CYBERSECURITY researchers have shown that AI assistants with web browsing or URL-fetch capabilities can be abused as stealthy C2 relays, enabling attackers to blend into legitimate enterprise communications. The attack method, demonstrated against Microsoft Copilot and xAI Grok, is codenamed AI as a C2 proxy by Check Point.
It relies on anonymous web access combined with browsing and summarisation prompts, allowing AI-assisted malware operations such as generating reconnaissance workflows and scripting attacker actions, with the AI able to decide what to do next during an intrusion. The technique lets threat actors use AI services as a bidirectional transport layer, turning them into a channel that can accept operator commands and tunnel data out, without requiring an API key or a registered account.
For this to work, the attacker must have already compromised a machine and installed malware that uses Copilot or Grok as the C2 channel through specially crafted prompts. This approach, described as living-off-trusted-sites or LOTS, signals another evolution in how AI services can be abused in malware campaigns.