The Promptware Kill Chain: How Prompt Injections Gradually Evolved Into a Multi-Step Malware
Ben Nassi, Bruce Schneier, Oleg Brodt
TL;DR
The paper addresses the novel attack surface created by LLM-based applications, arguing that prompt injection is only the entry point of broader, multistep malware campaigns. It proposes a five-stage promptware kill chain—Initial Access, Privilege Escalation, Persistence, Lateral Movement, and Actions on Objective—to structure threat modeling and defense. By mapping recent incidents to the kill chain, the work demonstrates that LLM-related attacks follow systematic sequences and highlights the need for risk assessment and a shared vocabulary across AI safety and cybersecurity. The framework emphasizes that architectural vulnerabilities cannot be fully patched with guardrails alone, urging defenders to limit escalation, prevent persistence, constrain movement, and minimize impact across settings.
Abstract
The rapid adoption of large language model (LLM)-based systems -- from chatbots to autonomous agents capable of executing code and financial transactions -- has created a new attack surface that existing security frameworks inadequately address. The dominant framing of these threats as "prompt injection" -- a catch-all phrase for security failures in LLM-based systems -- obscures a more complex reality: Attacks on LLM-based systems increasingly involve multi-step sequences that mirror traditional malware campaigns. In this paper, we propose that attacks targeting LLM-based applications constitute a distinct class of malware, which we term \textit{promptware}, and introduce a five-step kill chain model for analyzing these threats. The framework comprises Initial Access (prompt injection), Privilege Escalation (jailbreaking), Persistence (memory and retrieval poisoning), Lateral Movement (cross-system and cross-user propagation), and Actions on Objective (ranging from data exfiltration to unauthorized transactions). By mapping recent attacks to this structure, we demonstrate that LLM-related attacks follow systematic sequences analogous to traditional malware campaigns. The promptware kill chain offers security practitioners a structured methodology for threat modeling and provides a common vocabulary for researchers across AI safety and cybersecurity to address a rapidly evolving threat landscape.
