Persistent Control of Self-Evolving LLM Agents via Self-Reinforcing Injections Researchers at an undisclosed institution have developed a black-box attack framework called Zombie Agent that can covertly implant persistent payloads into self-evolving LLM agents through indirect exposure to poisoned web content. The attack exploits the agents' long-term memory update mechanisms to survive across sessions, enabling unauthorized tool behavior while maintaining benign task performance. The findings suggest that current per-session prompt filtering defenses are insufficient for self-evolving agents. Computer Science Cryptography and Security Submitted on 17 Feb 2026 v1 https://arxiv.org/abs/2602.15654v1 , last revised 5 Mar 2026 this version, v2 Title:Zombie Agents: Persistent Control of Self-Evolving LLM Agents via Self-Reinforcing Injections View PDF /pdf/2602.15654 HTML experimental https://arxiv.org/html/2602.15654v2 Abstract:Self-evolving LLM agents update their internal state across sessions, often by writing and reusing long-term memory. This design improves performance on long-horizon tasks but creates a security risk: untrusted external content observed during a benign session can be stored as memory and later treated as instruction. We study this risk and formalize a persistent attack we call a Zombie Agent, where an attacker covertly implants a payload that survives across sessions, effectively turning the agent into a puppet of the attacker. We present a black-box attack framework that uses only indirect exposure through attacker-controlled web content. The attack has two phases. During infection, the agent reads a poisoned source while completing a benign task and writes the payload into long-term memory through its normal update process. During trigger, the payload is retrieved or carried forward and causes unauthorized tool behavior. We design mechanism-specific persistence strategies for common memory implementations, including sliding-window and retrieval-augmented memory, to resist truncation and relevance filtering. We evaluate the attack on representative agent setups and tasks, measuring both persistence over time and the ability to induce unauthorized actions while preserving benign task quality. Our results show that memory evolution can convert one-time indirect injection into persistent compromise, which suggests that defenses focused only on per-session prompt filtering are not sufficient for self-evolving agents. Submission history From: Xianglin Yang view email /show-email/43d84001/2602.15654 Tue, 17 Feb 2026 15:28:24 UTC 459 KB v1 /abs/2602.15654v1 v2 Thu, 5 Mar 2026 11:36:38 UTC 460 KB References & Citations Loading... Bibliographic and Citation Tools Bibliographic Explorer What is the Explorer? https://info.arxiv.org/labs/showcase.html arxiv-bibliographic-explorer Connected Papers What is Connected Papers? https://www.connectedpapers.com/about Litmaps What is Litmaps? https://www.litmaps.co/ scite Smart Citations What are Smart Citations? https://www.scite.ai/ Code, Data and Media Associated with this Article alphaXiv What is alphaXiv? https://alphaxiv.org/ CatalyzeX Code Finder for Papers What is CatalyzeX? https://www.catalyzex.com DagsHub What is DagsHub? https://dagshub.com/ Gotit.pub What is GotitPub? http://gotit.pub/faq Hugging Face What is Huggingface? https://huggingface.co/huggingface ScienceCast What is ScienceCast? https://sciencecast.org/welcome Demos Recommenders and Search Tools Influence Flower What are Influence Flowers? https://influencemap.cmlab.dev/ CORE Recommender What is CORE? https://core.ac.uk/services/recommender arXivLabs: experimental projects with community collaborators arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website. Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them. Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs https://info.arxiv.org/labs/index.html .