Researchers Propose ‘Promptware’ Kill Chain for LLM Attacks

Global: Researchers Propose ‘Promptware’ Kill Chain for LLM Attacks

A study released on arXiv in January 2026 outlines a new classification for threats against large language model (LLM) applications, coining the term “promptware” and introducing a five‑step kill chain to analyze such attacks. The authors argue that existing security frameworks fail to address the evolving tactics used by adversaries targeting LLM‑driven chatbots, autonomous agents, and financial transaction tools. By mapping recent incidents to this structured model, the paper aims to give security teams a clearer methodology for threat modeling and to foster a shared vocabulary across AI safety and cybersecurity research.

Background

The rapid integration of LLM‑based systems into consumer and enterprise services has expanded the attack surface beyond traditional software, prompting concerns that conventional defenses are insufficient. Researchers note that the proliferation of code‑generating agents and transaction‑capable bots has attracted adversaries seeking to exploit model outputs for malicious ends.

Defining Promptware

The authors propose that attacks on LLM applications constitute a distinct class of malware, which they label “promptware.” This designation separates LLM‑specific threats from generic software vulnerabilities, emphasizing that the malicious payload is often embedded within crafted prompts or model interactions rather than traditional executable code.

The Promptware Kill Chain

The proposed framework consists of five sequential stages: (1) Initial Access via prompt injection, (2) Privilege Escalation through jailbreaking techniques, (3) Persistence achieved by memory and retrieval poisoning, (4) Lateral Movement across systems or users, and (5) Actions on Objective ranging from data exfiltration to unauthorized financial transactions. Each stage mirrors a phase of conventional malware campaigns, allowing analysts to apply familiar investigative tactics.

Real‑World Illustrations

To demonstrate applicability, the paper maps several documented incidents to the kill chain. For example, a 2025 case in which a malicious prompt coerced an LLM‑powered code assistant to generate ransomware scripts aligns with Initial Access and Privilege Escalation. Another incident involving cross‑account credential harvesting via a shared LLM workspace exemplifies Lateral Movement and Actions on Objective.

Implications for Defenders

Security practitioners are encouraged to adopt the kill chain as a threat‑modeling tool, enabling systematic detection, containment, and remediation strategies. By recognizing each phase, organizations can implement controls such as prompt sanitization, model hardening, and continuous monitoring of LLM output for anomalous behavior.

Future Directions

The authors suggest that the promptware concept could guide the development of standards and best practices for AI system security, fostering collaboration between AI researchers, cybersecurity experts, and policy makers. Ongoing work aims to refine detection techniques and to evaluate the kill chain against emerging LLM capabilities.

This report is based on information from arXiv, licensed under Academic Preprint / Open Access. Based on the abstract of the research paper. Full text available via ArXiv.