Cybersecurity researchers have revealed a novel technique that transforms AI assistants, specifically those with web browsing capabilities like Microsoft Copilot and xAI Grok, into stealthy command-and-control (C2) relays. This method, dubbed “AI as a C2 proxy” by Check Point, allows attackers to mask malicious communications within legitimate enterprise traffic, significantly increasing the risk of undetected intrusions.
The discovery represents a concerning evolution in cyber threat tactics, moving beyond AI’s use as a broad accelerator of attack phases to its direct weaponization as a covert communication channel. This approach leverages AI’s inherent ability to process and respond to web-based prompts, creating a sophisticated backdoor for malicious operations.
AI as a C2 Proxy: A New Frontier in Cyber Warfare
The “AI as a C2 proxy” attack method exploits the web browsing and URL fetching features of AI assistants. By crafting specific prompts, threat actors can cause these AI tools to interact with attacker-controlled infrastructure. The AI then retrieves commands or instructions from this infrastructure and relays them back through its web interface, effectively functioning as a bidirectional communication tunnel.
This technique is particularly concerning because it can operate without requiring API keys or registered accounts for the AI services. This circumvents traditional security measures such as key revocation or account suspension, making it challenging to disrupt the C2 channel through conventional network defenses.
Check Point’s researchers demonstrated that this approach can be used for various malicious activities. Beyond relaying commands, the AI can be prompted to assist malware operations by generating reconnaissance workflows, scripting attacker actions, and dynamically deciding subsequent steps during an ongoing intrusion. This implies a future of AI-driven implants and automated C2 operations.
The core prerequisite for this attack is that an attacker must have already compromised a machine and deployed malware. This malware then utilizes the AI assistant as a C2 channel. Specially formulated prompts direct the AI to contact the attacker’s infrastructure and return responses containing commands to be executed on the compromised host.
This exploit moves beyond simply generating malicious code or phishing content. It allows attackers to leverage the AI’s processing power to devise evasion strategies and determine the most opportune next steps. By feeding the AI details about the compromised system, attackers can ascertain whether a system is a valuable target and plan their actions accordingly.
Leveraging Trusted Services for Malicious Ends
The “AI as a C2 proxy” tactic shares similarities with “living off the trusted sites” (LOTS) attack campaigns, where adversaries weaponize legitimate and trusted services for malware distribution and command and control. This approach relies on blending in with normal network activity, making detection significantly more difficult.
The development follows closely on the heels of other research highlighting the potential for AI misuse in cybersecurity. Palo Alto Networks Unit 42 recently showcased an attack where a web page could be transformed into a phishing site by using client-side API calls to trusted LLM services. These services would dynamically generate malicious JavaScript in real-time, which is then assembled and executed in the victim’s browser.
This earlier research into last-mile reassembly (LMR) attacks involved smuggling malware through unmonitored channels like WebRTC and WebSockets, reassembling it directly within the victim’s browser. This bypasses security controls that typically monitor for executable files or network traffic patterns associated with malware downloads. The AI-driven variant discussed by Check Point takes this a step further by using AI interfaces as the transport and decision-making layer.
Looking ahead, the integration of AI into C2 infrastructure is likely to accelerate. The ability for AI to dynamically generate code, adapt to compromised environments, and automate operational decisions in real-time poses a significant challenge for current cybersecurity defenses. Organizations will need to focus on advanced threat detection capabilities that can identify anomalous AI behavior and communications, even when masked within legitimate services.