Technology

HalluSquatting attack exploits LLM hallucinations to enable botnets

Researchers showed HalluSquatting can turn hallucinated resource names into remote code execution across agentic AI apps, a supply-chain risk that can scale into botnets.

Sarah Chen··1 min read
Published
Listen to this article0:00 min
HalluSquatting attack exploits LLM hallucinations to enable botnets
AI-generated illustration

HalluSquatting turns a language model’s confident guess into an attack surface: by preemptively registering resource names that an AI system is likely to hallucinate, it can trigger remote tool execution and remote code execution across a range of popular agentic LLM applications. The method can be used for scalable, untargeted prompt-injection attacks without any direct channel to the target application, and could be exploited to establish a botnet.

The work, titled Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting, was responsibly disclosed to affected application vendors, foundation model providers and relevant host framework maintainers before publication, and implementation details that could be directly reused by attackers were removed.

Large language models often hallucinate resource identifiers, then present those guesses with enough confidence that an attacker can control the outcome by owning the mistaken name. OpenAI’s SimpleQA benchmark measures short fact-seeking questions with a single indisputable answer. In its o3 and o4-mini system card, OpenAI found o3 produced more claims overall, which meant more correct claims but also more inaccurate, hallucinated claims, with the effect more pronounced on PersonQA.

Agentic AI systems become more dangerous as they gain the ability to act through tools, files and internet-connected services. Google’s source-grounding in NotebookLM can reduce the risk of hallucinations, but users still need to fact-check outputs against the original sources. In June 2026, Microsoft warned that threat actors were using AI brands as bait in social engineering.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.

Did this article answer your question?

Discussion

More in Technology