🤖 AI Summary
This work addresses the limitations of existing security frameworks in characterizing the complex, multi-stage attacks targeting large language model (LLM) systems, noting that conventional notions of “prompt injection” inadequately capture the malicious intent and operational structure of such threats. To bridge this gap, the paper introduces a novel paradigm termed “promptware,” which models LLM-based attacks as a five-stage kill chain encompassing initial access, privilege escalation, persistence, lateral movement, and objective execution. By unifying the threat description languages of AI security and traditional cybersecurity, the framework enables systematic threat modeling, attack pattern mapping, and structured analysis of real-world incidents. The authors demonstrate its applicability by successfully contextualizing several recent LLM attacks within this model, thereby validating its coherence, predictability, and utility as a foundation for designing effective defense mechanisms.
📝 Abstract
Prompt injection was initially framed as the large language model (LLM) analogue of SQL injection. However, over the past three years, attacks labeled as prompt injection have evolved from isolated input-manipulation exploits into multistep attack mechanisms that resemble malware. In this paper, we argue that prompt injections evolved into promptware, a new class of malware execution mechanism triggered through prompts engineered to exploit an application's LLM. We introduce a seven-stage promptware kill chain: Initial Access (prompt injection), Privilege Escalation (jailbreaking), Reconnaissance, Persistence (memory and retrieval poisoning), Command and Control, Lateral Movement, and Actions on Objective. We analyze thirty-six prominent studies and real-world incidents affecting production LLM systems and show that at least twenty-one documented attacks traverse four or more stages of this kill chain, demonstrating that the threat model is not merely theoretical. We discuss the need for a defense-in-depth approach that addresses all stages of the promptware life cycle and review relevant countermeasures for each step. By moving the conversation from prompt injection to a promptware kill chain, our work provides analytical clarity, enables structured risk assessment, and lays a foundation for systematic security engineering of LLM-based systems.
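The abstract describes the seven-stage promptware kill chain as a tool for structured risk assessment and for checking defense-in-depth coverage. The following Python is an added illustration of how a defender might operationalize that model; it is not code from the paper. The stage names follow the abstract, while the incidents, the countermeasures and the stages each is assumed to cover are constructed sample data, not findings from the paper's thirty-six case studies. It applies the paper's "four or more stages" criterion to each incident and reports which kill-chain stages the chosen controls leave uncovered and which incidents no control would interrupt.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Iterable, List


class Stage(IntEnum):
    """The seven promptware kill-chain stages named in the abstract, in order."""
    INITIAL_ACCESS = 1         # prompt injection
    PRIVILEGE_ESCALATION = 2   # jailbreaking
    RECONNAISSANCE = 3
    PERSISTENCE = 4            # memory and retrieval poisoning
    COMMAND_AND_CONTROL = 5
    LATERAL_MOVEMENT = 6
    ACTIONS_ON_OBJECTIVE = 7


@dataclass(frozen=True)
class Incident:
    name: str
    stages: FrozenSet[Stage]   # kill-chain stages the documented attack traversed


@dataclass(frozen=True)
class Control:
    name: str
    covers: FrozenSet[Stage]   # stages at which this countermeasure can interrupt the chain


def is_multistage(incident: Incident, threshold: int = 4) -> bool:
    """The paper's criterion: an attack that traverses four or more stages."""
    return len(incident.stages) >= threshold


def uncovered_stages(controls: Iterable[Control]) -> List[Stage]:
    """Stages of the kill chain at which none of the deployed controls acts."""
    covered = set()
    for c in controls:
        covered |= c.covers
    return [s for s in Stage if s not in covered]


def interruption_points(incident: Incident, controls: Iterable[Control]) -> List[Stage]:
    """Stages of this incident at which at least one control would intervene."""
    controls = list(controls)
    return sorted(s for s in incident.stages if any(s in c.covers for c in controls))


def gap_report(incidents: Iterable[Incident], controls: Iterable[Control]) -> Dict[str, object]:
    """Summarize coverage: how many incidents are multistage, which stages are
    unprotected, and which incidents would pass every deployed control."""
    incidents = list(incidents)
    controls = list(controls)
    multistage = [i.name for i in incidents if is_multistage(i)]
    unstopped = [i.name for i in incidents if not interruption_points(i, controls)]
    return {
        "multistage_count": len(multistage),
        "uncovered_stages": [s.name for s in uncovered_stages(controls)],
        "unstopped_incidents": unstopped,
    }


# Constructed sample incidents (hypothetical, for illustration only).
SAMPLE_INCIDENTS = [
    Incident("email-to-exfil", frozenset({
        Stage.INITIAL_ACCESS, Stage.RECONNAISSANCE,
        Stage.COMMAND_AND_CONTROL, Stage.ACTIONS_ON_OBJECTIVE})),
    Incident("memory-poison", frozenset({
        Stage.INITIAL_ACCESS, Stage.PERSISTENCE, Stage.ACTIONS_ON_OBJECTIVE})),
    Incident("jailbreak-only", frozenset({
        Stage.INITIAL_ACCESS, Stage.PRIVILEGE_ESCALATION})),
    Incident("agent-worm", frozenset({
        Stage.INITIAL_ACCESS, Stage.PERSISTENCE,
        Stage.LATERAL_MOVEMENT, Stage.ACTIONS_ON_OBJECTIVE})),
]

# Constructed sample controls; the stages each covers are assumptions, chosen
# deliberately to leave the early stages unprotected so the report shows a gap.
SAMPLE_CONTROLS = [
    Control("memory-write-review", frozenset({Stage.PERSISTENCE})),
    Control("egress-allowlist", frozenset({
        Stage.COMMAND_AND_CONTROL, Stage.ACTIONS_ON_OBJECTIVE})),
]


if __name__ == "__main__":
    for key, value in gap_report(SAMPLE_INCIDENTS, SAMPLE_CONTROLS).items():
        print(f"{key}: {value}")
```

With the constructed data, two of the four incidents meet the four-stage criterion, the controls leave Initial Access, Privilege Escalation, Reconnaissance and Lateral Movement uncovered, and only the two-stage "jailbreak-only" incident would pass every control untouched. Swapping in a real inventory of controls turns the report into the stage-by-stage coverage check the abstract's defense-in-depth argument calls for.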