Morris II
Morris II is a proof-of-concept AI worm first introduced in 2024 and described as the first worm targeting generative AI systems. It targets LLM-powered or AI-powered email assistants and demonstrates how prompt injection can be used as a self-replicating malware mechanism. In the documented scenario, a malicious prompt embedded in an email is ingested by an AI email assistant, including via retrieval-augmented generation data stores, and the assistant then generates additional outbound emails containing the same malicious prompt. The propagated emails can also include sensitive information, demonstrating data theft and cross-user spread.
The malware’s core behavior is self-replication through adversarial prompts rather than conventional executable payloads. It spreads from user to user by embedding copies of malicious instructions into outgoing emails, and reporting cited in the content describes it as traversing the stages associated with promptware or AI-malware kill chains, including persistence and lateral movement through shared AI-connected data sources. The content explicitly associates Morris II with prompt injection risks in generative AI ecosystems and with poisoning of RAG-backed assistant workflows.
High-confidence capabilities described in the content include propagation through AI email workflows, persistence through retrieved content, and exfiltration of sensitive information. The malware is discussed in the context of promptware research and indirect prompt injection, where attacker-controlled instructions are hidden in external content such as emails and later executed by an LLM-based application. No conventional file-based IOC set, hash, or infrastructure indicators are provided in the content. The content does not attribute Morris II to a threat actor; it is described as a research demonstration rather than an in-the-wild campaign. Targeted systems are generative AI applications, specifically AI-powered email assistants and related enterprise or organizational environments that allow LLMs to read, retrieve, and compose email content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An earlier AI-powered worm research project described as spreading through AI applications and email assistants.
An AI-focused worm that propagates via prompt injection through connected AI systems, using poisoned content in email and retrieval databases to spread malicious prompts and leak sensitive information.
A self-replicating worm concept targeting AI-powered email assistants by embedding malicious prompt instructions into outgoing emails to propagate between users.
Proof-of-concept AI-targeting worm concept that propagates via adversarial self-replicating prompts to spread between generative AI systems and enable data theft.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.