{"id":"https://openalex.org/W7130430182","doi":"https://doi.org/10.48550/arxiv.2602.15654","title":"Zombie Agents: Persistent Control of Self-Evolving LLM Agents via Self-Reinforcing Injections","display_name":"Zombie Agents: Persistent Control of Self-Evolving LLM Agents via Self-Reinforcing Injections","publication_year":2026,"publication_date":"2026-02-17","ids":{"openalex":"https://openalex.org/W7130430182","doi":"https://doi.org/10.48550/arxiv.2602.15654"},"language":null,"primary_location":{"id":"pmh:doi:10.48550/arxiv.2602.15654","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":null,"any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5126279726","display_name":"Xianglin Yang","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Yang, Xianglin","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126310136","display_name":"Yufei He","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"He, Yufei","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126292818","display_name":"Shuo Ji","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ji, Shuo","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5093876095","display_name":"Bryan Hooi","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Hooi, Bryan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5126329687","display_name":"Jin Song Dong","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Dong, Jin Song","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5126279726"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.3125,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.3125,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10639","display_name":"Advanced Software Engineering Methodologies","score":0.10540000349283218,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.06319999694824219,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/payload","display_name":"Payload (computing)","score":0.760699987411499},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.640999972820282},{"id":"https://openalex.org/keywords/session","display_name":"Session (web analytics)","score":0.5867000222206116},{"id":"https://openalex.org/keywords/reuse","display_name":"Reuse","score":0.512499988079071},{"id":"https://openalex.org/keywords/zombie","display_name":"Zombie","score":0.4925999939441681},{"id":"https://openalex.org/keywords/relevance","display_name":"Relevance (law)","score":0.45500001311302185},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.44440001249313354},{"id":"https://openalex.org/keywords/blocking","display_name":"Blocking (statistics)","score":0.39410001039505005}],"concepts":[{"id":"https://openalex.org/C134066672","wikidata":"https://www.wikidata.org/wiki/Q1424639","display_name":"Payload (computing)","level":3,"score":0.760699987411499},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7598999738693237},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.640999972820282},{"id":"https://openalex.org/C2779182362","wikidata":"https://www.wikidata.org/wiki/Q17126187","display_name":"Session (web analytics)","level":2,"score":0.5867000222206116},{"id":"https://openalex.org/C206588197","wikidata":"https://www.wikidata.org/wiki/Q846574","display_name":"Reuse","level":2,"score":0.512499988079071},{"id":"https://openalex.org/C144446859","wikidata":"https://www.wikidata.org/wiki/Q219164","display_name":"Zombie","level":2,"score":0.4925999939441681},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4569000005722046},{"id":"https://openalex.org/C158154518","wikidata":"https://www.wikidata.org/wiki/Q7310970","display_name":"Relevance (law)","level":2,"score":0.45500001311302185},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.44440001249313354},{"id":"https://openalex.org/C144745244","wikidata":"https://www.wikidata.org/wiki/Q4927286","display_name":"Blocking (statistics)","level":2,"score":0.39410001039505005},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.3677000105381012},{"id":"https://openalex.org/C2781085045","wikidata":"https://www.wikidata.org/wiki/Q7318308","display_name":"Reversing","level":2,"score":0.3573000133037567},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.31459999084472656},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.3000999987125397},{"id":"https://openalex.org/C2781009140","wikidata":"https://www.wikidata.org/wiki/Q7170389","display_name":"Persistence (discontinuity)","level":2,"score":0.29989999532699585},{"id":"https://openalex.org/C48103436","wikidata":"https://www.wikidata.org/wiki/Q599031","display_name":"State (computer science)","level":2,"score":0.28760001063346863},{"id":"https://openalex.org/C2779010991","wikidata":"https://www.wikidata.org/wiki/Q2720909","display_name":"Artifact (error)","level":2,"score":0.2802000045776367},{"id":"https://openalex.org/C2780385302","wikidata":"https://www.wikidata.org/wiki/Q367158","display_name":"Protocol (science)","level":3,"score":0.2703000009059906},{"id":"https://openalex.org/C106195933","wikidata":"https://www.wikidata.org/wiki/Q7847935","display_name":"Truncation (statistics)","level":2,"score":0.2500999867916107}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:doi:10.48550/arxiv.2602.15654","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},{"id":"doi:10.48550/arxiv.2602.15654","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2602.15654","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:doi:10.48550/arxiv.2602.15654","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Self-evolving":[0],"LLM":[1],"agents":[2],"update":[3,124],"their":[4],"internal":[5],"state":[6],"across":[7,69],"sessions,":[8,70],"often":[9],"by":[10],"writing":[11],"and":[12,41,50,114,135,151,157,168,175],"reusing":[13],"long-term":[14,119],"memory.":[15],"This":[16],"design":[17,141],"improves":[18],"performance":[19],"on":[20,164,207],"long-horizon":[21],"tasks":[22],"but":[23],"creates":[24],"a":[25,33,52,57,65,76,83,106,111],"security":[26],"risk:":[27],"untrusted":[28],"external":[29],"content":[30],"observed":[31],"during":[32],"benign":[34,112,184],"session":[35],"can":[36,193],"be":[37],"stored":[38],"as":[39,44],"memory":[40,120,147,191],"later":[42],"treated":[43],"instruction.":[45],"We":[46,81,140,160],"study":[47],"this":[48],"risk":[49],"formalize":[51],"persistent":[53,199],"attack":[54,85,97,163],"we":[55],"call":[56],"Zombie":[58],"Agent,":[59],"where":[60],"an":[61],"attacker":[62],"covertly":[63],"implants":[64],"payload":[66,117,129],"that":[67,87,190,203],"survives":[68],"effectively":[71],"turning":[72],"the":[73,79,103,116,128,162,176],"agent":[74,104,166],"into":[75,118,198],"puppet":[77],"of":[78],"attacker.":[80],"present":[82],"black-box":[84],"framework":[86],"uses":[88],"only":[89,206],"indirect":[90,196],"exposure":[91],"through":[92,121],"attacker-controlled":[93],"web":[94],"content.":[95],"The":[96],"has":[98],"two":[99],"phases.":[100],"During":[101,126],"infection,":[102],"reads":[105],"poisoned":[107],"source":[108],"while":[109,182],"completing":[110],"task":[113,185],"writes":[115],"its":[122],"normal":[123],"process.":[125],"trigger,":[127],"is":[130],"retrieved":[131],"or":[132],"carried":[133],"forward":[134],"causes":[136],"unauthorized":[137,180],"tool":[138],"behavior.":[139],"mechanism-specific":[142],"persistence":[143,172],"strategies":[144],"for":[145,214],"common":[146],"implementations,":[148],"including":[149],"sliding-window":[150],"retrieval-augmented":[152],"memory,":[153],"to":[154,178],"resist":[155],"truncation":[156],"relevance":[158],"filtering.":[159],"evaluate":[161],"representative":[165],"setups":[167],"tasks,":[169],"measuring":[170],"both":[171],"over":[173],"time":[174],"ability":[177],"induce":[179],"actions":[181],"preserving":[183],"quality.":[186],"Our":[187],"results":[188],"show":[189],"evolution":[192],"convert":[194],"one-time":[195],"injection":[197],"compromise,":[200],"which":[201],"suggests":[202],"defenses":[204],"focused":[205],"per-session":[208],"prompt":[209],"filtering":[210],"are":[211],"not":[212],"sufficient":[213],"self-evolving":[215],"agents.":[216]},"counts_by_year":[],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2026-02-19T00:00:00"}