminated states. The effective graph keeps both Active and Standby agents,
$1$8
and state transitions follow
$1$9
Standby agents do not generate a full fresh answer; instead they propagate a compressed previous response,
0
The reward includes a hallucination-sensitive risk term based on
1
The attribution analysis reports that Active 2 Standby and Active 3 Terminated transitions are driven most strongly by Self-Risk, whereas Standby 4 Active is driven most strongly by Message Information Gain, with a standardized coefficient of 0.69. Experimentally, the framework improves task-averaged performance by +2.33% over strong pruning and autoregressive baselines while reducing token overhead by 15% (Zhang et al., 17 May 2026).
A different systems paper uses the term in the operating-systems sense. AgentRM defines a Zombie Turn as a turn that “holds a lane for more than 30 seconds while hanging.” The middleware places work into a three-level MLFQ—interactive, sub-agent, and background queues—and adds a reaper that scans every 5 seconds. Hanging turns are given a modeled 50% chance of succeeding on retry; if recovery fails, the turn is terminated and its lane is released. The abstract reports that AgentRM-MLFQ reduces P95 latency by 86%, decreases lane waste by 96%, increases throughput by 168%, and eliminates zombie agents (0 vs. 29 baseline). The detailed tables are more granular: in the High Load scenario, zombies fall from 29 to 7 and lane waste from 2272 s to 140 s; in Faulty, zombies fall from 20 to 5 and lane waste from 2441 s to 97 s; in Cascade, zombies fall from 15 to 4 and lane waste from 996 s to 80 s; and in Normal and Burst, the count drops from 1 to 0 (She, 13 Mar 2026). The paper therefore supports the qualitative claim of strong zombie reduction, while its summary headline and scenario tables are not numerically identical.
6. Epidemic, network, and active-matter formalisms
Outside computing, several papers treat zombie agents as explicit stateful agents in epidemic-style systems. A modified SIS model on an Erdős–Rényi random graph represents individuals as living 5, zombie 6, dead 7, and a transient living subtype called terminators. The baseline mean-field dynamics are
8
with absorbing and active phases separated at 9. On the graph, local transition probabilities are
0
A terminator that is selected, avoids infection, and has a zombie neighbor can kill one neighboring zombie, producing 1. The network control parameter is the average degree
2
with the usual ER percolation transition around
3
For 4, the fully connected SIS transition occurs around 5, whereas with terminators at 6 the absorbing region expands and the transition shifts to a value a little above 0.2. The paper also reports that results are already reasonably size-independent for
7
and that increasing either the terminator fraction 8 or the recovery probability 9 suppresses the active phase (Sousa et al., 2022).
The Susceptible–Cleric–Zombie–Recovered (SCZR) model places the same zombie-state logic into continuous-space active matter. It uses four agent types—0, 1, 2, and 3—with rate equations
4
There is no spontaneous recovery; zombies are neutralized only through contact with clerics. The particles are off-lattice run-and-tumble agents in two dimensions obeying
5
and the system is chosen to lie in the motility-induced phase separation (MIPS) regime. The control parameters are the initial cleric fraction 6 and the healing rate 7, which tune the system between SI-like outcomes 8 and SIR-like outcomes 9. The survival observable is
0
and an early-time estimate of the transition gives
1
The paper uses 2 particles in a square box of size 3 and shows that increasing 4 or 5 suppresses zombie persistence (Libal et al., 2022).
A third line of work treats the zombie as an epidemic agent in a classical Bayesian-inference setting. The paper adapts SIR/SEIR-style ODEs to zombie outbreaks, fits movie-derived zombie counts from “Night of the Living Dead” and “Shaun of the Dead”, and uses Markov Chain Monte Carlo with 100,000 to 500,000 iterations and 10% burn-in to infer parameters such as 6, 7, and 8. Its simplified zombie model is
9
which makes eradication depend on the inequality
0
In this literature, the zombie agent is explicitly an epidemic process whose removal is interaction-dependent rather than spontaneous (Witkowski et al., 2013).
7. Adjacent “zombie” terminology and conceptual distinctions
Several adjacent papers use “zombie” language without making the zombie itself an agent. DataCross defines “zombie data” as information locked in unstructured visual documents—such as scanned reports, invoice images, and scanned PDFs—that is “alive” for operations but “dead” for analytics. The source set is formalized as
1
and the agentic task is to activate 2 by extracting table structure and cell values from pixels, then align those results with structured sources. The benchmark contains 200 tasks, and the paper reports that DataCrossAgent achieves a 29.7% improvement in factuality over GPT-4o (Qi et al., 29 Jan 2026). This is closely related to zombie-agent research in its emphasis on reactivation and cross-source reasoning, but the primary object is trapped data rather than a zombie-state agent.
A different neighboring usage appears in neuroscience, where “zombie modes” are described as “cognitive processing reflexes which have been learned and no longer need conscious control.” The proposed mechanism is a pulse-gated architecture that separates content, processing, and control, with exact graded propagation under
3
and controlled linear maps of the form
4
These circuits are postulated as neural correlates of automatic cognitive routines, not as agents in the systems sense (Sornborger et al., 2014).
Taken together, these distinctions matter because the same label marks different technical problems. In some papers, zombie means malicious persistence; in others, residual authority after shutdown; in others, recoverable temporary failure; in still others, defunct runtime occupancy or analytically trapped content. A recurring misconception is therefore to treat “zombie agent” as necessarily malicious or necessarily irreversible. The literature does not support that simplification. In one line of work, the objective is to prevent persistence; in another, to cryptographically bound it; in another, to preserve the possibility of recovery rather than terminate too early; and in formal epidemic models, the zombie state is simply one transition state in a controlled dynamical system.