{"slug": "the-promptware-kill-chain", "title": "The Promptware Kill Chain", "summary": "Researchers introduced a seven-stage 'promptware kill chain' showing how prompt injections have evolved into multistep malware delivery mechanisms in large language model systems. Analysis of 36 studies found 21 documented attacks spanning four or more stages, demonstrating the threat is real and requires defense-in-depth approaches.", "body_md": "# Computer Science > Cryptography and Security\n\n[Submitted on 14 Jan 2026 (\n\n[v1](https://arxiv.org/abs/2601.09625v1)), last revised 10 Feb 2026 (this version, v2)]# Title:The Promptware Kill Chain: How Prompt Injections Gradually Evolved Into a Multistep Malware Delivery Mechanism\n\n[View PDF](/pdf/2601.09625)\n\n[HTML (experimental)](https://arxiv.org/html/2601.09625v2)\n\nAbstract:Prompt injection was initially framed as the large language model (LLM) analogue of SQL injection. However, over the past three years, attacks labeled as prompt injection have evolved from isolated input-manipulation exploits into multistep attack mechanisms that resemble malware. In this paper, we argue that prompt injections evolved into promptware, a new class of malware execution mechanism triggered through prompts engineered to exploit an application's LLM. We introduce a seven-stage promptware kill chain: Initial Access (prompt injection), Privilege Escalation (jailbreaking), Reconnaissance, Persistence (memory and retrieval poisoning), Command and Control, Lateral Movement, and Actions on Objective. We analyze thirty-six prominent studies and real-world incidents affecting production LLM systems and show that at least twenty-one documented attacks that traverse four or more stages of this kill chain, demonstrating that the threat model is not merely theoretical. We discuss the need for a defense-in-depth approach that addresses all stages of the promptware life cycle and review relevant countermeasures for each step. By moving the conversation from prompt injection to a promptware kill chain, our work provides analytical clarity, enables structured risk assessment, and lays a foundation for systematic security engineering of LLM-based systems.\n\n## Submission history\n\nFrom: Ben Nassi [[view email](/show-email/388ef138/2601.09625)]\n\n**Wed, 14 Jan 2026 16:57:04 UTC (322 KB)**\n\n[[v1]](/abs/2601.09625v1)**[v2]** Tue, 10 Feb 2026 15:25:24 UTC (776 KB)\n\n### References & Citations\n\nLoading...\n\n# Bibliographic and Citation Tools\n\nBibliographic Explorer\n\n*(*[What is the Explorer?](https://info.arxiv.org/labs/showcase.html#arxiv-bibliographic-explorer))\nConnected Papers\n\n*(*[What is Connected Papers?](https://www.connectedpapers.com/about))\nLitmaps\n\n*(*[What is Litmaps?](https://www.litmaps.co/))\nscite Smart Citations\n\n*(*[What are Smart Citations?](https://www.scite.ai/))# Code, Data and Media Associated with this Article\n\nalphaXiv\n\n*(*[What is alphaXiv?](https://alphaxiv.org/))\nCatalyzeX Code Finder for Papers\n\n*(*[What is CatalyzeX?](https://www.catalyzex.com))\nDagsHub\n\n*(*[What is DagsHub?](https://dagshub.com/))\nGotit.pub\n\n*(*[What is GotitPub?](http://gotit.pub/faq))\nHugging Face\n\n*(*[What is Huggingface?](https://huggingface.co/huggingface))\nScienceCast\n\n*(*[What is ScienceCast?](https://sciencecast.org/welcome))# Demos\n\n# Recommenders and Search Tools\n\nInfluence Flower\n\n*(*[What are Influence Flowers?](https://influencemap.cmlab.dev/))\nCORE Recommender\n\n*(*[What is CORE?](https://core.ac.uk/services/recommender))# arXivLabs: experimental projects with community collaborators\n\narXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.\n\nBoth individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.\n\nHave an idea for a project that will add value for arXiv's community? [ Learn more about arXivLabs](https://info.arxiv.org/labs/index.html).", "url": "https://wpnews.pro/news/the-promptware-kill-chain", "canonical_source": "https://arxiv.org/abs/2601.09625", "published_at": "2026-06-24 16:59:17+00:00", "updated_at": "2026-06-24 17:10:27.755735+00:00", "lang": "en", "topics": ["large-language-models", "ai-safety", "ai-research"], "entities": ["Ben Nassi"], "alternates": {"html": "https://wpnews.pro/news/the-promptware-kill-chain", "markdown": "https://wpnews.pro/news/the-promptware-kill-chain.md", "text": "https://wpnews.pro/news/the-promptware-kill-chain.txt", "jsonld": "https://wpnews.pro/news/the-promptware-kill-chain.jsonld"}}