From: TCOB1 Security Posts
To: All
Subject: CRYPTO-GRAM, March 15, 2026 Part2
Date/Time: April 8, 2026 11:26 AM

, the kill chain concludes with Actions on Objective. The goal of promptware is
not just to make a chatbot say something offensive; it is often to achieve
tangible malicious outcomes through data exfiltration, financial fraud, or even
physical world impact. There are examples of AI agents being manipulated into
selling cars for a single dollar or transferring cryptocurrency to an attacker's
wallet. Most alarmingly, agents with coding capabilities can be tricked into
executing arbitrary code, granting the attacker total control over the AI's
underlying system. The outcome of this stage determines the type of malware
executed by promptware, including infostealer, spyware, and cryptostealer, among
others.

The kill chain was already demonstrated. For example, in the research
"Invitation Is All You Need," attackers achieved initial access by embedding a
malicious prompt in the title of a Google Calendar invitation. The prompt then
leveraged an advanced technique known as delayed tool invocation to coerce the
LLM into executing the injected instructions. Because the prompt was embedded in
a Google Calendar artifact, it persisted in the long-term memory of the user's
workspace. Lateral movement occurred when the prompt instructed the Google
Assistant to launch the Zoom application, and the final objective involved
covertly livestreaming video of the unsuspecting user who had merely asked about
their upcoming meetings. C2 and reconnaissance weren't demonstrated in this
attack.

Similarly, the "Here Comes the AI Worm" research demonstrated another end-to-end
realization of the kill chain. In this case, initial access was achieved via a
prompt injected into an email sent to the victim. The prompt employed a
role-playing technique to compel the LLM to follow the attacker's instructions.
Since the prompt was embedded in an email, it likewise persisted in the
long-term memory of the user's workspace. The injected prompt instructed the LLM
to replicate itself and exfiltrate sensitive user data, leading to off-device
lateral movement when the email assistant was later asked to draft new emails.
These emails, containing sensitive information, were subsequently sent by the
user to additional recipients, resulting in the infection of new clients and a
sublinear propagation of the attack. C2 and reconnaissance weren't demonstrated
in this attack.

The promptware kill chain gives us a framework for understanding these and
similar attacks; the paper characterizes dozens of them. Prompt injection isn't
something we can fix in current LLM technology. Instead, we need an in-depth
defensive strategy that assumes initial access will occur and focuses on
breaking the chain at subsequent steps, including by limiting privilege
escalation, constraining reconnaissance, preventing persistence, disrupting C2,
and restricting the actions an agent is permitted to take. By understanding
promptware as a complex, multistage malware campaign, we can shift from reactive
patching to systematic risk management, securing the critical systems we are so
eager to build.

This essay was written with Oleg Brodt, Elad Feldman and Ben Nassi, and
originally appeared in Lawfare.

** *** ***** ******* *********** *************
Side-Channel Attacks Against LLMs

[2026.02.17] Here are three papers describing different side-channel attacks
against LLMs.

"Remote Timing Attacks on Efficient Language Model Inference":

    Abstract: Scaling up language models has significantly increased their
capabilities. But larger models are slower models, and so there is now an
extensive body of work (e.g., speculative sampling or parallel decoding) that
improves the (average case) efficiency of language model generation. But these
techniques introduce data-dependent timing characteristics. We show it is
possible to exploit these timing differences to mount a timing attack. By
monitoring the (encrypted) network traffic between a victim user and a remote
language model, we can learn information about the content of messages by noting
when responses are faster or slower. With complete black-box access, on open
source systems we show how it is possible to learn the topic of a user's
conversation (e.g., medical advice vs. coding assistance) with 90%+ precision,
and on production systems like OpenAI's ChatGPT and Anthropic's Claude we can
distinguish between specific messages or infer the user's language. We further
show that an active adversary can leverage a boosting attack to recover PII
placed in messages (e.g., phone numbers or credit card numbers) for open source
systems. We conclude with potential defenses and directions for future work.

"When Speculation Spills Secrets: Side Channels via Speculative Decoding in
LLMs":

    Abstract: Deployed large language models (LLMs) often rely on speculative
decoding, a technique that generates and verifies multiple candidate tokens in
parallel, to improve throughput and latency. In this work, we reveal a new
side-channel whereby input-dependent patterns of correct and incorrect
speculations can be inferred by monitoring per-iteration token counts or packet
sizes. In evaluations using research prototypes and production-grade vLLM
serving frameworks, we show that an adversary monitoring these patterns can
fingerprint user queries (from a set of 50 prompts) with over 75% accuracy
across four speculative-decoding schemes at temperature 0.3: REST (100%), LADE
(91.6%), BiLD (95.2%), and EAGLE (77.6%). Even at temperature 1.0, accuracy
remains far above the 2% random baseline -- REST (99.6%), LADE (61.2%), BiLD
(63.6%), and EAGLE (24%). We also show the capability of the attacker to leak
confidential datastore contents used for prediction at rates exceeding 25
tokens/sec. To defend against these, we propose and evaluate a suite of
mitigations, including packet padding and iteration-wise token aggregation.

"Whisper Leak: a side-channel attack on Large Language Models":

    Abstract: Large Language Models (LLMs) are increasingly deployed in
sensitive domains including healthcare, legal services, and confidential
communications, where privacy is paramount. This paper introduces Whisper Leak,
a side-channel attack that infers user prompt topics from encrypted LLM traffic
by analyzing packet size and timing patterns in streaming responses. Despite TLS
encryption protecting content, these metadata patterns leak sufficient
information to enable topic classification. We demonstrate the attack across 28
popular LLMs from major providers, achieving near-perfect classification (often
>98% AUPRC) and high precision even at extreme class imbalance (10,000:1
noise-to-target ratio). For many models, we achieve 100% precision in
identifying sensitive topics like "money laundering" while recovering 5-20% of
target conversations. This industry-wide vulnerability poses significant risks
for users under network surveillance by ISPs, governments, or local adversaries.
We evaluate three mitigation strategies -- random padding, token batching, and
packet injection -- finding that while each reduces attack effectiveness, none
provides compl
--- FMail-lnx 2.3.2.6-B20251227
 * Origin: TCOB1 A Mail Only System (618:500/1)
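An added illustration of the streaming side channel and the padding/batching mitigations the three abstracts above describe. This is example code written for this post, not code from Crypto-Gram or any of the cited papers; the whitespace tokenizer, the four sample responses and the framing-overhead constant are assumptions.

```python
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample responses for four prompt topics; not taken from any paper.
RESPONSES: Dict[str, str] = {
    "medical": "Take two tablets every four hours with water",
    "coding": "Use a list comprehension to filter the items",
    "billing": "Your refund will arrive in five business days",
    "weather": "Sunny skies are expected for most of the week",
}

# Assumed constant: bytes of framing (HTTP chunk + TLS record) added per record.
FRAMING_OVERHEAD = 29


def token_lengths(text: str) -> List[int]:
    """Byte length of each streamed token; whitespace split stands in for a BPE tokenizer."""
    return [len(tok.encode("utf-8")) for tok in text.split()]


def observed_sizes(lengths: List[int], batch: int = 1,
                   bucket: Optional[int] = None) -> List[int]:
    """Record sizes an on-path observer sees for one streamed response.

    batch  - tokens flushed per record (1 = one record per token, the leaky default).
    bucket - if set, every record is padded up to the next multiple of bucket bytes.
    """
    sizes = []
    for i in range(0, len(lengths), batch):
        size = sum(lengths[i:i + batch]) + FRAMING_OVERHEAD
        if bucket:
            size = -(-size // bucket) * bucket  # round up to the bucket boundary
        sizes.append(size)
    return sizes


def distinguishable(responses: Dict[str, str], **mitigation) -> int:
    """Number of responses an observer can still tell apart from size sequences alone."""
    seqs = Counter(tuple(observed_sizes(token_lengths(t), **mitigation))
                   for t in responses.values())
    return len(seqs)


if __name__ == "__main__":
    for label, kw in [("no mitigation", {}), ("pad to 32 B", {"bucket": 32}),
                      ("pad to 64 B", {"bucket": 64}),
                      ("batch 4 + pad 64 B", {"batch": 4, "bucket": 64})]:
        n = distinguishable(RESPONSES, **kw)
        print(f"{label:>20}: {n} of {len(RESPONSES)} responses distinguishable")
```

Even with padding and batching, the record count still separates the nine-token reply from the eight-token ones, so the length of the stream remains a channel that padding of individual records does not close.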