- AI Hallucinations Can Be Weaponized, New Report Warns
- HalluSquatting is short for “squatting adversarial hallucination”
- GitHub Copilot, Gemini CLI and OpenClaw are affected
Your favorite AI service could be subverted to deploy code that turns your phone or PC into a botnet, according to researchers from Intuit, Technion, and Tel Aviv University.
The technique has been named HalluSquatting, an acronym for adversarial squatting, and is similar to typosquatting in that it relies on a bug to distribute malicious code. While typosquatting can occur with incorrect entry of a website URL, HalluSquatting revolves around an LLM not being able to identify a resource or repository with 100% accuracy.
Based on an LLM’s tendency to hallucinate repository resource identifiers, this weakness could be extended to carry out massive ransomware campaigns, botnets, and more.
Push me-pull-you
Previous LLM-based malware operations relied on extraction-based attacks. In this scenario, a message designed to jailbreak or subvert AI is placed (for example) on a website and the LLM is encouraged to collect the information, thereby reducing its internal security.
What the researchers have shared in their paper is that extraction techniques are combined with insertion attacks, which are traditionally executed as code injection.
The introductory abstract of the paper says: “By pre-emptively logging halluSquatting resources, a technique we call adversarial halluSquatting, we demonstrate remote tool and code execution at scale in a variety of popular agent LLM applications, which could be exploited for the establishment of a botnet.”
Once an attacker has identified the resource that was likely misnamed by an LLM and squatted on it (to incorporate adversarial cues), the job is done. All that remains is for a user to activate the resource, the chatbot or AI agent to initiate the response, and the busy resource will be accessed.
Fast software attack
After this, the adversary content contained within the occupied resource is activated, triggering the tool invocation stage. This is the rapid software attack, in which instructions controlled by the attacker are executed, the results of which may include turning the device you are using into a zombie botnet.
LLMs such as Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline coding assistants have been used in testing this attack avenue along with Gemini CLI and AI assistants OpenClaw, ZeroClaw and NanoClaw. The researchers successfully achieved remote tool execution (essentially remotely accessing and controlling LLMs) and remote code execution (RCE, where malicious code is executed remotely).
There are some mitigations available, including LLM developers blocking lookup operations in favor of a search tool, and resource owners enforcing strict naming, perhaps in favor of globally unique resource names. However, they will require collaboration from different parties and may take time to implement.
The risk of LLM-based malware is increasing and some have already been detected in the wild. Of these, the JADEPUFFER attack is perhaps the most notable, as it is not simply AI-based malware, but is a full ransomware attack executed entirely by an LLM.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




