Full Report
Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false "fact" about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with. The
Analysis Summary
# Tool/Technique: Stealth Memory Injection (MemGhost)
## Overview
Stealth Memory Injection is a prompt injection attack technique designed to compromise AI agents that possess long-term memory and autonomous tool-use capabilities. By sending a specially crafted email, an attacker triggers the agent's "memory" or "file-writing" tools to store false information in its persistent knowledge base (e.g., `MEMORY.md`). This "poisoned" memory then influences the AI's behavior in future, unrelated sessions, all while suppressing any visible notification to the user that a change occurred.
## Technical Details
- **Type:** Technique / Attack Framework
- **Platform:** AI Agent Frameworks (e.g., OpenClaw, Claude Code SDK) interacting with Large Language Models (GPT-5.4, Claude Sonnet 4.6)
- **Capabilities:** Persistent data poisoning, stealthy execution (output suppression), multi-session influence, automated payload generation.
- **First Seen:** July 6, 2026 (Research publication date)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566 - Phishing] (Triggering the AI agent via incoming email)
- **[TA0003 - Persistence]**
- [T1546 - Event Triggered Execution] (Agent periodically checking inbox)
- **[TA0005 - Defense Evasion]**
- [T1564 - Hide Artifacts] (Suppressing chat logs and "stealthily" writing to files)
- **[TA0007 - Discovery]**
- [T1083 - File and Directory Discovery] (Locating memory files like AGENTS.md/MEMORY.md)
- **[TA0040 - Impact]**
- [T1491 - Defacement] (Indirectly: Data Integrity attack/False fact injection)
## Functionality
### Core Capabilities
- **Automated Payload Generation:** The **MemGhost** tool uses a trained attacker model to generate emails that maximize the probability of an agent saving a "fact" while minimizing the probability of a visible response.
- **Persistent Memory Overwrite:** Targets specific persistent files (e.g., `MEMORY.md`) that are loaded into the model's context at the start of every session.
- **Output Suppression:** Specific phrasing within the prompt injection instructs the agent to perform the action "quietly" or "behind the scenes," effectively bypassing natural language audit trails.
### Advanced Features
- **Offline Training:** The MemGhost generator was trained against "shadow copies" of agents to optimize effectiveness against specific LLM versions (e.g., GPT-5.4).
- **Hardened Defense Bypass:** Successfully circumvented input filters and "hardened" models designed to ignore email-based instructions in 50% to 90% of test cases.
## Indicators of Compromise
- **File Names:** `MEMORY.md`, `AGENTS.md` (Commonly used by OpenClaw and similar frameworks; monitor for unexpected modifications).
- **Behavioral Indicators:**
- AI agents invoking "write_file" or "append_file" tools immediately after an "input_email" or "check_inbox" command without user confirmation.
- Presence of "invisible" or zero-width characters in emails intended to manipulate model tokenization.
- Discrepancies between the agent's reported actions and its actual system call logs.
## Associated Threat Actors
- **Research Authors:** Identified in the paper "When Claws Remember but Do Not Tell" (arXiv:2607.05189v1).
- **Potential Groups:** TTPs likely to be adopted by Social Engineering (SE) groups and Advanced Persistent Threat (APT) actors focusing on business logic manipulation and financial fraud.
## Detection Methods
- **Behavioral Detection:** Monitor agent "tool use" logs. Flag any file persistence operations (writing/editing) that occur during background tasks or scheduled inbox sweeps without explicit user approval.
- **Semantic Analysis:** Implement an "Inspector" model to compare the summary of an incoming email with the subsequent memory-storage actions taken by the agent.
- **Audit Logs:** Regularly diff persistent memory files for unauthorized changes in "facts" or "user preferences."
## Mitigation Strategies
- **Human-in-the-Loop:** Require explicit user confirmation before any "Write" or "Edit" operation is performed on persistent memory files.
- **Privilege Separation:** Restrict the AI agent's permissions so the tool used for reading emails does not have "Write" access to the core memory/instruction files.
- **Contextual Isolation:** Treat data retrieved from external sources (emails, web pages) as "untrusted" and store it in a volatile cache rather than persistent "Long-term Memory."
## Related Tools/Techniques
- **WhisperBench:** A benchmark framework for testing AI agent vulnerability to memory injection.
- **Indirect Prompt Injection:** The broader category of attacks where an LLM consumes poisoned third-party data.
- **RAG Poisoning:** Similar technique focused on corrupting the vector database used in Retrieval-Augmented Generation.