Researchers Demonstrate Copilot and Grok Can Be Exploited as Malware C2 Proxies

Cybersecurity researchers have shown that AI assistants with web-browsing or URL-fetching capabilities can be manipulated to act as stealthy command-and-control (C2) relays for malware. The attack technique, demonstrated against Microsoft Copilot and xAI Grok, has been labeled “AI as a C2 proxy” by Check Point.

This approach allows attackers to blend into legitimate enterprise communications while evading detection, effectively using trusted AI services as covert infrastructure.

How the Attack Works

The method exploits AI models’ ability to fetch, summarize, and interact with web content. Malware installed on a compromised host can use specially crafted prompts to direct Copilot or Grok to communicate with attacker-controlled URLs. Responses from the AI are then relayed back to the malware, enabling bidirectional communication without exposing API keys or requiring registered accounts.

Key aspects of the attack include:

  • Anonymous web access: AI fetches data from attacker-controlled servers, hiding traffic within legitimate AI queries.
  • Dynamic command generation: Malware can request reconnaissance scripts, system probes, or other instructions on demand.
  • Adaptive operations: AI can analyze system data to determine whether further exploitation is viable, acting as an external decision engine.

Check Point highlighted that this technique essentially weaponizes trusted AI services in a “living-off-trusted-sites” (LOTS) manner, similar to how other services have been abused for malware distribution and C2 communication.
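For defenders, the traffic pattern described above gives two triage signals: requests to AI assistant web front ends from a process that is not an interactive browser, and requests that recur at near-fixed intervals. The sketch below is an added example, not code from Check Point or the original article; the log schema, domain watchlist, browser allowlist and thresholds are assumptions, and the records are constructed.

```python
from collections import defaultdict
from statistics import pstdev

# Assumed watchlist and browser allowlist; adjust both to the environment.
AI_DOMAINS = {"copilot.microsoft.com", "grok.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed proxy/EDR records: (host, process, epoch seconds, destination).
SAMPLE = [
    ("ws-014", "msedge.exe", 1000, "copilot.microsoft.com"),
    ("ws-014", "msedge.exe", 1420, "copilot.microsoft.com"),
    ("ws-014", "msedge.exe", 1475, "grok.com"),
    ("ws-014", "msedge.exe", 3900, "copilot.microsoft.com"),
    ("ws-022", "updater_svc.exe", 2000, "grok.com"),
    ("ws-022", "updater_svc.exe", 2150, "example.com"),
    ("ws-022", "updater_svc.exe", 2300, "grok.com"),
    ("ws-022", "updater_svc.exe", 2600, "grok.com"),
    ("ws-022", "updater_svc.exe", 2900, "grok.com"),
    ("ws-031", "chrome.exe", 5000, "copilot.microsoft.com"),
    ("ws-031", "chrome.exe", 5060, "copilot.microsoft.com"),
    ("ws-031", "chrome.exe", 5121, "copilot.microsoft.com"),
    ("ws-031", "chrome.exe", 5180, "copilot.microsoft.com"),
]


def find_suspects(records, min_hits=4, max_jitter=5.0):
    """Return (host, process, reasons) for AI-assistant traffic worth triage."""
    times = defaultdict(list)
    for host, proc, ts, dest in records:
        if dest.lower() in AI_DOMAINS:
            times[(host, proc.lower())].append(ts)
    findings = []
    for (host, proc), stamps in sorted(times.items()):
        reasons = []
        # Assistant web UIs are normally reached from an interactive browser.
        if proc not in BROWSERS:
            reasons.append("non-browser process")
        # Near-constant gaps between requests suggest automation, not a person.
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= max(1, min_hits - 1) and pstdev(gaps) <= max_jitter:
            reasons.append("fixed-interval requests")
        if reasons:
            findings.append((host, proc, reasons))
    return findings


if __name__ == "__main__":
    print(*find_suspects(SAMPLE), sep="\n")
```

Both signals are heuristics for triage rather than verdicts; the interval check is there so that traffic originating from a browser process is still evaluated.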


Broader Implications

The use of AI as a C2 proxy extends beyond simple command execution. Once malware can leverage AI services:

  • It can automate triage, targeting, and operational decisions in real time.
  • Attackers can sidestep traditional countermeasures such as key revocation or account suspension, because the technique requires neither API keys nor registered accounts.
  • AI-generated outputs can be used to design evasion strategies or dynamically adapt malware behavior.

This is part of a growing trend where adversaries integrate AI into cyberattack lifecycles, leveraging AI for reconnaissance, scripting, malware development, and phishing.

Related Developments

Weeks prior, Palo Alto Networks Unit 42 revealed a method to transform seemingly harmless web pages into fully functional phishing sites. This technique used client-side API calls to large language model (LLM) services to generate malicious JavaScript in real time. The approach mirrors Last Mile Reassembly (LMR) attacks, where malware is smuggled through unmonitored channels like WebRTC or WebSocket and executed directly in the victim’s browser.

Unit 42 researchers explained: “Engineered prompts can trick LLMs into returning malicious code snippets, which are then executed in the victim’s browser, enabling dynamic phishing attacks and bypassing traditional security controls.”

The combination of AI C2 proxies and client-side LLM abuse underscores an emerging threat vector where AI not only assists attackers but also becomes the infrastructure for stealthy, adaptive malware operations.



