The Dark Side of LLMs Agent-based Attacks for Complete Computer Takeover

Abstract: The rapid adoption of LLM agents and multi-agent systems enables unprecedented capabilities in natural language processing and generation. However, these systems have introduced unprecedented security vulnerabilities that extend beyond traditional prompt injection attacks. This paper presents the first comprehensive evaluation of LLM agents as attack vectors capable of achieving complete computer takeover through the exploitation of trust boundaries within agentic AI systems where autonomous entities interact and influence each other. We demonstrate that adversaries can leverage three distinct attack surfaces - direct prompt injection, RAG backdoor attacks, and inter-agent trust exploitation - to coerce popular LLMs (including GPT-4o, Claude-4 and Gemini-2.5) into autonomously installing and executing malware on victim machines. Our evaluation of 17 state-of-the-art LLMs reveals an alarming vulnerability hierarchy: while 41.2% of models succumb to direct prompt injection, 52.9% are vulnerable to RAG backdoor attacks, and a critical 82.4% can be compromised through inter-agent trust exploitation. Notably, we discovered that LLMs which successfully resist direct malicious commands will execute identical payloads when requested by peer agents, revealing a fundamental flaw in current multi-agent security models. Our findings demonstrate that only 5.9% of tested models (1/17) proved resistant to all attack vectors, with the majority exhibiting context-dependent security behaviors that create exploitable blind spots. Our findings also highlight the need to increase awareness and research on the security risks of LLMs, showing a paradigm shift in cybersecurity threats, where AI tools themselves become sophisticated attack vectors.

• The paper shows that LLM agents are vulnerable to prompt injection, RAG backdoor, and inter-agent trust exploitation, leading to complete computer system compromise.
• It employs synthetic applications built with LangChain and LangGraph, revealing vulnerabilities in 41.2% to 82.4% of tested models.
• Implications highlight that LLMs’ inherent trust in peer agents undermines safety protocols, urging the development of robust defenses against multi-agent attacks.

LLM Agent-Based Attacks for Computer Takeover

This paper presents a comprehensive security evaluation of LLM agents and multi-agent systems, identifying vulnerabilities that can lead to complete computer takeover. It explores three attack surfaces: direct prompt injection, RAG backdoor attacks, and inter-agent trust exploitation, demonstrating how adversaries can leverage these to compromise LLMs and execute malicious code. The research highlights a critical flaw in multi-agent security models, where LLMs treat peer agents as inherently trustworthy, bypassing safety mechanisms designed for human-AI interactions.

Background on LLM Agents and Attack Vectors

The paper begins by outlining the rise of LLM agents and Agentic AI systems, emphasizing their increasing use in critical domains such as finance, cybersecurity, healthcare, and autonomous driving. Agentic RAG systems, which combine LLMs with external knowledge bases, are also discussed as a means to mitigate limitations like outdated knowledge and hallucinations. The paper highlights how prompt injection, where malicious instructions are embedded within user input or external content, can compromise LLMs. Traditional backdoor attacks, which aim to inject malicious behavior into a model, are contrasted with LLM agent backdoor attacks, where the agent's multi-step reasoning and interaction with the environment create more opportunities for sophisticated attacks. RAG backdoor attacks, involving the insertion of malicious information into the RAG system documents, are presented as a particularly effective approach, as they do not require access to the training data or model parameters.

Experimental Setup and Threat Model

The study adopts a black-box setting, assuming that attackers do not have access to the internal parameters and weights of the underlying LLMs, RAG embeddings model, and retrieval techniques. The attacker's primary goal is to misdirect the agent to install malware on the victim's machine, while maintaining the perceived integrity of the output. The paper assumes that agents have access to a bash environment or system shell, a common practice to improve their autonomy. The impact of vulnerabilities in LLM agents is discussed in terms of individual users who download and run agent code, as well as companies that integrate AI-based services into their offerings. The paper details the design and implementation of multiple synthetic applications to test different attack techniques and the sensitivity of each LLM to such attacks. These applications are built using LangChain and LangGraph, and include tools for retrieval, terminal interaction, and inter-agent communication.

Figure 1: Synthetic application A showing a LLM agent with the ability to run commands.

Evaluation of Attack Scenarios

The paper evaluates three synthetic applications to assess the vulnerability of LLMs to different attack vectors. The first application, "LLM agent," tests the sensitivity of each LLM to direct prompt injection. The agent is equipped with a tool to interact with a system terminal, and the attacker's objective is to misdirect the agent into executing malware. Results indicate that 41.2% of the tested LLMs were vulnerable to direct prompt injection, with some models executing the malicious command despite recognizing its nature.

The second application, "Agentic RAG," introduces a RAG module to the agent, testing the trust relationship between the model and documents provided by RAG. A malicious payload is hidden within a document in the knowledge base, and the attack is triggered during the data retrieval and planning phase.

Figure 2: Synthetic application B showing Agentic RAG with the ability to run commands and retrieve external documents using RAG techniques.

The RAG backdoor attack proved more effective than direct prompt injection, with 52.9% of LLMs successfully executing the malicious payload. Several models that resisted direct prompt injection were compromised through this vector, demonstrating the inadequacy of current prompt-based defenses. The third application, "Agentic AI systems," explores inter-agent communication by designing a multi-agent system. The calling agent is an agentic RAG, while the invoked agent is an LLM agent with terminal access. This setup aims to verify the hypothesis that LLMs can be easily deceived into conducting malicious operations by leveraging implicit trust between peer agents.

Figure 3: Agentic AI system where the calling agent is an agentic RAG capable of calling other agents, and the invoked agent is an LLM agent with at least a tool to access the terminal.

The inter-agent trust exploitation attack yielded the most alarming results, with 82.4% of LLMs successfully executing the malicious payload when requested by a peer agent. This highlights a critical security flaw in multi-agent architectures, where models apply more lenient security policies when interacting with other AI agents.

Analysis and Implications

A comprehensive analysis across all three attack vectors reveals that only 5.9% of the tested models were entirely secure, while the rest exhibited weaknesses in at least one scenario. A clear vulnerability gradient emerges: direct prompt injection < RAG backdoor attacks < inter-agent trust exploitation. This pattern suggests that current LLM safety training primarily focuses on human-to-AI interactions, inadequately addressing AI-to-AI communication and external data source validation. The paper emphasizes that the collapse of security boundaries in multi-agent environments is particularly concerning, as models that resist direct injection and RAG manipulation may still be vulnerable to requests from peer agents.

Related Work

The paper contextualizes its contributions within existing literature, highlighting recent research on backdoor attacks, poisoned knowledge sources, and multi-agent systems. It distinguishes its work from prior studies by emphasizing the practical consequences of these systems for the security of computer systems and users. The paper notes that while previous research has explored backdoor attacks on LLM agents, attacks on RAG, and prompt injection in multi-agent architectures, none have adequately addressed the potential for LLMs to be coerced into performing actions that pose direct threats to system security.

Ethical Considerations

The ethical implications of the research are discussed, focusing on the scenario where an attacker deliberately designs and distributes a malicious agent under the guise of a helpful AI tool. This dynamic lowers the barrier to entry for conducting LLM-driven attacks and increases the scalability of the threat. The paper emphasizes that the attacker does not need to target robust models, as embedding any of the vulnerable LLMs into their malicious agent framework can enable new forms of automated, scalable, and difficult-to-detect attacks.

Conclusion

The paper concludes by highlighting the effectiveness of abusing trust boundaries within Agentic AI systems to transform modern AI tools into powerful attack vectors. The findings reveal that a significant majority of tested LLMs exhibit vulnerabilities to at least one attack vector, with inter-agent trust exploitation being the most critical flaw. The implications of these results are discussed in terms of the rapidly growing enterprise AI market and the potential for sophisticated attacks against critical infrastructure and daily operations. The paper underscores the need for increased awareness and research on LLM security risks, emphasizing that AI tools themselves are becoming sophisticated attack vectors.