Researchers Show Copilot and Grok Can Be Abused as Proxies for Malware C2

Ravie Lakshmanan | February 17, 2026 | Malware / Artificial Intelligence

Cybersecurity researchers have disclosed that artificial intelligence (AI) assistants that support web browsing or URL fetching can be turned into stealthy command-and-control (C2) relays, a technique that can allow attackers to blend into legitimate business communications and avoid detection.

The attack method, demonstrated against Microsoft Copilot and xAI Grok, has been codenamed AI as a C2 proxy by Check Point.

It uses “anonymous web access combined with browsing and encryption,” the cybersecurity firm said. “The same approach can also enable AI-assisted malware operations, including generating inspection workflows, scripting attacker actions, and dynamically determining ‘what to do next’ during intrusion.”

The development marks another evolution in how malicious actors can abuse AI systems, not only to scale or speed up different stages of the cyber attack cycle, but also to use APIs to generate code dynamically at runtime that can adapt its behavior based on information gathered from the compromised host and avoid detection.

AI tools are already acting as a force multiplier for adversaries, allowing them to carry out key steps in their campaigns, whether it's to conduct reconnaissance, scan for vulnerabilities, craft phishing emails, create synthetic identities, debug code, or develop malware. But AI as a C2 proxy goes further.

It uses the web browsing and URL fetching capabilities of Grok and Microsoft Copilot to retrieve attacker-controlled URLs and return the responses through their web interfaces, essentially turning them into a two-way communication channel that receives commands issued by the operator and tunnels victim data out.

Notably, all of this works without requiring an API key or a registered account, thus rendering common methods such as key revocation or account suspension useless.

Viewed differently, this approach is no different from attack campaigns that have abused trusted services for malware distribution and C2. This is also referred to as living-off-trusted-sites (LOTS).

However, for all of this to happen, there is a key prerequisite: the threat actor must have already compromised the machine by some other means and installed malware, which then uses Copilot or Grok as a C2 channel via specially crafted prompts that cause the AI agent to contact attacker-controlled infrastructure and pass the response, containing the command to be executed on the host, back to the malware.

Check Point also noted that an attacker can go beyond command generation and use the AI agent to devise an evasion strategy and determine the next course of action by passing it information about the system and checking whether it is even worth exploiting.

“If AI services can be used as a strategic transport layer, the same interface can also carry information and model results that act as an external decision engine, a stepping stone towards AI-Driven and AIOps-style C2 deployments that enable selection, targeting, and real-time operations,” Check Point said.

The disclosure comes weeks after Palo Alto Networks Unit 42 demonstrated a new attack technique where a seemingly innocent web page can be turned into a phishing site by using client-side API calls to trusted large language model (LLM) services to generate malicious JavaScript in real time.

The method is similar to a Last Mile Reassembly (LMR) attack, which involves smuggling malware over the network through unmonitored channels such as WebRTC and WebSocket and injecting it directly into the victim’s browser, effectively bypassing security controls in the process.

“Attackers may use carefully crafted commands to bypass the AI’s security loopholes, tricking the LLM into returning malicious code snippets,” said Unit 42 researchers Shehroze Farooqi, Alex Starov, Diva-Oriane Marty, and Billy Melicher. “These snippets are returned via the LLM service API, then aggregated and used in the victim’s browser at runtime, resulting in a fully functional phishing page.”
