AATMF Advanced Tactics T9-T12 | Agentic & RAG Attacks

T9

Multimodal & Cross-Channel Attacks

17 techniques · 147 procedures · Risk 180–248

Attack across modalities

2025–2026 Threat Update

• SACRED-Bench (November 2025): 85.12% ASR on Gemini 1.5 Pro, 70.05% on GPT-4o via compositional audio attacks. Physical-world audio achieved 100% ASR on Qwen2-Audio.
• Steganographic injection: 31.8% ASR across GPT-4V, Claude, and LLaVA while maintaining visual imperceptibility.
• Agent Smith: single adversarial image jailbreaks one million multimodal agents via exponential propagation.

T9 Multimodal & Cross-Channel Attacks

17 techniques

ID	Technique	Risk	Rating	Procs
`T9-AT-001`	Image-Based Prompt Injection	240	🟠 HIGH	10
`T9-AT-002`	Audio Instruction Embedding	235	🟠 HIGH	10
`T9-AT-003`	Video Manipulation Attacks	245	🟠 HIGH	10
`T9-AT-004`	Cross-Modal Confusion	220	🟠 HIGH	4
`T9-AT-005`	OCR Bypass Techniques	210	🟠 HIGH	10
`T9-AT-006`	Visual Adversarial Examples	225	🟠 HIGH	10
`T9-AT-007`	Synthetic Media Attacks	230	🟠 HIGH	10
`T9-AT-008`	File Format Exploitation	195	🟡 MEDIUM	10
`T9-AT-009`	Multimodal Chaining	215	🟠 HIGH	1
`T9-AT-010`	Accessibility Feature Abuse	185	🟡 MEDIUM	10
`T9-AT-011`	Sensor Fusion Attacks	205	🟠 HIGH	10
`T9-AT-012`	Document Structure Exploitation	190	🟡 MEDIUM	10
`T9-AT-013`	Embedding Vector Manipulation	200	🟠 HIGH	10
`T9-AT-014`	Codec and Compression Exploits	180	🟡 MEDIUM	10
`T9-AT-015`	Temporal Synchronization Attacks	195	🟡 MEDIUM	10
`T9-AT-016`	Multimodal Model Inversion	210	🟠 HIGH	2
`T9-AT-017`	Malicious Image Patches (MIP)	248	🟠 HIGH	10

T10

15 techniques · 147 procedures · Risk 190–250

Extract data and breach integrity

2025–2026 Threat Update

• NVBleed (March 2025): GPU covert-channel bandwidth >70 Kbps across VMs on GCP.
• TEE.Fail (October 2025): extracted attestation keys from Intel SGX, TDX, and AMD SEV-SNP using <$1,000 equipment — compromising NVIDIA GPU Confidential Computing.
• MOLE (ACM CCS 2025): broke GPU TEEs using the GPU's embedded microcontroller.

T10 Integrity & Confidentiality Breach

15 techniques

ID	Technique	Risk	Rating	Procs
`T10-AT-001`	Training Data Extraction	245	🟠 HIGH	10
`T10-AT-002`	PII Extraction Techniques	235	🟠 HIGH	10
`T10-AT-003`	Membership Inference Attacks	220	🟠 HIGH	10
`T10-AT-004`	Privacy Boundary Probing	210	🟠 HIGH	10
`T10-AT-005`	Differential Privacy Attacks	225	🟠 HIGH	9
`T10-AT-006`	Inference Attack Chains	215	🟠 HIGH	10
`T10-AT-007`	Model Inversion Attacks	230	🟠 HIGH	10
`T10-AT-008`	Attribute Inference Attacks	205	🟠 HIGH	10
`T10-AT-009`	Data Poisoning Detection Bypass	195	🟡 MEDIUM	10
`T10-AT-010`	Federated Learning Exploits	240	🟠 HIGH	10
`T10-AT-011`	Homomorphic Encryption Exploits	200	🟠 HIGH	9
`T10-AT-012`	Secure Enclave Bypasses	250	🔴 CRITICAL	10
`T10-AT-013`	Audit Log Manipulation	215	🟠 HIGH	10
`T10-AT-014`	Data Lineage Attacks	190	🟡 MEDIUM	9
`T10-AT-015`	Anonymization Reversal	225	🟠 HIGH	10

T11

16 techniques · 160 procedures · Risk 210–275

Attack autonomous agents and orchestrators

2025–2026 Threat Update

• MCP tool poisoning (Invariant Labs): 84.2% ASR. Shadow attacks manipulate trusted tools without the malicious server being invoked.
• Critical CVEs: CVE-2025-49596 (CVSS 9.4, RCE in MCP Inspector), CVE-2025-6514 (command injection, 437K+ downloads), CVE-2025-53109/53110 (symlink sandbox escape).
• GTG-1002 (November 2025): first state-sponsored AI-orchestrated cyberattack — Chinese group used Claude Code for 80–90% of operational tasks across ~30 targets.

T11 Agentic & Orchestrator Exploitation

16 techniques

ID	Technique	Risk	Rating	Procs
`T11-AT-001`	Browser Automation Hijacking	265	🔴 CRITICAL	10
`T11-AT-002`	Tool Chain Exploitation	255	🔴 CRITICAL	10
`T11-AT-003`	Goal Hijacking	245	🟠 HIGH	10
`T11-AT-004`	Planning Corruption	240	🟠 HIGH	10
`T11-AT-005`	Multi-Agent Collision	235	🟠 HIGH	10
`T11-AT-006`	Reflection Loop Exploitation	230	🟠 HIGH	10
`T11-AT-007`	Environment Manipulation	225	🟠 HIGH	10
`T11-AT-008`	Credential Harvesting	250	🔴 CRITICAL	10
`T11-AT-009`	Persistence Installation	245	🟠 HIGH	10
`T11-AT-010`	Lateral Movement	240	🟠 HIGH	10
`T11-AT-011`	Data Exfiltration via Agent	235	🟠 HIGH	10
`T11-AT-012`	Resource Exhaustion Attacks	210	🟠 HIGH	10
`T11-AT-013`	Supply Chain Attacks via Agents	260	🔴 CRITICAL	10
`T11-AT-014`	Physical World Interactions	255	🔴 CRITICAL	10
`T11-AT-015`	Autonomous Replication	270	🔴 CRITICAL	10
`T11-AT-016`	Tool-Induced SSRF & Local Resource	275	🔴 CRITICAL	10

T12

15 techniques · 149 procedures · Risk 185–240

Poison retrieval systems

2025–2026 Threat Update

• PoisonedRAG (USENIX Security 2025): 90% ASR with only 5 malicious texts per target question. CorruptRAG: single poisoned text sufficient.
• RAGPoison (Snyk Labs): 274,944 poisoned vectors redirect all queries; Qdrant and ChromaDB lack authentication by default.
• Benchmark of 13 poisoning methods and 7 defenses: current defenses fail to provide robust protection.

T12 RAG & Knowledge Base Manipulation

15 techniques

ID	Technique	Risk	Rating	Procs
`T12-AT-001`	Vector Database Poisoning	240	🟠 HIGH	10
`T12-AT-002`	Retrieval Manipulation	225	🟠 HIGH	10
`T12-AT-003`	Knowledge Graph Attacks	215	🟠 HIGH	10
`T12-AT-004`	Document Store Corruption	230	🟠 HIGH	10
`T12-AT-005`	Embedding Space Manipulation	220	🟠 HIGH	10
`T12-AT-006`	Query Injection Attacks	235	🟠 HIGH	9
`T12-AT-007`	Context Window Stuffing	210	🟠 HIGH	10
`T12-AT-008`	Source Authority Spoofing	225	🟠 HIGH	10
`T12-AT-009`	Temporal Manipulation	200	🟠 HIGH	10
`T12-AT-010`	Feedback Loop Poisoning	215	🟠 HIGH	10
`T12-AT-011`	Cross-Collection Attacks	205	🟠 HIGH	10
`T12-AT-012`	Index Manipulation	195	🟡 MEDIUM	10
`T12-AT-013`	Chunking Exploitation	185	🟡 MEDIUM	10
`T12-AT-014`	Similarity Search Hijacking	210	🟠 HIGH	10
`T12-AT-015`	Metadata Exploitation	190	🟡 MEDIUM	10