This work addresses the vulnerability of large language model (LLM) agents to indirect prompt injection attacks, a threat inadequately mitigated by existing defenses due to their static or non-adaptive nature. The paper introduces the first structured feedback–driven iterative attack framework, which employs a rule-based diagnostic module to generate behavioral labels, an LLM-based optimizer that refines attack payloads using full interaction histories, and a seed synthesis mechanism that evolves attack strategies by learning from failed attempts. Integrating causal intervention and attention analysis, the study uncovers—for the first time—a threshold phenomenon in attention weights correlated with attack success. Experimental results demonstrate that the proposed framework substantially outperforms both static and state-of-the-art adaptive attacks on AgentDojo and InjectAgent benchmarks, achieving complete compromise on 5 out of 9 targets within the heavily defended Claude Code agent and significantly improving attack efficacy on the remaining targets.

LLM-based agents are increasingly deployed for complex tasks requiring planning, tool use, and interaction with external services. Their reliance on untrusted external content exposes them to indirect prompt injection (IPI), in which adversarial instructions embedded in retrieved data hijack agent behavior. Existing attacks rely on static payloads that cannot adapt to agent-specific defenses; even recent adaptive methods lack structured feedback to guide optimization. We introduce \oursys, a feedback-guided iterative framework that closes the loop between injection, diagnosis, and refinement: a rule-based diagnoser produces structured outcome labels with behavioral descriptions, and an LLM-based optimizer refines payloads conditioned on the full optimization history. A synthesis step generates new disguise seeds from failure patterns, enabling the strategy space to self-evolve. On AgentDojo and InjectAgent, \oursys substantially outperforms static baselines and existing adaptive methods across four victim models. Extension experiments on Claude Code, a production-grade coding agent with layered defenses, show that optimized payloads achieve full success on 5 of 9 targets; even those that resist full exploitation exhibit measurable improvement from iterative refinement. We further present a mechanistic analysis of IPI, identifying an attention-mediated threshold mechanism in mid-to-late layers; three causal interventions validate this finding and point to concrete defense directions.