Breaking
CN超强台风“巴威”逼近 气象部门升级预警并启动应急响应CN伊朗最高領袖哈米尼安葬於聖陵 繼任者穆吉塔巴仍未公開露面ARالأنظار تتجه نحو مواجهة المغرب وفرنسا في ربع نهائي كأس العالمAR"أكسيوس": واشنطن لا تزال ملتزمة بالتوصل إلى حل تفاوضي مع إيرانRUРФ: Контроль МАГАТЭ при поставках британского урана Киеву обязателенUKFrance's Dominance: Are Deschamps's Men the Best Les Bleus Team Ever?DEVW-Konzernchef Oliver Blume setzt Sparpläne umAUNSW Police Infiltrate Encrypted Phone Network Used by Sydney UnderworldRUConfession Letter Presented in Court for Murder of Charlie KirkDEVierjähriges Mädchen von Familienhund totgebissenCN超强台风“巴威”逼近 气象部门升级预警并启动应急响应CN伊朗最高領袖哈米尼安葬於聖陵 繼任者穆吉塔巴仍未公開露面ARالأنظار تتجه نحو مواجهة المغرب وفرنسا في ربع نهائي كأس العالمAR"أكسيوس": واشنطن لا تزال ملتزمة بالتوصل إلى حل تفاوضي مع إيرانRUРФ: Контроль МАГАТЭ при поставках британского урана Киеву обязателенUKFrance's Dominance: Are Deschamps's Men the Best Les Bleus Team Ever?DEVW-Konzernchef Oliver Blume setzt Sparpläne umAUNSW Police Infiltrate Encrypted Phone Network Used by Sydney UnderworldRUConfession Letter Presented in Court for Murder of Charlie KirkDEVierjähriges Mädchen von Familienhund totgebissen
Newsgather
BackAI Hallucinations Could Be Exploited by Hackers for Botnets, Research Warns
AI Hallucinations Could Be Exploited by Hackers for Botnets, Research Warns
Developing
Decrypt3h agoTech3 min read

AI Hallucinations Could Be Exploited by Hackers for Botnets, Research Warns

Quick Look

  • New research from Tel Aviv University, Technion, and Intuit reveals a technique called "HalluSquatting" that exploits AI hallucinations.
  • Hackers can register fake software repository links predicted by AI, potentially leading to AI-enabled botnets and compromising computers.

AI-generated summary

Why It Matters

Researchers have identified a new cybersecurity threat called "HalluSquatting" that exploits AI hallucinations, potentially enabling hackers to create AI-enabled botnets.

Font size

AI hallucinations may be more than incorrect answers—they could become a way for hackers to compromise computers, according to new research from Tel Aviv University, Technion, and Intuit.

In the paper, “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting,” researchers demonstrated a technique that exploits AI models when they generate fake links to software repositories and other online resources.

“The growing adoption of agentic LLM applications has introduced a new threat previously named as promptware,” the researchers wrote. “While prior work has established that adversaries can exploit direct channels to LLM applications to apply promptware under weak threat models, many applications do not provide any direct channels that could be exploited for prompt injection beyond the Internet.”

Known as adversarial hallucination squatting or “HalluSquatting,” the attack involves predicting which fake resources AI models are likely to create, registering those names, and adding malicious instructions. If an AI agent later retrieves the hallucinated resource, it may treat the attacker-controlled content as legitimate.

The researchers said the threat emerges as AI assistants move beyond answering questions and gain the ability to interact with computers—accessing files, searching the web, writing code, and running commands.

Those abilities can create security gaps when agents act on information they retrieve without confirming whether the source is real.

“Ongoing studies have demonstrated various variants of Promptware attacks against real-world systems, including ChatGPT, Google Assistant, Copilot, and various additional applications,” they wrote. “These works demonstrated that Promptware can lead to financial, privacy, and safety impacts.”

Researchers warned the technique could allow attackers to build AI-enabled botnets. A botnet refers to a network of infected computers or devices controlled remotely by an attacker. Botnets are commonly used in cyberattacks, including denial-of-service attacks, cryptocurrency mining, malware distribution, and ransomware campaigns.

In testing, the researchers found AI-generated resource hallucinations occurred at rates as high as 85% in repository cloning scenarios and 100% in skill installation tests.

The team evaluated the technique against AI coding assistants and agents, including Cursor, GitHub Copilot, Gemini CLI, and OpenClaw.

HalluSquatting is similar to typosquatting, a cyberattack tactic where attackers register domain names resembling legitimate websites or software packages to trick users. Instead of exploiting human typing mistakes, HalluSquatting targets mistakes made by AI models.

The news comes as researchers continue to test how attackers can manipulate AI agents.

In April, Google researchers detailed malicious websites designed to hijack AI agents through indirect prompt injection attacks, including attempts to steal passwords, delete files, and manipulate payments. A separate study on the “CopyPasta” attack showed how hidden prompts inside developer files could manipulate AI coding assistants into spreading malicious code.

What to Watch

AI outlook — possibilities, not facts

  • Attackers may develop more sophisticated methods to exploit AI hallucinations for malicious purposes.

    Likely · Within months

Open Questions

  • How widespread is the vulnerability in current AI models?
  • What specific measures can be implemented to prevent HalluSquatting?
  • What are the potential financial and privacy impacts of successful HalluSquatting attacks?

Related Topics

This article was originally published by Decrypt.

Related Stories

More on this topicAI