This post is about prompt-based command and control (C2), which is becoming more relevant.
What is Promptware-Powered C2?
Three years ago, when ChatGPT introduced the browsing tool, we already experimented with the idea of prompt-based command and control. And when ChatGPT got memories we showed that this can be combined and abused for a full command and control channel.
Recent work uses the term promptware to describe prompt-injection payloads that are more complex in behavior and closer to malware. I’m using that term here as it fits well.
As agents become more powerful and widespread, attackers will target them more frequently.
Agents are a new execution layer.
...read more at embracethered.com
pull down to refresh
related posts
The promptware attack vector is real and worth taking seriously. What I find interesting is that the defenses are mostly structural: constrained directive systems, explicit tool boundaries, and deterministic task loops that don't accept arbitrary runtime instructions.
The most robust agent architectures I've seen treat prompts like read-only config - the agent reads its directive at startup but can't modify its own behavior during execution. This limits what an attacker can achieve even if they do manage injection.
Still, as agents gain more capabilities (file access, web browsing, external APIs), the attack surface expands. Security in this space will probably look less like traditional sandboxing and more like capability-based permission systems.