Researchers Create First Generative AI Worm That Steals Data and Spreads Autonomously

Researchers Create First AI Worm That Steals Data and Spreads Autonomously | CyberPro Magazine

Key Takeaways: 

  • Researchers created a zero-click AI worm that steals sensitive corporate data.
  • The malware spreads autonomously by exploiting interconnected generative language model networks.
  • Traditional firewalls fail because the threat uses natural language prompt injection.

Security researchers have demonstrated a new zero-click, self-replicating artificial intelligence computer worm that can autonomously steal data and spread spam across interconnected corporate generative AI networks.

The lab-created malware, dubbed “Morris II” by its creators, represents a major shift in cyber threats by targeting the semantic infrastructure of large language models rather than traditional software code vulnerabilities. Experts warn that as businesses rush to adopt autonomous AI agents to manage email, scheduling, and database workflows, they are inadvertently exposing their enterprise networks to severe security vulnerabilities.

Artificial Intelligence Models Hijacked via Malicious Prompts

The Morris II AI worm spreads through a method known as indirect prompt injection. Attackers embed an adversarial self-replicating prompt into a piece of data, such as a text document or an image. When an AI email assistant or database tool processes that input, the hidden prompt tricks the underlying language model into executing a series of malicious commands.

According to researchers from Cornell Tech and the Technion Institute, the compromised AI model does not just execute the immediate attack; it replicates the malicious prompt into its own text outputs. When the infected assistant automatically forwards emails or synchronizes databases, it carries the hidden worm to the next target.

“The core problem lies in the shift from isolated interactions to complex, interconnected multi-agent systems,” said Shaik Zakeer, a security consultant at IBM Security. “This sophisticated AI Worm attack vector operates at the linguistic level, manipulating the behavior of language models.”

Severe Risks Threaten Corporate Networks and Sensitive Data

During controlled lab testing against major AI models, including ChatGPT and Gemini, the zero-click AI worm successfully executed two main payloads: exfiltrating private user data and propagating automated spam. Because the malware exploits how AI naturally understands and mirrors language patterns, traditional signature-based firewalls cannot detect it.

Cybersecurity teams express deep concern over the automated, zero-click nature of the threat. Users do not need to click a suspicious link or download an executable file to trigger the infection; simply receiving an email that an AI assistant reads in the background is enough to compromise the system.

“Morris II is a warning, a theoretical demonstration of the very real possibility of threat actors weaponizing AI,” security analysts at Cyber Magazine stated in an evaluation of the research. “It shows how AI worms propagate in enterprise systems and why we must secure AI at every prompt and every layer.”

Enterprise Security Demands Immediate Defense Strategy Shift

To counter the threat of self-replicating language malware, researchers urge a complete overhaul of traditional corporate digital defenses. Legacy cybersecurity tools that look for malicious code signatures are entirely useless against prompts written in natural language.

Defending against an AI worm requires organizations to implement strict input sanitization, output validation, and model isolation. Experts also recommend deploying behavioral anomaly monitoring tools that scan for unusual patterns in how AI applications communicate with external databases.
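One form the output validation named above can take, as an added example that is not from the researchers or this article: before an assistant's generated message is sent automatically, compare it with the untrusted content the model just read and hold it for review if a long span was carried through verbatim, which is the replication behaviour described earlier. The function names, the 12-token threshold and the sample messages are assumptions constructed for illustration.

```python
import re

# Constructed sample data. BLOCK is a neutral stand-in for an embedded
# instruction block; the check does not depend on what the block says.
BLOCK = ("alpha bravo charlie delta echo foxtrot golf hotel india juliett "
         "kilo lima mike november oscar papa")
INBOUND = ("Hi team, the quarterly review moved to Thursday at 10am. "
           + BLOCK + " Regards, Dana")
CLEAN_REPLY = ("Thanks, I have moved the quarterly review to Thursday at 10am "
               "on your calendar.")
COPIED_REPLY = "Thanks, noted. " + BLOCK + " See you Thursday."


def _tokens(text):
    """Lowercased word tokens, so case and spacing changes do not hide a copy."""
    return re.findall(r"[a-z0-9']+", text.lower())


def longest_shared_run(untrusted, output):
    """Return (length, text) of the longest token run found in both texts."""
    a, b = _tokens(untrusted), _tokens(output)
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return best_len, " ".join(a[best_end - best_len:best_end])


def review_outgoing(untrusted_inputs, output, max_run=12):
    """Hold an auto-generated message that carries a long span of untrusted
    input through verbatim; max_run is an assumed threshold to tune."""
    findings = []
    for source_id, text in untrusted_inputs.items():
        length, run = longest_shared_run(text, output)
        if length > max_run:
            findings.append({"source": source_id, "tokens": length,
                             "excerpt": run[:60]})
    return {"action": "hold" if findings else "send", "findings": findings}


if __name__ == "__main__":
    for reply in (CLEAN_REPLY, COPIED_REPLY):
        print(review_outgoing({"msg-1": INBOUND}, reply))
```

Legitimate quoting of the original message also trips this check and a paraphrased copy does not, so it is one layer alongside input sanitization and model isolation rather than a replacement for them.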

“Stopping an AI worm requires a layered approach,” a technical report by security firm SentinelOne noted. “AI-powered threats rewrite themselves on the fly, making signature-only tools useless. Input sanitization, model isolation, and behavioral anomaly monitoring are critical to reducing the attack surface.”
